
Compliance In The Cloud: CSP Selections and Best Practices

Cloud computing has become an essential component of doing business. That is as true for DoD prime contractors and subcontractors as it is for any other industry segment. The benefits of using cloud service providers (CSPs) are numerous, including lower maintenance costs, higher efficiency, and the ability to scale cloud-based solutions to meet your current business needs. Most CSPs also offer top-notch security—a matter of paramount importance to DoD primes and subs.

But how do you select a CSP that aligns with your need to achieve compliance with CMMC? What does CMMC require of a DoD contractor’s CSPs? How do you maintain compliance while using cloud services? This post explores those concerns and offers best practices for promoting compliance in the cloud. 

Selecting a Compliant CSP 

In most cases, the CMMC rule requires that CSPs hold Federal Risk and Authorization Management Program (FedRAMP) authorization to demonstrate their ability to securely handle sensitive data. However, if you are using a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) that also provides cloud services, that provider will need CMMC certification at the same level as your organization in addition to FedRAMP authorization. FedRAMP is a government program geared specifically toward the safe handling of government data in the cloud. As such, it has many parallels with CMMC, including a rigorous assessment and authorization process.

When selecting a CSP, you must understand your own organization’s CMMC level as well as the type of data the CSP will be handling for you. Your CSP must have FedRAMP authorization at the appropriate level: Low, Moderate, or High. If your CSP handles Federal Contract Information (FCI) for you, it will need a minimum of FedRAMP Low authorization. If it handles your Controlled Unclassified Information (CUI), it will need FedRAMP Moderate or higher. If the CSP is not yet FedRAMP-authorized, it may still be acceptable if it can demonstrate FedRAMP equivalency.

Some other considerations when selecting a CSP: 

  • If they are not FedRAMP authorized, review their FedRAMP equivalency documentation. 
  • Ask how they comply with DFARS Clause 252.204-7012, addressing cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment. 
  • Even if they are not required to be certified themselves, it can be helpful to work with a CSP who understands CMMC and its requirements. Ask about their CMMC knowledge and if they offer environments specifically designed to support CMMC compliance. 
  • Review their System Security Plan. Ensure they support proper access controls, encryption, and logging to protect your data and restrict unauthorized access. 
  • Review their Shared Responsibility Matrix outlining the inherited and shared cybersecurity requirements for both parties. 
  • Review their Incident Response Plan to understand their process for reporting incidents to their clients and what information they share. 

Best Practices for Ongoing Compliance 

Once you have selected your CSP, you will need to configure your cloud services to align with CMMC security requirements. Key security practices include: 

  • Identity and Access Management: Enforce least privilege access and multi-factor authentication to prevent unauthorized access. 
  • Data Encryption: Encrypt CUI in transit and at rest using FIPS 140-2 validated cryptographic modules. 
  • Logging and Auditing: Enable detailed logging, continuous monitoring, and regular auditing to detect and respond to security incidents. 
  • Secure Configuration Management: Apply secure baseline configurations and maintain compliance with required security settings. 
  • Continuous Risk Management: Regularly assess risks, update security policies, and provide your employees with ongoing training on evolving threats and compliance obligations. 

Maintaining CMMC compliance is an ongoing commitment. The following practices can help you maintain your cybersecurity posture, particularly with regard to working with CSPs.

  • Just as your organization must be periodically reassessed for CMMC certification, your CSP’s FedRAMP authorization is assessed annually. Keep up to date and verify that the CSP maintains its authorization.
  • Stay up to date on changes to CMMC guidelines as well and adjust your cloud security configurations accordingly. 
  • Conduct regular security assessments and internal audits to ensure continued adherence to CMMC requirements. 
  • In addition to reviewing your CSP’s incident response plan, make sure your organization has a robust plan of its own to address potential breaches and report incidents as required. 
  • Work with a compliance consultant such as CyberNINES to confirm that your CSP is compliant while also enhancing your own security posture and compliance efforts.

CyberNINES is here to help! If you have specific questions or would like to talk over your options, just send us a contact request at this link, and one of our cybersecurity experts will soon be in touch. You can also select this link for a free e-book describing what to look for in CSPs, MSPs, MSSPs, and the myriad other service providers you may work with on your CMMC journey.

Next up: Team building for CMMC compliance 