Why a hybrid approach can help you navigate CMMC Level 3

Gettyimages.com/metamorworks

Find opportunities — and win them.

Blending FedRAMP High and a commercial cloud environment can be an efficient way to reach CMMC Level 3 while optimizing your security and costs, writes Andrew Bream, vice president of enterprise IT at SOSi.

The Cybersecurity Maturity Model Certification has emerged as a critical standard for organizations handling sensitive government information.

Achieving Level 3 maturity will soon become a requirement for any company pursuing Department of Defense work. This expected shift creates an urgency for government contractors and subcontractors to assess and upgrade their cybersecurity frameworks.

While implementing additional security controls over sensitive information can be costly, a hybrid approach that blends a FedRAMP High and a commercial cloud environment can provide an efficient solution.

DoD has indicated it plans to require CMMC certification for all solicitations supporting critical programs and technologies. CMMC Level  3 introduces 24 additional advanced requirements beyond the current NIST SP 800-171 standard, representing a significant increase in expected cyber maturity. The certification process requires mandatory third-party assessment with no self-assessment option,  making it more rigorous. Additionally, the use of a Plan of Action and Milestones (POA&M) to close gaps is limited. 

Within the context of CMMC, conversations often center around balancing compliance obligations, operational flexibility, and financial constraints  – mirroring broader discussions within the cybersecurity community.

Meeting CMMC Level 3 requirements can be a considerable burden for companies with complex IT environments and significant amounts of controlled unclassified information (CUI). Small and medium-sized businesses within the defense industrial base that play a critical role in the defense supply chain encounter a particularly pronounced challenge due to limited resources. 

While a full transition to an isolated environment certified for DoD use (FedRAMP Moderate or equivalent) guarantees compliance and simplifies  infrastructure management, it can be expensive and may impact application functionality and security features. It can limit collaboration capabilities with partners and customers, impacting business opportunities.

The lower price of a small-enclave cloud environment  might sound tempting, but it is not a viable option for organizations that deal with significant amounts of CUI and need to meet regulatory requirements.

A hybrid approach that hosts classified information in FedRAMP cloud and unclassified information in a multi-tenant commercial environment can be less costly than fully migrating to a FedRAMP environment. It offers several benefits, including enhanced functionality, dynamic use of resources, and lower operating costs.

In fact, these cost savings can lead to as much as a 20% reduction in migration  costs. It also provides the flexibility to integrate with third-party applications and customized infrastructure needs. 

Implementing a multi-cloud infrastructure for CMMC compliance requires meticulous planning to identify critical data flows, assess gaps, and segment the environment to meet rigorous standards. Robust governance policies and operational procedures spanning both environments are essential, including comprehensive data management policies, strict access controls, and regular audit trails to maintain

 visibility and security. New processes must be established for cross-environment connectivity and security, multi-tenant management and administration, and cross-tenant user migration. 

Organizations should begin by examining the CUI flow to determine whether a subset of their infrastructure can be secured at a higher level.

Afterward, they should review the CMMC standard and identify gaps in their current systems and processes. Based on the findings, a compliant architecture can be designed, and corresponding processes can be developed. Finally, organizations should perform an  internal assessment of their CMMC controls and prepare for the third-party audit.

To qualify for a Level 3 certification, a company must have previously defined the boundaries of the CMMC assessment in Level 2, and any identified POA&M must be closed to ensure deficiencies or weaknesses have been addressed.

Properly scoping the CMMC Level 3 environment is essential to maximizing benefits and minimizing costs. The scoping guidance allows tailoring assessments to the most critical operations by focusing on a specific data enclave within the Level 2 assessment scope. 

There are several integrated tools that can be leveraged to ensure a secure and interoperable multi-tenant environment. A built-in identity

 and access management solution can streamline authentication and conditional access to resources, restricting it to company-controlled devices and utilizing device-based certificates for network access. A security information and event management platform can enable cybersecurity teams to manage multiple environments from a single system.

Finally, data loss prevention  systems can ensure that protected data does not cross the boundary between the two environments.

Blending a cloud environment that meets DoD's rigorous demands with commercial cloud presents a tangible pathway to CMMC Level 3 compliance.

 Such a hybrid approach balances financial and operational burdens, making it an attractive option for smaller DIB organizations to optimize compliance and operational efficiency and gain a competitive edge in the market.


Andrew Bream is vice president for enterprise IT at SOSi, a private defense and government services firm. He has more  than 20 years of leadership experience in the defense, aerospace, and technology industries. Throughout his career, Andrew has led full-service IT teams responsible for technology transformations across small, medium, and large organizations.