Deltek Inc.

09/11/2024 | News release | Distributed by Public on 09/11/2024 14:39

Supporting CMMC Compliance: The Role of a Cloud Service Supplier

September 11, 2024
Michael Greenman
Sr. Product Marketing Manager

What is the role of a Cloud Service Provider (CSP) when it comes to Cybersecurity Maturity Model Certification (CMMC)? In a recent webinar hosted by Deltek partner Cherry Bekaert, a panel of cybersecurity compliance practitioners and experts discussed the impending requirements of CMMC for defense contractors and what the program will mean for the various entities that play a crucial role in the preparation, audit and support of defense contractors and securing data.


What is the CMMC Program?

CMMC was developed by the U.S. Department of Defense (DoD) to enforce the protection of Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). After many false starts and delays, the proposed CMMC Program Rule (32 CFR Part 170) was published for public comment in December 2023, giving defense contractors their first look at what they will be responsible for once the rule is finalized, expected in late 2024. On August 15, 2024, the proposed CMMC acquisition rule (48 CFR parts 204, 212, 217 and 252), which places the CMMC requirement into DoD contracts, was published for public comment. When final, that rule will start CMMC enforcement over a phased three-year rollout.

With a primary focus on safeguarding CUI and Federal Contract Information (FCI), CMMC will be mandatory for DoD contractors and subcontractors in a phased rollout over the next three years. The level required is set in each contract: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21) is met by annual self-assessment; Level 2 (the 110 requirements of NIST SP 800-171) is met by self-assessment or, for most contracts involving CUI, by a certification assessment from an accredited CMMC Third-Party Assessment Organization (C3PAO); Level 3 (selected NIST SP 800-172 requirements on top of a Level 2 certification) is assessed by the government through DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). By meeting these requirements, defense contractors not only protect essential data but also improve their overall cybersecurity posture. Failure to comply will jeopardize your ability to win and keep defense contracts.

Cloud Service Providers (CSPs) play a critical role in supporting government contractors with their current cybersecurity compliance requirements and, eventually, their CMMC certification requirements. Under the CMMC Program Rule, any CSP used to process, store or transmit CUI must, at a minimum, hold a FedRAMP Moderate Authorization or demonstrate FedRAMP Moderate equivalence.

How Does FedRAMP Factor Into CMMC?

Amid all the discussion, and confusion, surrounding CMMC, it is important to note the significance of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the link between defense contractors seeking CMMC certification and the cloud services they use in support of their federal contracts. Because FedRAMP is an independent, government-wide review of a cloud service offering against a defined control baseline, a CMMC assessor can rely on it to validate the security protections of any cloud service that will process, store or transmit CUI, rather than re-assessing the provider's controls. FedRAMP provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

What Role Does a CSP Play in CMMC?

In the context of cybersecurity compliance, FedRAMP aligns closely with the objectives of CMMC. CMMC aims to raise the cybersecurity practices of DIB contractors; FedRAMP aims to raise the cybersecurity of the cloud service providers whose products those contractors use to process, store and transmit CUI. Both programs share the goal of safeguarding sensitive information and reducing cyber risk, and the CMMC rule relies on FedRAMP as its yardstick for cloud services.

What Are the Consequences of Picking the Wrong CSP?

The risk of choosing a CSP that does not have the right security posture cannot be overlooked when it comes to CMMC. The wrong cloud service provider can expose a contractor to data breaches, operational disruptions, reputational damage and failed compliance assessments, along with the financial losses that follow from one or all of these. DoD contractors should thoroughly vet their cloud service providers and ask for proof that they meet the required standard: a listing on the FedRAMP Marketplace, confirmation that the specific offering (not just the underlying hosting platform) is within the authorization boundary, and a customer responsibility matrix that states which controls the provider covers and which remain the contractor's responsibility.

According to the 32 CFR Part 170 CMMC Program Rule, a CSP that will process, store or transmit CUI must hold a FedRAMP Moderate (or higher) Authorization or demonstrate equivalence through a "Body of Evidence" as described in DoD policy, which calls for an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO) against the full FedRAMP Moderate baseline. For CMMC, Deltek serves DoD customers as a CSP with our Costpoint GCCM offering.

How Can Deltek Help?

With DoD's CMMC enforcement rule nearing finalization and assessments beginning soon, defense contractors face imminent risk to their funding source and need a secure solution from a trusted provider to meet their compliance needs. Deltek has supported compliance requirements for government contractors for decades and is prepared to support CMMC requirements as a Cloud Service Provider (CSP) with our Costpoint GCCM offering, which has achieved FedRAMP Moderate Ready status (a 3PAO-validated readiness designation that precedes a full Authorization) and is listed on the FedRAMP Marketplace. DoD contractors also need to be aware that a cloud offering does not inherit FedRAMP Authorization from the platform it runs on: a service hosted on AWS GovCloud (US) or Microsoft GCC High can inherit specific controls from that platform, but the offering itself must be authorized or demonstrate equivalence.

Deltek's product security roadmap demonstrates that we take the security of your data seriously and that we will continue to invest in secure solutions that deliver value and peace of mind for government contractors as they meet compliance standards and win more contracts.
