DOD Cloud Requirements and DIB Standards

February 28, 2022 • Shannon Flynn
Throughout 2021 and much of 2020, the DoD worked to develop a new cybersecurity process. These steps ensure Defense Industrial Base (DIB) contractors meet requirements for handling controlled, unclassified data.

The process, called the Cybersecurity Maturity Model Certification (CMMC), premiered in 2020 and immediately impacted many federal contractors.

The new CMMC 2.0 framework, released in late 2021, provides a streamlined version of the CMMC. Federal contractors will soon need to follow this updated version.

Once codified via legislation, the DoD will require all DoD contractors to adhere to different CMMC levels depending on the controlled data that they have access to.

DIB companies, including cloud service providers and businesses reliant on CSPs, that are awarded DoD contracts of a certain value will need to be aware of CMMC 2.0 security requirements and related programs, like FedRAMP.

Implications of CMMC 2.0 for the DIB and DIB Cloud Service Providers

Most businesses in the DIB will need to be compliant with CMMC 2.0 level 1. This level includes basic cyber hygiene requirements specified in the FAR 52.204-21 regulation and annual self-assessments.

This level will develop and strengthen the cyber-defenses of contractors without critical information. Any data at this level isn’t a matter of national security.

Only cloud services that store controlled unclassified information (CUI) need to meet CMMC 2.0 level 2 requirements. These businesses will need triennial third-party assessments for “critical national security information” in addition to the self-assessments required at level 1.

Details for level 3 are not currently available but will be based on a subset of NIST SP 800-172 requirements.

These CMMC levels are similar to other DoD security models and frameworks, like FedRAMP and CC SRG. They progress upwards, requiring greater cybersecurity investment as businesses handle more sensitive information.

Third-Party Cloud Services and CMMC

Third-party cloud services used by DIB companies and contractors need to meet CMMC 2.0 requirements. However, they may or may not need to meet related requirements, like FedRAMP. It depends on the function they perform and the access they have.

In an article for CMMC Audit Preparation, Amira Armond, the president of cybersecurity provider Kieri Solutions, writes that, in the absence of DoD guidance on CMMC and third-party cloud services, it can be a good strategy to assume that cloud services with management access to a CUI system are in scope for CMMC requirements.

For example, a third-party edge computing solution that contractors use to store or manage CUI would likely need to meet both CMMC requirements and have FedRAMP authorization. Because edge computing solutions can be hard to secure, contractors using them may struggle to meet CMMC guidelines.

However, these cloud services may not require FedRAMP authorization if they do not process or store CUI.

In the article, Armond included an email from John Ellis, the Quality Assurance Director (Acting) of the DCMA. Ellis clarified that a cloud antivirus service would not need moderate or high authorization if it didn’t have access to the CUI itself.

Preparing for Audits and CMMC Enforcement

Remaining consistent from CMMC 1.0 to 2.0 is the potential for DoD cybersecurity audits. CMMC 2.0 will only require these audits for level 3 businesses. DIBCAC (the DoD’s Defense Industrial Base Cybersecurity Assessment Center) will likely be authorized to audit contractors on their implementation of NIST SP 800-171 practices.

During the audit, the DIBCAC audit team will review the contractor’s System Security Plan (SSP) and its compliance with the NIST SP 800-171 standard. Audit scores are stored in the DoD’s SPRS (Supplier Performance Risk System).

New CMMC Offers Streamlined Process for Cloud Service Providers

CMMC 2.0 extends the Department of Defense’s approach to contract cybersecurity and builds on existing programs, like FedRAMP. Cloud service providers that work with the DoD should prepare to become compliant with the program’s requirements.