November 19, 2024
Cloud services in your CMMC scope
Another super-hot topic! I hope I can provide some guidance this week on cloud services in general, and how/where they, along with Cloud Service Providers (CSPs), fit into your CMMC scope. First, a definition from the final rule:
"Cloud Service Provider (CSP) means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition for cloud computing in NIST SP 800-145 Sept2011. (CMMC-custom term)"
Also, remember that the DFARS 7012 clause tells us this:
"If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."
Armed with these two pieces of information, there are two very important questions to ask yourself:
(1) What kind of cloud services do we use? Many organizations use a variety of cloud services, most commonly ERP, CRM, accounting, HR and of course Office 365. Additionally, when we do security assessments for our clients, we often find that employees are using cloud services without the knowledge or approval of IT and/or upper management (or at least without the general understanding that the software has a cloud component, with the attendant security and compliance issues). Examples include engineering software, forms processing software, Grammarly, or simple storage (e.g., DropBox, Google Drive).
(2) Do I use a CSP to process, store or transmit FCI and/or CUI? First, go back to the definition. Not everything marketed as a "cloud service" meets the CMMC definition of a CSP. Many niche-market companies in particular will host your data and possibly even their applications for you, but their infrastructure may not meet the five tests to be a CSP (1-ubiquitous, 2-convenient, 3-on-demand network access, 4-to a shared pool of configurable computing resources, 5-that can be rapidly provisioned and released with minimal management effort or service provider interaction).
Whether your "hosted solution" qualifies as a CSP will have a huge impact on how it fits into your CMMC scope:
(1) If you process, store or transmit FCI and/or CUI in/via a hosted environment that doesn't meet the definition of a CSP, that environment will be in your scope as an FCI Asset and/or CUI Asset (assets = facilities, technologies, people, ESPs), subject to meeting the appropriate requirements for that level of data (CMMC L1 or L2).
(2) If that environment does meet the definition of a CSP, it must be on the FedRAMP Marketplace at the Moderate or higher level, or it must have achieved "equivalency" according to the DoD memo on the subject. (Note that the CSP, if not on FedRAMP, must provide a body of evidence proving equivalency, and it is your responsibility to evaluate this evidence and determine whether equivalency has, in fact, been achieved. Warning: very few commercial service providers are willing and able to do this.)
What about cloud services used by your organization that do not process, store or transmit FCI or CUI on your behalf? Assessors will expect to see these addressed in your SSP, particularly under 3.1.3 ("Control the flow of FCI/CUI in accordance with approved authorizations.") and 3.1.20 ("Verify and control/limit connections to and use of external systems.").
If you aren't sure whether you are using "hosted solutions" or "cloud services," ask the service provider for clarification.
Takeaway: if you use hosted solutions and/or cloud services, now is the time to have a serious internal conversation about your data flows (where are FCI and/or CUI going?) and how those services fit into your assessment scope.
If you need help, I'm here! Email, call or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107