gov cloud

Cloud Based Solutions for Meeting CMMC Requirements

CMMC requirements vary depending on your business and industry. Manufacturing, IT consulting, engineering, construction, etc. may all have different infrastructures, but if you’re in the DoD supply chain, CMMC requirements are on the way. Compounding the new CMMC requirements are the challenges of remote work.

For government contractors who are struggling to understand just how they will meet CMMC when the entire organization is remote, there is a proven solution. In this case it becomes a challenge to show compliance with CMMC around the domain of Physical Protection (PE) since everyone is remote and likely working from home if not the coffee shop up the street. 

How to Secure Your Remote Workforce

The best solution when your entire workforce is remote with no on premise infrastructure needs is to take the endpoints (laptops, desktops, mobile devices) out of scope for PE. How do you go about doing this? The answer is to host everything in the cloud like GCC High/Azure Government and create a Virtual Desktop Infrastructure (VDI) as depicted in the slimmed down sample diagram below. You will want to configure access to the VDI environment by setting authentication protocols and authentication tokens to access the environment. 

Why GCC-High/Azure Government?

If you are an existing commercial Microsoft client, why do you want to be in GCC High/Azure Government? That will depend on:

  1. The type of Controlled Unclassified Information (CUI) you work with.
  2. If your contracts require US Sovereignty.

For reference, check out this informative blog by Microsoft’s Richard Wakeman.

Building out the secure enclave in Azure Government means configuring the environment with the appropriate GCC High licenses that provide access to the enclave in a secure manner.  It also means configuring the environment so no CUI or ITAR data can bleed out of the secure enclave. This creates a bubble around that environment which is completely in the cloud. Once you have taken the additional step of obtaining the System Security Plan (SSP) from Microsoft’s Azure Government team, this then removes the PE requirements from scope.

Will this work for you? 

The short answer is yes.  The longer answer is that it takes work to put together the policies and procedures along with documenting all the security configurations of the environment. 

Customer Success

KTL recently guided our customer Redspin through the CMMC process. Redspin is now the first official C3PAO to be listed with the CMMC-AB. Check out our press release. Redspin also released a Lessons Learned video that details the process they had to go through during their CMMC Level 3 assessment with DIBCAC.  The completely cloud based configuration proves that it will pass the scrutiny of an audit.

More Info

For more information on CMMC preparedness, contact us at

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Related Posts

Let’s Talk Security

As the IT security landscape evolves, new threats crop up almost daily and security teams face a heavy burden to keep pace. To provide some

Read More »

Webinar Recap: RPO vs DIY

KTL recently presented a webinar on CMMC Preparedness: RPO vs DIY. This presentation highlighted the five key reasons that using an RPO (CMMC Registered Provider Organization) is better than trying to DIY (Do It Yourself). The speakers and their topics are below.

Read More »

CMMC Preparedness: Webinar Recap

KTL Solutions recently hosted a webinar on Cybersecurity Maturity Model Certification (CMMC) Preparedness and welcomed esteemed guest Richard Wakeman of Microsoft. Richard is the Senior

Read More »