CMMC requirements vary depending on your business and industry. Manufacturing, IT consulting, engineering, construction, and other sectors may all have different infrastructures, but if you’re in the DoD supply chain, CMMC requirements are on the way. Compounding the new CMMC requirements are the challenges of remote work.
When the entire organization is remote, it becomes especially difficult to show compliance with CMMC in the Physical Protection (PE) domain, since everyone is working from home, if not from the coffee shop up the street. For government contractors struggling to understand how they will meet CMMC under these conditions, there is a proven solution.
How to Secure Your Remote Workforce
The best solution when your entire workforce is remote and you have no on-premises infrastructure needs is to take the endpoints (laptops, desktops, mobile devices) out of scope for PE. How do you go about doing this? The answer is to host everything in the cloud, such as GCC High/Azure Government, and build a Virtual Desktop Infrastructure (VDI), as depicted in the simplified sample diagram below. You will want to control access to the VDI environment by configuring the authentication protocols and authentication tokens required to reach it.
Why GCC High/Azure Government?
If you are an existing commercial Microsoft client, why do you want to be in GCC High/Azure Government? That will depend on:
- The type of Controlled Unclassified Information (CUI) you work with.
- If your contracts require US Sovereignty.
For reference, check out this informative blog by Microsoft’s Richard Wakeman.
Building out the secure enclave in Azure Government means configuring the environment with the appropriate GCC High licenses, which provide access to the enclave in a secure manner. It also means configuring the environment so that no CUI or ITAR data can bleed out of the secure enclave. This creates a bubble around an environment that lives entirely in the cloud. Once you have taken the additional step of obtaining the System Security Plan (SSP) from Microsoft’s Azure Government team, the PE requirements are removed from scope.
Will this work for you?
The short answer is yes. The longer answer is that it takes work to put together the policies and procedures along with documenting all the security configurations of the environment.
KTL recently guided our customer Redspin through the CMMC process. Redspin is now the first official C3PAO to be listed with the CMMC-AB. Check out our press release. Redspin also released a Lessons Learned video that details the process they went through during their CMMC Level 3 assessment with DIBCAC. Their completely cloud-based configuration proves that this approach will stand up to the scrutiny of an audit.
For more information on CMMC preparedness, contact us at firstname.lastname@example.org.