New cybersecurity requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) may be important steps toward shoring up the Defense Department’s cyber defenses, but some small businesses argue that these rules increasingly impose big-business compliance requirements on small businesses. Although they have to meet the same requirements, small businesses often don’t have the internal staff, organizational maturity or technological resources to meet the same compliance metrics.
That’s why, according to Summit 7 CEO Scott Edwards, small businesses are turning to the cloud in ever greater numbers to meet these compliance requirements.
“For small businesses to be able to build on-premises systems to meet these requirements is extremely burdensome, because you’re talking about lots of different types of systems: email systems, file sharing systems, collaboration systems, messaging systems, voice systems,” he said. “A small business of 20 people can’t go hire a team of five or six people to install, configure, maintain, and support all of these different types of IT systems across an on-premises implementation. So cloud services allow them to shortcut a big portion of this by essentially outsourcing the implementation of these systems to a cloud services provider, like Microsoft with Office 365.”
This gives small businesses the capabilities of up to 15 on-premises services for a per-user fee. Users and their respective licenses can be added or removed as a DoD contractor grows or shrinks with award cycles. That makes the environment easier to manage in the long term, and it also shortens the timeline by skipping the procurement process, which can be onerous, especially for hardware. With cloud service providers, the platform is already there; what remains is mostly configuration and proper management.
And while some small businesses may already have internal staff to address cybersecurity concerns, or may outsource their continuous monitoring, pen testing, change control, and other activities, there are still risk-reduction benefits to moving to the cloud. Reduced complexity, for example, is one reason many companies are making the transition.
“Any time you are trying to build out an infrastructure on-premises with varied software, you’re going to end up purchasing tools from potentially a dozen-plus companies to install, integrate, and manage,” Edwards said. “Whereas if you move to a cloud service provider, you may be able to pull that number of vendors down to two or three. By having a smaller number of vendors, you have a smaller number of integration challenges to deal with. Yet it’s important that companies be mindful to leverage a platform that has been built to the specific standards set forth by federal regulations and standards organizations, such as FedRAMP.”
Specifically, cloud infrastructure and platforms used by organizations supporting the DoD should all be built to the FedRAMP Moderate standard and consequently must meet DFARS 7012. Besides being mandatory, that is a significant step toward lowering both cyber risk and compliance burden.
Aside from lowered risk, going to the cloud has time and cost benefits, since reaching DFARS and CMMC compliance can prove less expensive and less difficult there. Cloud service providers take care of the majority of physical security and hardware and software management requirements on behalf of the organization. Once you’re there, it’s easier to stay in compliance, because CSPs are constantly enabling new capabilities in response to novel and evolving threats. Moreover, server patches and network updates are abstracted away from IT leadership and require little to no involvement, saving businesses the time and effort of tracking down patch issues or manually updating their environments.
Some CSPs pay extra attention to meeting the unique needs of contractors in the Defense Industrial Base.
“All of this is about protecting controlled unclassified information and, by extension, export control information or ITAR data. Microsoft specifically built the Microsoft 365 Government Community Cloud High (GCC High) platform and the Azure Government infrastructure to meet these specific requirements set forth by National Archives and Records Administration and the DoD,” Edwards said. “In simplest terms that means dedicated government data centers, staffed by people who’ve passed background checks and are US persons.”
“They elected to make these investments so that companies could move to the cloud with confidence and also know that they could meet the DFARS requirements and eventual CMMC assessment requirements,” Edwards continued. “In addition, the platform as a whole can be configured to CMMC Level 3 standards, and even up to CMMC Level 5 if you have a need to do that.”
Microsoft continues to lead industry efforts to enable small business adoption of cloud technologies through its CMMC Acceleration Program that launched in late 2020. The program is a combination of documentation, reference tools, templates and workbooks, and visuals that allow defense contractors to assess their compliance, take action on specific gaps or implement certain capabilities, and document their configurations.
“That doesn’t mean it’s not going to take effort; it’s still going to take significant resources. But these tools will most certainly serve as a guidebook as companies move towards compliance in Microsoft 365 GCC or GCC High and Azure Government. Summit 7 is also strategically using everything that Microsoft is providing to make it as easy as possible for our customer set,” Edwards said.
Summit 7, a Microsoft partner of 12 years and recent recipient of the Microsoft US Partner Award for Security and Compliance, is focused entirely on helping the DIB meet DFARS and CMMC compliance in Microsoft’s sovereign cloud offerings.
“We’re continuing to see the need across the market as the industry is experiencing a major shift to cloud platforms, and our team alone is actively migrating dozens of firms from on-prem to cloud, or from a non-compliant cloud to another cloud, each quarter,” Edwards said. “We fully expect most of the industry will be using cloud services by the complete rollout of CMMC in 2025.”