If you are looking to work with the DoD then you probably already know that you need CMMC qualifications. The key role of CMMC is to create a more secure environment for the business and the overall supply chain, to better protect against all kinds of cyber-security threats. In doing so, CMMC assessors are not only interested in how effectively your business manages its own security, but also place a great deal of importance on how secure the services of the vendors you work with are.
Some of the most commonly used services by businesses are cloud-based, and in the recent past cloud services have been the target of a lot of cybercrime. In some cases a cloud service is easy to identify; in others it can be harder to recognise as one. For simplicity's sake, we will consider any service that is not owned and operated by your business as a cloud service.
Secondly, it is also important to consider the difference between the three main things that can happen to CUI when it is being used in your business or by a third-party cloud service: it can be stored, transmitted or processed.
Storage – cloud services such as Dropbox and SharePoint.
Transmission – services such as cloud-based firewalls, cloud-based front-end services, and even email.
Processing – this is categorized differently by different professionals, but it can include anything from virtual desktops to identity solutions, monitoring services, directory services, and mobile device management solutions.
Given that cloud services interact with your business's data, and possibly CUI, in any of these three ways, the problems they raise are many.
Firstly, there are boundary control problems, as the cloud service provider can open remote management links into your network. They can install remote management software, which takes admin rights away from you. They hold sensitive information about your network and have access to data that they can use in any way.
Moreover, you have no control over their hiring practices, their internal controls, or anything else, which amounts to an access management problem. Lastly, these service providers work with countless other clients, so a problem such as malware at one of their other clients could reach you as well.
While most cloud services are quite reliable and have the technical expertise and the infrastructure to back up what they offer, it cannot be denied that there is a chance their services will be compromised.
In the recent past, we have seen an increasing trend of criminals targeting service providers rather than end-users.
One of the main reasons why having a FedRAMP-certified vendor helps is that it takes a lot of responsibility off your shoulders. Rather than having to build even more systems to ensure that your cloud service is secure and in line with the requirements of CMMC, DFARS, and others, a FedRAMP-accredited cloud service saves you this trouble.
However, simply having a FedRAMP-approved vendor does not solve the entire problem. This only covers the vendor's share of the responsibility; you still have to make sure that any modifications you make are also up to the mark.
The security of your own account is still in your own hands, and this is known as the Shared Responsibility Model. This is most prominent in situations where you are using Infrastructure as a Service (IaaS).
Overall, it is easy to see that having a qualified cloud service vendor is fundamental for any business looking to obtain CMMC qualifications. You have to understand that the security provided by the cloud service is, in effect, equivalent to your internal network security: any lapse in cloud security will compromise your internal security.