When organizations implement a CMMC compliance program, one of the most powerful tools for reducing cost and implementation time is leveraging the cybersecurity controls that are already implemented by their Cloud Service Provider (CSP), Managed Service Provider (MSP), or even prime contractors. A shared responsibility matrix is used to describe which requirements are met by the organization and which are met by external entities.
The Power of Cloud Provider Inheritance
CSPs in the CMMC ecosystem must be FedRAMP Moderate (or equivalent) authorized. Authorized FedRAMP CSPs can be found here. Organizations using CSPs inherit numerous controls, particularly in physical security and encryption domains. For instance, if you’re using AWS or Microsoft GCC High, you can inherit FIPS 140-2 validated cryptographic modules (AC.L2-3.1.13) and physical access controls (PE.L2-3.10.1).
Don’t reinvent the wheel. Your CSP’s Customer Responsibility Matrix (CRM) is your best friend. Use it as your baseline for documenting inherited controls in your System Security Plan (SSP).
Prime Contractor Relationships: A Strategic Advantage
Working under a prime contractor who provides infrastructure like Virtual Desktop Infrastructure (VDI) can significantly reduce your control implementation burden. Key inheritable areas often include:
- Access control mechanisms (AC.L2-3.1.1)
- System and communications protection (SC.L2-3.13.1)
- Boundary protection controls (SC.L2-3.13.2)
This is a significant benefit of using a VDI. With a VDI-only solution that involves no local storage or processing of Controlled Unclassified Information (CUI), physical access controls (PE.L2-3.10.1 through PE.L2-3.10.5) are mostly non-applicable. But it’s not a “free pass” for CMMC. An organization is still responsible for organization-specific controls like:
- Personnel screening (PS.L2-3.9.1)
- Access authorization processes (AC.L2-3.1.2)
- Security awareness training (AT.L2-3.2.1, AT.L2-3.2.3, and AT.L2-3.2.3)
Whether leveraging a CSP or a VDI solution, careful scoping of how CUI flows through an organization is critical to limiting the scope and cost of CMMC compliance. Leveraging CSPs and VDI solutions can significantly reduce scope and costs – especially if your prime is responsible for the VDI.
Smart Documentation: The Key to Success
Here’s a streamlined approach to documenting inherited controls:
- Create a master spreadsheet mapping inherited controls from cloud providers, primes, and Managed Service Providers (MSPs)
- Reference provider responsibilities in your SSP instead of duplicating content
- Focus documentation efforts on your unique implementation requirements
- Clearly delineate responsibility boundaries in your SSP
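As an added illustration of the master-spreadsheet step (example code written for this post, not a tool from CMMC Today or any provider), the script below merges constructed CSP and prime CRM entries with the organization's own implementations into one shared responsibility matrix and reports any requirement that nobody covers. The responsibility labels, provider names and sample matrices are assumptions, not any provider's real CRM.

```python
"""Consolidate a CMMC shared responsibility matrix (SRM) from provider CRMs."""
from collections import namedtuple

# Assumed normalisation of the responsibility labels found in a CSP's CRM.
PROVIDER, SHARED, CUSTOMER = "provider", "shared", "customer"

Row = namedtuple("Row", "requirement status sources note")


def build_srm(requirements, provider_matrices, org_implemented, org_not_applicable):
    """Return one Row per requirement saying who satisfies it.

    provider_matrices:  {provider_name: {requirement_id: PROVIDER|SHARED|CUSTOMER}}
    org_implemented:    requirement ids the organization implements itself
    org_not_applicable: {requirement_id: justification} for scoped-out requirements
    A requirement nobody covers is reported as a GAP rather than silently dropped.
    """
    rows = []
    for req in requirements:
        inherited = [n for n, m in provider_matrices.items() if m.get(req) == PROVIDER]
        shared = [n for n, m in provider_matrices.items() if m.get(req) == SHARED]
        own = req in org_implemented
        if req in org_not_applicable:
            rows.append(Row(req, "not-applicable", [], org_not_applicable[req]))
        elif inherited:  # fully provider-satisfied: reference the CRM in the SSP
            rows.append(Row(req, "inherited", inherited, "reference provider CRM in SSP"))
        elif shared and own:  # provider covers its portion, org documents the rest
            rows.append(Row(req, "shared", shared + ["organization"], "document customer portion"))
        elif shared:  # provider marks it shared but the org has no customer-side implementation
            rows.append(Row(req, "GAP", shared, "customer-side portion undocumented"))
        elif own:
            rows.append(Row(req, "organization", ["organization"], "full narrative required"))
        else:
            rows.append(Row(req, "GAP", [], "no provider or organizational coverage"))
    return rows


def gaps(rows):
    return [r.requirement for r in rows if r.status == "GAP"]


# Constructed sample data: a CSP's CRM and a prime's VDI matrix (hypothetical values).
REQUIREMENTS = ["AC.L2-3.1.1", "AC.L2-3.1.2", "AC.L2-3.1.13", "AT.L2-3.2.1",
                "PE.L2-3.10.1", "PS.L2-3.9.1", "SC.L2-3.13.1", "SC.L2-3.13.2"]
PROVIDER_MATRICES = {
    "csp": {"AC.L2-3.1.13": PROVIDER, "PE.L2-3.10.1": PROVIDER,
            "SC.L2-3.13.1": SHARED, "AC.L2-3.1.1": CUSTOMER},
    "prime_vdi": {"AC.L2-3.1.1": PROVIDER, "SC.L2-3.13.2": PROVIDER,
                  "SC.L2-3.13.1": SHARED, "PS.L2-3.9.1": CUSTOMER},
}
ORG_IMPLEMENTED = {"AT.L2-3.2.1", "PS.L2-3.9.1"}
ORG_NOT_APPLICABLE = {}  # e.g. PE requirements for a VDI-only environment with no local CUI

if __name__ == "__main__":
    for row in build_srm(REQUIREMENTS, PROVIDER_MATRICES, ORG_IMPLEMENTED, ORG_NOT_APPLICABLE):
        print(f"{row.requirement:13} {row.status:15} {','.join(row.sources) or '-':16} {row.note}")
```

The GAP rows are the ones that need either a provider commitment in writing or an organizational implementation before the SSP is complete.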
The Bottom Line
Control inheritance is a powerful tool for CMMC compliance. But it requires careful planning and documentation. Focus on clearly defining and documenting:
- Which controls you inherit
- From whom you inherit them
- How you implement your remaining responsibilities
Remember: Your SSP should be comprehensive but not overwhelming. Reference inherited controls efficiently while focusing detailed documentation on your organization’s unique implementations.
Looking to optimize your CMMC journey? Follow CMMC Today for more practical insights on cybersecurity compliance. And feel free to message me if you have any questions.