Written by Alec Toloczko
As CMMC becomes more and more of a reality for DoD contracts, many organizations are struggling to quickly become compliant. This article provides an overview of the steps that companies handling ITAR or EAR data will need to take in order to achieve CMMC level 2 compliance via the Microsoft tech stack.
Environment
If you have an On-Prem or commercial environment today and are handling ITAR or EAR data, you will need to be in a Microsoft GCC-H environment. There are two ways you can achieve this.
The first is to set up a “greenfield” environment where users would essentially start from scratch, with no prior email history or historical records.
The second option is to migrate your data from On-Prem or commercial to GCC-H. This is the more expensive of the two options; however, users retain all the data they previously had on-premise or in their commercial tenant.
Licensing
Once you have decided on GCC-H, the next step is to find the correct licensing that, once fully configured, can comply with CMMC level 2. There are two options here as well.
The first is to get all users an M365 E5 license. This would satisfy all the technical controls of CMMC 2.0 and include features such as Defender for Office Plan 2, Entra ID Plan 2, Intune Plan 1, Defender for Endpoint Plan 2, DLP, and more.
The second option, and the one that KTL recommends to 95% of GCC-H clients, is M365 E3 with M365 E5 Security Add-on. Similar to the E5 license this model will satisfy the technical controls of CMMC 2.0 while not costing as much as the full E5 license.
So, what do you miss out on when you go with E3 & E5 Security? Power BI and Teams Phone are the only notable differences. You would not miss out on any of the compliance requirements or technical controls.
SSP
A System Security Plan has been a NIST 800-171 requirement since 2016. It is also a requirement for DFARS clause 7012, DFARS 7019, and CMMC. So what is an SSP?
An SSP is a detailed description/overview of an organization’s cybersecurity plan. The SSP provides a clear picture of the security requirements and how an organization implements, reviews, and protects these controls.
To remain in compliance, an SSP will need to be regularly reviewed by a cybersecurity team to ensure all policies & procedures are up to date and all technical controls are being satisfied.
Did you know KTL Solutions offers a no-cost CMMC consultation?