Microsoft announced Tuesday it’s among the first defense contractors to complete a voluntary assessment for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) — an accomplishment that will notably have flow-down effects for smaller contractors that use Microsoft’s cloud services to host sensitive data.
The commercial cloud giant earned a perfect 110-point score on the Joint Surveillance Voluntary Assessment Program (JSVAP), jointly conducted by DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and third-party assessment organization Redspin, it announced in a blog post. The score results in a DIBCAC High certification that should translate to a level 2 CMMC certification for Microsoft when the final rule is issued and takes effect.
“At Microsoft Federal, we are constantly striving to enhance and ensure our products meet the highest standards of quality and security,” said John Bergin, director of federal security at Microsoft Federal. “The JSVAP assessment is a crucial step in this journey as it allows us to evaluate and validate the effectiveness of our cybersecurity capabilities. We are proud to take the lead in being one of the first to undergo a JSVAP assessment to reinforce our commitment to operating under strong cybersecurity protocols and providing the best technology solutions to our customers.”
Under the CMMC 2.0 rules, expected to go into effect in the coming months, contractors that handle the department’s controlled unclassified information (CUI) will have to be certified in meeting one of three tiers of cyber requirements.
While the voluntary CMMC assessment — before the rule has taken effect and thus isn’t yet required — is important for Microsoft’s own direct work with the Pentagon and puts it ahead of the cloud provider pack in doing so, it’s perhaps a bigger win for any smaller DOD contractors who use Microsoft’s Azure commercial or government cloud offerings as they should be able to inherit Microsoft’s certified baseline of security controls in their own CMMC assessment for anything that hasn’t been customized. At least that’s the understanding prior to DOD issuing its CMMC rule.
There have been many concerns from small businesses who worry they won’t be able to afford to meet the controls to earn an onerous CMMC certification. But by being able to inherit the controls of a managed service or cloud provider, they would likely need to meet only a small portion of the 110 controls set forth by CMMC and the National Institute of Standards and Technology’s SP 800-171.
Microsoft wrote in its blog that any of its defense industrial base partners required to meet Defense Federal Acquisition Regulation Supplement (DFARS) requirements for controlled information and cyber incident reporting “can have confidence that Microsoft is able to accept the flow down terms applicable to CSPs for Azure Government Services covered by the US Federal Risk and Authorization Management Program (FedRAMP),” which Pentagon officials have said should have reciprocity with CMMC.
DOD Principal Deputy CIO Dave McKeown last September at DefenseTalks called on cloud providers to help uplift smaller contractors in the defense industrial base.
“We’re still hearing cries from industry small, medium-sized businesses that maybe it’s too onerous to uplift your environment,” McKeown said. “We have a plethora of cybersecurity tools and services that we can offer to DIB partners, as well as we are again teaming with cloud providers to see what sort of secure environments they can provide that industry can just consume in order to protect DOD information.”