How a Cloud Services Provider for CRM and Proposal Management Reduces Your Risk and Cost of CMMC Compliance
The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) as a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. CMMC is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs, and through self-attestation or formal independent assessment, provides the DoD increased assurance that contractors and subcontractors are meeting these requirements.
CMMC 2.0 published November 4, 2021, has three levels and Level 2 addresses information system (IS) security requirements a contractor must comply with to be eligible for DoD contract awards that include Controlled Unclassified Information (CUI). Other regulations related to aspects of CMMC include:
- DFARS 252.204.2008, Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204.7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- FedRAMP Moderate, Cloud Service Offering to the Federal Government
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations
[Figure: A comparison of CMMC 1.0 and CMMC 2.0]
This white paper discusses the impact of these requirements on government contractors, describes how the business development process and its supporting systems fall within the scope of these regulations, and explains how cloud services providers for CRM and proposal management can help small and mid-sized government contractors comply with dynamically changing cybersecurity requirements while staying focused on their revenue and growth goals.
CMMC Level 2 covers essentially the same set of NIST 800-171 controls as FedRAMP Moderate. To set the stage, a brief look at the DFARS, FedRAMP, and CMMC Level 2 specifications is helpful. These regulations overlap in that each requires implementation of the controls defined in NIST 800-171. DFARS 252.204.7012, paragraphs (c) through (g), specify guidance for cyber incident reporting. CMMC Level 2 essentially includes all of the FedRAMP Moderate NIST 800-53 controls specified in NIST 800-171, Appendix E. It should be noted that the DFARS regulations scope compliance to “in performance of this contract”: specifically, “all covered contractor systems that support the performance of this contract” (ref: DFARS 252.204.2008(b)) and “if the contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract” (ref: DFARS 252.204.7012(b)(2)(ii)(D)).
However, third-party CRM/business capture (i.e., pre-award) cloud applications, such as Capture2Proposal, can receive and store documents marked CUI from DoD sources or customers, and therefore need to meet these security standards. Our customers share responsibility, though, for meeting CUI compliance on their endpoint devices and in their IT environment.
How Capture2Proposal Meets Customer Security Requirements and Reduces the Risk, Cost and Complexity of Compliance
As a cloud-based Software-as-a-Service (SaaS) government contractor business development platform, Capture2Proposal has invested time, money, and resources to ensure compliance with DFARS, FedRAMP Moderate, and CMMC Level 2 requirements and is committed to meeting the security expectations of our customers – CMMC Level 2 for handling CUI, FedRAMP Moderate as a cloud service offering, and DFARS 252.204.7012 for incident response.
At the core of Capture2Proposal’s compliance efforts is moving Capture2 Inc. corporate and Capture2Proposal application resources to the Azure Government and Office 365 Government Cloud Computing High (O365-GCCH) environment and enlisting a Third Party Assessment Organization (3PAO) to assess our compliance with FedRAMP Moderate and CMMC Level 2 standards.
Azure Government and O365-GCCH hold a FedRAMP High authorization and a 3PAO attestation of meeting DFARS 252.204.7012 requirements. Capture2Proposal builds on Azure Government’s compliance by implementing the NIST 800-171 controls designated as “Cloud Service Provider (CSP)” controls in the Azure Government FedRAMP System Security Plan, in order to meet attestation requirements for FedRAMP Moderate and CMMC Level 2. Key compliance categories of interest to our customers are Access Control (AC) and Identification and Authentication (IA), Auditing (AU), Incident Response (IR), Media Protection (MP), and System and Communications Protection (SC).
- AC/IA: Capture2Proposal implements role-based access control and Multifactor Authentication (MFA) for customer application access. Customer accounts are created with a unique customer encryption key stored in Azure Key Vault. The customer Manager role assigns additional team members role-based accounts with access to Pursuit Flow features based on their team share or proposal development tasks.
- AU: Capture2Proposal utilizes Azure Sentinel for continuous monitoring of internal resource logs, access monitoring, and alerting of potential malicious events.
- IR: Azure Sentinel aggregates and analyzes activity from resources across the Capture2Proposal infrastructure to support instant notification for administrator review and action. Azure Backup supports data and resources backup, including encrypted customer documents.
- MP: All data is stored within Azure Government. Capture2Proposal disables external media on employee remote devices. Customers share responsibility for securing media access on their own devices.
- SC: Capture2Proposal treats documents that the customer uploads to the Pursuit Flow | Documents section of their Capture2Proposal pipeline opportunity as CUI; thus, files are encrypted with FIPS 140-2 cryptography in transit and at rest (in storage). The customer Manager role controls team members’ role-based access to documents in the Pursuit Flow module. Customers with access to restricted government solicitation sites configure their site credentials, encrypted in Key Vault storage, to enable Capture2Proposal to download contract opportunity documents into their private pipeline documents. The customer is responsible for protecting CUI once it is downloaded to their domain or devices. External connections to the Capture2Proposal application are made over HTTPS using the capture2proposal.us PKI certificate. Internal communications between the Capture2Proposal application and other Azure applications, functions, and storage are encrypted.
- Azure Firewall and Azure Web Application Firewall provide boundary protection to Azure Government resources and the Capture2Proposal application, respectively.
Next Steps – What You Can Do Now to Get Started on Your Compliance Journey
The overall goal for a government contractor, whether subject to self-attestation or an independent compliance assessment, is to have a documented, auditable, and repeatable process. The following key steps will enable you to accomplish this, and not only protect your business against cybersecurity threats but also meet CMMC requirements, which span your business operations, including capture and proposal management.
- Create an Information Security Policy (ISP) for the 110 NIST 800-171 control categories
- Identify where CUI exists in your IS environment
- Define procedures for handling CUI data
- Generate a System Security Plan (SSP)
- Assess your operations in accordance with NIST 800-171
- Document the Plans of Actions & Milestones (POAMs)
- Implement the Security Requirements in your systems, policies, and procedures
- Maintain Compliance
Partnering with Capture2Proposal as your capture and proposal management software platform delivers several key advantages from a security perspective:
- Enables your organization to comply with dynamically changing cybersecurity requirements by using a Cloud Service Provider (CSP).
- Provides a secure platform that helps drive our customers’ process improvement and increased effectiveness in business development and proposal management.
- Removes significant technical burdens from Government Contractors, allowing them more time to focus on achieving their business goals.
Capture2Proposal provides a business intelligence, capture, and proposal management solution within one secure, collaborative, and customizable platform.
About the Author
Mark Edwards, CISSP/MCSE/MSEE, is an engineer and cybersecurity professional at Capture2 Inc. supporting Capture2Proposal (C2P) data integrity and leading C2P’s Azure Government cloud migration and CMMC compliance efforts. He is a retired Air Force electrical engineer and contractor with 20 years of support to Navy and Army programs, including 6 years as site engineer for the Navy’s multilevel security, cross-domain intelligence system and 15 years as lead test engineer and Information Assurance Security Officer (IASO) for the Army’s MAC 1 tactical logistics system, during which time he obtained multiple DIACAP and DIARMF ATOs for the national server center and for the tactical systems deployed to worldwide theaters of operation.