Getting CMMC Compliant While Using AWS: A Guide

Companies that handle sensitive and confidential military information face a fast-approaching deadline to prove their cybersecurity compliance with the Pentagon. The Cybersecurity Maturity Model Certification (CMMC) promulgated by the U.S. Department of Defense (DoD) is in its last leg before appearing in all contracts. Organizations that handle sensitive and confidential information are tasked with meeting one of three CMMC security hygiene levels.

Failing to demonstrate through a CMMC audit that your business network can securely store and transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will result in organizations getting sidelined. Missing the CMMC deadline could mean not participating in lucrative DoD contracts or bidding on those expected in the next fiscal year.

If there’s a silver lining for military contractors and supply chain operations, it’s the fact that cloud-based Amazon Web Services (AWS), coupled with the support of a CMMC-certified firm, can quickly get your operation ready to bid on DoD work and keep essential revenue streams in place. If you are concerned about passing a CMMC audit or maintaining regulatory compliance, you’ll be pleased to know how the AWS CMMC combination can help get the job done.

What Defense Industrial Base Businesses Need to Know About CMMC

The DoD and U.S. Department of Justice (DOJ) have issued plain-talk reports regarding the attempts of enemy nations targeting our national security. In September, the DOJ charged six Russian computer hackers “with conspiracy to commit computer intrusion.” These well-funded advanced persistent threats sought to infiltrate networks in an effort to frustrate U.S. and NATO allies ahead of the Russian invasion of Ukraine.

In February 2022, the federal government admitted that another band of Russian threat actors breached the networks of multiple military contractors beginning in January 2020. The successful hacks gave the Pentagon reason to worry about national security because the U.S. Army, Air Force, Space Force and DoD Intelligence were all reportedly compromised, according to the NSA, CISA and FBI.

What’s disturbing is that these widespread data thefts are just the tip of the spear. That’s why the federal government requires organizations that handle CUI and FCI to identify which of the following three CMMC hygiene levels applies to their operation and implement the protocols.

  • Level 1: Referred to as foundational cyber hygiene, organizations that store and transmit FCI fall under the CMMC Level 1 standard. Companies must meet at least 17 controls consistent with the National Institute of Standards and Technology (NIST 800-171) guidelines. Although FCI is considered relatively low-level data, enemy states such as Russia and Iran attempt to piece shreds of information together in hopes of flushing out our country’s national security picture.
  • Level 2: Known as “advanced cyber hygiene,” outfits that handle CUI typically need to adhere to Level 2 minimum standards. Its regulations call for 110 NIST SP 800-171 best practices. Certain companies may be allowed to “self-attest” if they meet Level 2 CMMC compliance by scoring high enough on a standardized audit. Most operations that handle sensitive CUI must reach out and have a CMMC Third Party Assessor Organization (C3PAO) conduct an objective review that is reported to the Pentagon.
  • Level 3: Considered “expert cyber hygiene,” direct defense contractors and numerous subcontractors must pass a third-party audit and consistently maintain the heightened requirements of more than 110 NIST SP 800-171 practices and controls. The underlying expectation of CMMC Level 3 compliance includes the ability to detect, deter and repel the world’s most notorious Advanced Persistent Threats. Needless to say, that can prove a steep mountain to climb.

It’s important to note that the DoD has created some confusion about Level 2 compliance. If you’re unsure whether your company needs a C3PAO, contact Red River for a CMMC consultation. Keep in mind that meeting the Level 3 standard automatically ensures that you’re covered for Level 2. That being said, employing an AWS CMMC strategy may provide the fastest, most cost-effective way to stay in the DoD’s good graces.

What Is AWS and Why Does it Matter?

The ecommerce giant launched its web services wing in 2002. With much of the foundation already in place to support its multi-national system, the cloud-computing platform provides infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and packaged software-as-a-service (SaaS) opportunities. It also delivers outstanding database storage and content delivery capabilities. AWS is structured as a scalable pay-as-you-go model, and the DoD recognizes AWS compliance in terms of meeting military cybersecurity standards. To the surprise of some cybersecurity experts, the Pentagon handed AWS a portion of a $9 billion Joint Warfighter Cloud Capability contract in 2022.

The Joint Warfighter Cloud Capability was designed to manage CUI, secret and top-secret data that only authorized military personnel could access throughout the world. As part of the Pentagon’s long-term plan to modernize operations geared toward unmanned assets and satellite communication, getting tapped gave AWS a significant reputational boost. An Associated Press report confirmed the award was the “most important cloud deal” coming out of Washington, D.C., at the time. The point is that the Pentagon has placed its confidence in the cloud-based service. Industry leaders are on solid footing in terms of leveraging the service’s options to gain AWS CMMC Level 3 compliance.

How AWS Works

The Amazon system offers more than 200 distinct cloud services designed to meet specialized needs, delivered from data centers across upwards of 105 availability zones (AZs). Your organization can select which AZs make the most sense in terms of productivity, communication and security compliance. These are a handful of cloud-computing solutions that drive AWS CMMC compliance.

Secure Data Storage

Referred to as Simple Storage Service (S3), Amazon offers military contractors secure scalable options that include data backups, collection and real-time analytics. With up to five terabytes of storage, companies can choose ongoing access or a discounted “Infrequent Storage” option. AWS also offers long-term data storage under its Amazon Glacier program, among other choices. One of the critical facets of AWS is that it makes secure data transfers from hard drives to the cloud possible. Using storage transmission devices under the “Snowball” brand, on-premises software products can leverage cloud-stored data.

Cloud Migration

Businesses participating in the nation’s defense typically need to move data off physical drives and into the cloud. The services provided by AWS support full and hybrid migrations. The AWS Migration Hub offers a pathway to manage data transfers in a secure cloud position. Once your FCI or CUI is uploaded, on-premises and cloud servers can be synced.

Networking

Leveraging solutions such as the AWS Virtual Private Cloud allows admins to oversee the entire virtual network. One of the perks of the Virtual Private Cloud program is that companies can separate DoD information and data from other facets of their operation. This type of segmentation is consistent with the zero-trust architecture the DoD prefers.

Security and Governance

The major issue for military contractors and supply chain businesses involves choosing a cloud solution that ensures determined cybersecurity. With AWS Identity and Access Management security, CIOs and administrators can define digital asset access parameters. Again, this system is consistent with the zero-trust cybersecurity measure urged by the DoD.

Adding to its cloud security, AWS comes with tools designed to recognize potential threats and assess digital landscapes for inherent vulnerabilities. Simultaneously, its cloud security services offer encryption tools specifically conceived to defend against distributed denial-of-service (DDoS) cyberattacks.

Artificial Intelligence

The AWS service offers a suite of AI opportunities that can be integrated into a CMMC compliance posture. Applicable subcategories of AI and machine learning include Amazon Rekognition, which provides image and facial recognition; its automated CodeGuru Security, which is designed to identify inefficiencies; as well as predictive maintenance benefits through the AWS Lookout for Equipment. The deployment of strategic AI and machine learning has been a boon for organizations that require sustainable, high-level cybersecurity.

What Is AWS GovCloud?

Amazon earned the trust of the Pentagon by implementing strategies to ensure the security of CUI, FCI and other sensitive digital assets. The AWS GovCloud was conceived to provide American agencies with a space to transfer information that involves national security into the cloud. GovCloud helped achieve AWS compliance regarding defense data. It adheres to the stringent cybersecurity regulations put forward under the Department of Defense Security Requirements Guide (DoD SRG) and the Federal Risk and Authorization Management Program (FedRAMP).

Defense contractors and military service providers can manage government-related data in GovCloud. The service restricts information access to personnel using frameworks such as AWS GovCloud (US) Security. In the spirit of diligently protecting national security, AWS has a program specifically developed to meet the standards established under CMMC. It also supports compliance efforts to meet International Traffic in Arms Regulations.

Importance of the FedRAMP Program

Formed in 2011, FedRAMP delivers a cost-effective, risk-averse way to embrace cloud usage and initiatives. It has been deemed reliable by a variety of federal agencies, most importantly the Pentagon. Using next-generation technologies and data security approaches, FedRAMP can adequately protect CUI, which supports AWS CMMC Level 3 regulatory compliance.

The FedRAMP Authorization Act was signed into law in 2022 as part of the National Defense Authorization Act codified in 2023. That’s why leveraging Amazon’s services gives defense companies an edge in terms of AWS CMMC Level 3 audits.

Useful AWS Compliance Controls

Amazon offers a variety of tools that help organizations keep critical data out of the hands of hackers and rogue nations. The U.S. government, as well as non-profits and educational institutions, leverage solutions such as the following.

  • AWS Config: This managed service helps users with inventory, configuration, security and governance. It records configuration details and resources that pinpoint items at a given time. AWS Config has proven beneficial when an organization undergoes a security analysis or CMMC audit.
  • CloudTrail: The AWS CloudTrail solution empowers enterprises to improve their risk assessments, governance and CMMC compliance capabilities. Any and all actions taken by a network user are logged and recorded. In the event of a cybersecurity incident, companies have a reliable history they can quickly access in order to take proactive measures.
  • GuardDuty: Through 24-7 monitoring and analysis, GuardDuty employs wide-reaching threat data. It puts known malicious IP information to work, checks file hashes and uses machine learning technologies to detect malicious software or actions within the cloud landscape. AWS GuardDuty relentlessly searches for precursors to a ransomware attack, unusual patterns, atypical user behavior and the presence of malware, among other cybersecurity threats.

Adding to its AWS CMMC regulatory compliance capabilities, Security Hub collects data across cloud accounts. Its purpose involves gathering information so it can be assessed for imminent threats. Security Hub adheres to wide-reaching cybersecurity standards such as the Center for Internet Security frameworks. More importantly for corporations tasked with passing CMMC audits, it meets the guidelines established by the National Institute of Standards and Technology (NIST). Much of the CMMC mandate follows NIST controls and best practices.

Red River Can Help You Get CMMC Compliant Using AWS

Protecting valuable and confidential DoD data grows increasingly difficult as enemy nations fund threat actors to target our defense contractors and military supply chain organizations. The devastating losses Russian and Iranian hackers can inflict are only worsened by the danger in which stolen CUI and FCI places members of the armed services and our national security efforts. If you need reliable cloud services and an experienced CMMC firm to pass an audit and stay in compliance, Red River can help. We are a certified C3PAO supporting private-sector defense initiatives. Contact us today, and let’s get the process started.