Using Cloud Solutions to Protect Data Poses Questions.

Author: Ebner, Susan Warshaw
Position: Viewpoint

Whether small or large, a company that seeks to win a Defense Department contract involving controlled unclassified information needs to protect its information systems per the Defense Federal Acquisition Regulation Supplement Interim Rule and, where the Cybersecurity Maturity Model Certification (CMMC) program requirements are included in the contract, be certified for the appropriate level.

To achieve compliance, contractors face the choice of spending substantial capital to fortify and maintain their internal information systems, or subscribing to a cloud services provider that is in compliance with the new cyber directives.

Many businesses would opt for the cloud as the most cost-effective and efficient solution for compliance. However, businesses must apply a substantial amount of due diligence to understand what these providers can and cannot do to achieve cybersecurity that is customized to a defense contractor.

Recently, the Law and Policy Committee of the National Defense Industrial Association's Cybersecurity Division held its sixth in a series of tabletop discussions on Defense Federal Acquisition Regulations and CMMC to address the issue of using cloud service providers for compliance with defense requirements.

The panel of experts, who expressed only their individual opinions, included a Defense Contract Management Agency auditor, representatives from the CMMC Accreditation Body and cloud service providers, third-party application developers, and cybersecurity analysts. Engaging in tabletop exercises is an important element of compliance.

Both the National Institute of Standards and Technology Special Publication 800-171 and CMMC security controls mandate training and auditing to ensure that contractors know what they have to do if and when something goes awry and prompt action is needed.

There are some lessons learned from the tabletop and further points to consider as contractors determine how best to ensure their continuing compliance and security in the age of new regulations.

First, organizations can't just rely on a cloud service provider to automatically address all security issues.

They do provide a variety of solutions. However, not all will fit a given company's needs. A "customer responsibility matrix" is one of the most basic and important artifacts that must be developed between a contractor and a cloud provider. It allows the contractor to understand its responsibilities and delineates the role...
