NeoSystems CISO Ed Bassett and Microsoft Senior Director Richard Wakeman sound off on CMMC

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Richard Wakeman is the Senior Director of Aerospace and Defense for Azure Global at Microsoft. He specializes in the defense industrial base (DIB) adoption of cloud services. Search for "Microsoft" and "CMMC" together, and you will land on Richard's blog posts. He joined Microsoft in 2007 as a developer. He became an identity and messaging expert at the dawn of Microsoft's online services. He has also worked in different product groups, leading cloud deployments, and has been a senior architect guiding the customer journey to the cloud. Richard is a knowledgeable and authoritative voice on CMMC and Microsoft.


Ed Bassett, CISO of NeoSystems, sat down with Richard Wakeman to discuss the implications of CMMC compliance and all its complexities. Here's how the conversation went.


NeoSystems: Let's start with the basics. So, Microsoft 365 has public cloud and community cloud versions available. Just start us off with an overview of those so we can be level-set on the terminology, and just give us a quick lay of the land.


Richard Wakeman: It is the most prevalent question that we get, especially from the Defense Industrial Base looking at which cloud service offering from Microsoft best aligns with your requirements, especially around data protection requirements for the US Department of Defense and other (compliance) regimes. This used to be a simple decision matrix when we first introduced our government clouds about a decade ago. If you were a US government customer, it's likely you would choose the US government cloud, and everybody else would go into the commercial cloud or stay on-premises. If you look at this journey over time, we've now introduced the ability for government contractors with eligibility to enter the government clouds. This includes the Defense Industrial Base.


We have also evolved to enable compliance scenarios in our commercial cloud, and even introduced data sovereignty and sovereign clouds as well. The way I like to break it down, oftentimes, in this discussion is to differentiate between the concept of data residency versus data sovereignty.


NeoSystems: Can you tell us more about data sovereignty and data residency? 


Richard Wakeman: If you think about data sovereignty, this is really an alignment with requirements that you get with things like export-control data that is in compliance with, for example, the Department of State, DDTC for [ITAR] export-controlled data, or even nuclear information and other requirements that would have U.S. citizenship and data center requirements for the continental United States (CONUS). Naturally, for data sovereignty, you would have requirements for data at rest only within the continental United States, as well as networks that are restricted to CONUS.


This includes data processing and service personnel. We've got a citizenship check for service personnel managing backend systems. Altogether, it gives you a solution where we can have a contractual obligation on the back end for those requirements for data sovereignty.  


On the other side of the equation, you have data residency. If you look at that, you could be in the commercial cloud, both for Azure commercial regions, as well as Microsoft 365, and select where your data is stored at rest. For data residency and the commercial cloud, you can select U.S. regions. However, if you look at the commercial side, the environment does have a global network. For example, if you're connecting from Australia into our global network, you may introduce data processing from outside of CONUS (OCONUS). 

That's a big difference. You also have service personnel who follow a support model within our commercial cloud offering. It does restrict us from being able to have that contractual obligation for things like International Traffic in Arms Regulations (ITAR) and data sovereignty requirements. If you look at the difference between Azure commercial versus Azure government, that's more Infrastructure-as-a-Service and Platform-as-a-Service side of the house. Naturally, you get data residency on Azure commercial. Our Azure government offers full sovereignty in the United States.  


We also have Microsoft 365 Government Community Cloud (GCC) High. GCC High is naturally paired with Azure Government. The combination of GCC High and Azure Government makes up our U.S. sovereign cloud. In the middle, we have what we often refer to as GCC "Moderate". That's very specifically Software-as-a-Service and is our Office 365 platform that was built primarily for state and local government and federal civilian agencies. You'll find it is paired with the Azure commercial platform. It restricts us from being able to meet data sovereignty obligations. For GCC, we cannot offer an ITAR amendment.


NeoSystems: In addition to what you may do as a cloud provider and what the customer may do, there are Microsoft partners, including us at NeoSystems, that offer managed services that would supplement those security controls that come from the cloud. How do those services fit into that overall compliance picture from your perspective?


Richard Wakeman: If you look at the CMMC Acceleration Program that we've constructed to help provide an accelerated path to compliance, a big part is working with our managed service providers, knowing that many of the small and medium-sized companies of the world have less formal IT departments, many of which don't have a formal program that would manage their security policies. It's a great opportunity to shift customer scope of responsibility over to the managed service provider. And that's where we've been leaning in, in terms of being able to deliver a platform that provides scaffolding to the managed service providers. So, let's just say that natively Microsoft can help you get half of the way there for compliance, contributing to the intent of over 50% of the controls.


NeoSystems: Let's go to DFARS 7012. That would be the next tier. As a company that has some controlled unclassified information (CUI) and is a defense contractor, the DFARS 7012 clause applies. That clause requires that cloud services be FedRAMP Moderate equivalent and has specific incident reporting requirements. All the Microsoft cloud versions that you mentioned have FedRAMP Moderate. How might a company evaluate choices between commercial, GCC, and GCC High, assuming that their intent is to store and process CUI where they've got to comply with that DFARS 7012 clause?


Richard Wakeman: This is where it really begins to introduce additional requirements that may drive you into a government cloud. If you look at that requirement for FedRAMP, I'd like to home in on that for just a minute, because there are assumptions people make by virtue of having a FedRAMP authorization. Often there's an assumption that just by being FedRAMP, there is a [U.S.] citizenship requirement for that cloud to be compliant [with FedRAMP]. If you look at customers that come to us and ask, "Hey, I'm looking for whether or not Microsoft commercial cloud is FedRAMP authorized," my question back to them is, "Why are you asking?"


If you're not a federal agency that has to go through an authorization themselves for FedRAMP, you would, as a commercial company - a Defense Industrial Base company - have additional requirements above and beyond FedRAMP. And that's where you get into DFARS 7012, especially with cyber incident reporting, sub-paragraphs (c) through (g), that we cannot do on the commercial cloud within Microsoft 365 commercial - as that would drive you now into a government cloud. From that perspective, we could also go into a whole dialogue around protecting Controlled Unclassified Information [CUI]. That's where you end up with the data sovereignty requirement.



About NeoSystems: For over 16 years, NeoSystems has helped businesses of all sizes become more successful. At the highest level, NeoSystems assists government contractors, nonprofit organizations and other project-driven businesses by enabling, running and securing their business. For each of these areas, we rely on people, processes, and toolsets to support our clients and accelerate their success. For more information visit


To listen to the entire interview visit our channel here or view the video below. 


