Microsoft Azure Remote Access For CMMC Compliance
Handling Controlled Unclassified Information (CUI) using virtual machines is proliferating in the Defense Industrial Base largely because Microsoft 365 GCC High is becoming ubiquitous as the go-to collaboration platform for Department of Defense contractors; Microsoft Azure Government is provisioned as part of this process for handling sensitive data. As a foundational platform for many Microsoft 365 services, Azure Government hosts many of the tools that make Microsoft 365 compelling for aerospace and defense contractors – endpoint management, cloud access security tools, compliance tools, authentication, email security, secure communications, and more.
In this blog, we'll cover why using Azure Remote Access, specifically to address CMMC compliance, should be a consideration for suppliers supporting the Department of Defense.
What is Microsoft Azure Remote Access?
Preparing for and maintaining CMMC Level 2 compliance is proving to be a challenge for small-to-medium defense contractors who support the DoD. The ability to scale, while also maintaining low costs, is a frustration for any organization that is creating technological advantages on behalf of the United States; this is especially applicable to contractors who need to provide IT access to their prime contractors, or other sub-contractors in the defense supply chain, while also maintaining compliance with current federal cybersecurity mandates.
Azure Remote Access allows customers to cost-effectively connect remote locations to Azure Government Virtual Machines/Applications and maintain CMMC Level 2 compliance by protecting/encrypting Controlled Unclassified Information (CUI) with TLS 1.2.
Handling CUI in Azure Government For CMMC Level 2
CMMC Level 2 compliance requires organizations to satisfy all 110 security controls from NIST SP 800-171. CMMC Level 2 certification is necessary for those who want to bid on DoD contracts that handle the following:
Controlled Unclassified Information (CUI) / Controlled Defense Information (CDI)
Controlled Technical Information (CTI)
Classifying and handling CUI can define the scope of an organization’s assessment, so it is critical that it is done properly. The number of CMMC requirements that apply to an asset varies with its classification, and the determining factor for asset classification is the way in which the asset interacts with sensitive data.
Microsoft's Azure Government provides the controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140-2 validated hardware security modules managed by Azure Key Vault. Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of DFARS 7012 and CMMC 2.0.
On-Premises versus Azure Government
Keeping up with increasing engineering workloads and the computing ability that innovation demands has proven to be a challenge for on-premises servers, forcing companies to invest in capital expenditures on an ongoing basis; as innovation continues, so do the costs associated with the data created. Migrating from legacy systems to secure cloud environments can carry significant costs, so the ability to set up a protected environment for remote access could be a solution for many contractors in the US supply chain.
Moving applications and workstations into Azure Government simplifies your compliance footprint by moving CUI and systems containing CUI into the Microsoft US Sovereign cloud and out of your local office buildings. Organizations gain performance, security, and flexibility while ensuring compliance with CMMC Level 2 requirements.
Azure Remote Access for CMMC
With proper configuration, an Azure Government tenant can be used for a myriad of purposes, with virtualization being a commonly deployed service in the DIB. This has become one of the easiest avenues to enable server and application compliance while enabling productivity and collaboration in a secure and compliant manner. We commonly see ERP systems, CAD workstations, and other GPU- and CPU-intensive applications moved into Azure Gov, thus leveraging the elasticity and security offered by the Microsoft cloud.
Azure Remote Access for CMMC enables organizations to meet the demands of the modern work environment and maintain government compliance without interrupting business processes.
A secure avenue of connectivity is created between employee workstations, regardless of their location, and their Microsoft 365-hosted and managed worksites, applications, and data. Organizations can control where users are able to VPN from, and admins can use Conditional Access policies to make sure that managed and compliant devices are the only ones accessing data. This gives the organization yet another capability geared towards uninterrupted business productivity.
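As an added example (not part of the original blog or any Microsoft tooling), the following audit checks exported Conditional Access policies for the two controls described above: a mandatory compliant device and a block on sign-ins from unapproved locations. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the sample policies and the named-location ID are constructed placeholders.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
# The named-location ID is a placeholder, not a real tenant value.
SAMPLE_POLICIES = [
    {"displayName": "CUI - require compliant device", "state": "enabled",
     "conditions": {"locations": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "CUI - block outside approved locations", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["<approved-named-location-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CUI - compliant device (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"locations": None},
     "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
]

def enforces_compliant_device(policy):
    """True only if an enabled policy makes device compliance mandatory."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled" or "compliantDevice" not in controls:
        return False
    # With operator OR, any other listed control (e.g. mfa) satisfies the policy,
    # so an unmanaged device can still reach the data.
    return grant.get("operator") == "AND" or controls == ["compliantDevice"]

def blocks_unapproved_locations(policy):
    """True if an enabled policy blocks all locations except an explicit allow list."""
    grant = policy.get("grantControls") or {}
    loc = (policy.get("conditions") or {}).get("locations") or {}
    return (policy.get("state") == "enabled"
            and "block" in (grant.get("builtInControls") or [])
            and "All" in (loc.get("includeLocations") or [])
            and bool(loc.get("excludeLocations")))

def audit(policies):
    """Return a list of gaps; an empty list means both controls are enforced."""
    gaps = []
    if not any(enforces_compliant_device(p) for p in policies):
        gaps.append("no enabled policy makes a compliant device mandatory")
    if not any(blocks_unapproved_locations(p) for p in policies):
        gaps.append("no enabled policy blocks sign-ins from unapproved locations")
    return gaps

if __name__ == "__main__":
    for gap in audit(SAMPLE_POLICIES):
        print("GAP:", gap)
```

On the constructed sample the audit reports the device gap: the first policy accepts MFA as an alternative to a compliant device, and the pilot policy is report-only.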
With the correct implementation of the Azure Remote Access solution, organizations develop site-to-site and point-to-site VPN capabilities for their Azure Government Tenant through TLS-encrypted tunneled connections.
Aerospace and defense contractors will be able to sufficiently protect their data while also allowing for the controlling and monitoring of remote access to information systems, properly securing sensitive information, and ultimately protecting the Warfighter.