Halfway through a recent CMMC scoping call, we stopped. We had mapped the CUI inside the boundary. Then a SaaS application surfaced. Cloud-hosted. ERP. Used across the business and with other defense customers.

Does it handle CUI? “We don’t restrict that.” “But it has a SOC 2 report.” “Is that good enough?”

I asked one more question: Is the application FedRAMP Moderate Authorized, or does it have FedRAMP Moderate Equivalency? Silence.

This is where disciplined scoping earns its value. Under DFARS 252.204-7012, any cloud service provider storing, processing, or transmitting Covered Defense Information must meet requirements equivalent to the FedRAMP Moderate baseline. This is a DoD requirement. Equivalency provides an alternate path. Equivalent does not mean “secure.” Equivalent does not mean SOC 2.

A key distinction from the DoD CIO guidance: FedRAMP Moderate Authorization ≠ FedRAMP Moderate Equivalency.

FedRAMP Moderate Authorization:
- A federal ATO granted by a federal agency or the JAB
- Risk formally accepted by a government Authorizing Official
- Listed in the FedRAMP Marketplace

FedRAMP Moderate Equivalency:
- No federal ATO
- Requires a FedRAMP-recognized 3PAO assessment
- Requires a complete, reviewable Body of Evidence
- Must demonstrate full alignment to the Moderate baseline

If CUI is flowing into SaaS platforms, this is a critical issue. This is why scoping is the key to CMMC success.

Stay sharp. Lead well. I’ll share the DoD memo in the comments outlining FedRAMP Moderate Equivalency for Cloud Service Providers’ Cloud Service Offerings. The mission continues.

#cmmc #defensebase #cloudsecurity #fedramp
A-LIGN Petar Besalev Mike Gallagher Pete Dudek Patrick Sullivan

Cloud Data Management for Defense Sector
Explore top LinkedIn content from expert professionals.
Summary
Cloud data management for the defense sector refers to the secure handling, storage, and processing of sensitive defense information within cloud environments, following strict government standards to protect data from threats and ensure compliance. This includes frameworks and certifications like FedRAMP and CMMC, which help defense contractors and agencies safeguard mission-critical data in both commercial and government clouds.
- Verify cloud compliance: Always check that your cloud service provider meets FedRAMP Moderate Authorization or documented equivalency before storing or processing sensitive defense data.
- Understand dual responsibilities: Ensure your business systems achieve CMMC compliance while your cloud provider focuses on FedRAMP standards, as both are required for handling defense information.
- Learn key frameworks: Familiarize yourself with Secure Cloud Computing Architecture (SCCA) and its components, which define security roles and controls for connecting cloud workloads to defense networks safely.
On the Topic of CMMC Help For Small Businesses

US Army NCODE – Funding Status in 2025

NCODE (Next-Gen Commercial Operations in Defended Enclaves) is an Army pilot program designed to give small businesses in the defense industrial base access to a CMMC-compliant secure cloud environment without the prohibitive cost of building one themselves. Announced by Under Secretary of the Army Gabe Camarillo in October 2024, NCODE moved into a two-year, $26 million pilot phase running 2025–2027. The pilot is funded and active under the FY2025 defense budget signed by President Donald J. Trump in July 2025 (P.L. 119-21), which includes allocations for cyber and supply chain security initiatives across the services. NCODE’s initial capability set covers office productivity tools in a secure enclave, with planned expansion to development, digital engineering, and other mission-support tools as the pilot progresses.

“What’s great about it is that it’s compliant with CMMC [Cybersecurity Maturity Model Certification], so all of the department’s requirements would be met by operating in this environment.” - Army Undersecretary Gabe Camarillo, 2024

My team and I piloted a program for the United States Department of War, with assistance from the National Security Agency, rather cost-effectively, using a vendor-agnostic Amazon Web Services (AWS) IL4 cloud-hosted solution that I architected.

Features:
- Regular penetration testing, vulnerability scans, alerts for known exploited vulnerabilities (KEVs), and immediate notifications for active threats.
- As the CMMC evolved, updates to the CMMC level(s) framework controls and assessment guides were loaded into the system, so that the subscribed small businesses could correlate vulnerabilities and pen test results to CMMC compliance and identify gaps.
- The solution also stored body of evidence data and maintained encryption from the source network to the isolated instance for each subscribed defense industrial base (DIB) business, at rest and in transit, in addition to leveraging multi-factor authentication and secure key and secrets management.

The multi-year pilot accounted for not just IT but also OT assets on the DIB network. One of the lessons learned was that the smaller the DIB company, the more support they needed, regardless of the ease and plug-and-play aspect of the solution. This is where the National Security Agency and its Centers of Excellence in Cybersecurity were a valuable asset, allowing us to train college cybersecurity students on CMMC assessment and supervise them as they assisted each DIB company.

There are a number of other solutions on the horizon that I have sat in on and provided my thoughts on how they could improve and accelerate CMMC, as well as a few other aspects of cybersecurity compliance. Specifically, I have been advising on the use of AI as an accelerator.

#CMMC Maverc Technologies #AI Fernando Machado, CISSP, CISM, CCA, CCP Jacob Hill

More on why the IBM/Confluent Move is a Game-Changer for Mission-Critical Data...

The tech world is buzzing with end-of-year news, but the real development that should be capturing your attention in the Defense world is IBM’s acquisition of Confluent. This isn’t just another corporate deal. It fundamentally validates the principle that #data in motion is just as crucial as data at rest.

In complex, defense-grade environments, we are seeing an insurmountable challenge: managing immense, rapid streams of sensor, platform telemetry and maintenance, cybersecurity, operations, and logistics data. Traditional architectures are buckling under the pace... This is where Confluent steps in as the essential data ingestion and event-streaming backbone.

Integrating Confluent’s capability into IBM’s portfolio, combined with our DataStax acquisition in May, accelerates our #AI strategy and now means that we can fully deliver something our clients urgently need: a robust, real-time data fabric. This fabric is designed to operate seamlessly from the tactical edge to the strategic command center, across hybrid cloud settings, and within the most stringent security and disconnected environments.

Here’s the practical impact that really excites me:
- Elevated Situational Awareness: Moving from slow, siloed updates to continuous, real-time insights powered by streaming data.
- AI at Machine Speed: Providing a powerful, real-time data foundation essential for deploying AI and autonomous decision-making at the edge.
- True Resilience: Establishing a data backbone that maintains function despite outages, low bandwidth, and stressed conditions (DIL).
- Accelerated Digital Transformation: Drastically reducing the friction involved in integrating decades of legacy systems with modern platforms.

For any organization driving joint operations, predictive logistics, or scaled cyber defense, the IBM + Confluent synergy is a transformative force. It accelerates our ability to help our United States Department of War and national security partners build the sovereign, secure, and real-time data infrastructure that the future of defense demands.

2026 is poised to be a landmark year for digital modernization. This acquisition ensures we, and the organizations we serve, are equipped to move forward faster, with greater security and confidence! https://lnkd.in/euwctikg

Matt Bruggeman recently posted a PSA that’s worth restating and expanding on: If you’re using a cloud product (a CSO) where CUI will live, whether file storage, email, SaaS, or infrastructure, that CSO must meet the FedRAMP Moderate ATO (or properly documented Equivalent) requirement. The way a CSO meets compliance is not with a CMMC certification. It’s with FedRAMP.

This distinction comes up more often than you’d think. Many still assume that CMMC applies directly to the CSO. It doesn’t. A CSO that processes CUI must be FedRAMP Moderate Authorized or Equivalent; that’s how the CSO aligns with DoD’s requirements.

For contractors, this means two things. First, you must verify that your CSP’s offering is FedRAMP Moderate ATO or Equivalent before placing CUI in that environment. Second, you must still achieve CMMC Level 2 across your own systems (access controls, incident response, configuration management, etc.), because FedRAMP covers the provider’s environment, while CMMC covers the contractor’s.

FedRAMP and CMMC share NIST DNA, but they govern different pieces of the puzzle. FedRAMP authorizes the CSO to handle federal data. CMMC ensures the defense contractor is handling that data responsibly in its own business operations. Both layers are essential, and neither substitutes for the other.

Most people think “moving to the cloud” is just spinning up servers. In the DoD world, it’s really about protecting DISN from the cloud. That’s why the DoD created SCCA (Secure Cloud Computing Architecture), a framework built to prevent cloud-hosted workloads from becoming an attack path back into DoD networks.

Here’s the part most folks miss. SCCA isn’t just “cloud security.” It defines who owns what and what security components must exist to safely connect commercial cloud to DoD environments.

What SCCA is really doing:
- How do we connect IL4/IL5 mission workloads to cloud without exposing DISN?
- Who is responsible for security between the Mission Owner, DISA, and the cyber protection team?
- How do we enforce security standards in a multi-cloud ecosystem?

The key technical components (the backbone):
- CAP (Cloud Access Point): The controlled connection between DISN/NIPRNet and the cloud.
- VDSS (Virtual Data Center Security Stack): Security enclave in the cloud (WAF, next-gen firewall, IDS/IPS).
- VDMS (Virtual Data Center Management Service): Where security policies are managed, updated, and enforced.
- TCCM (Trusted Cloud Credential Manager): The role + process that manages privileged access and enforces least privilege.

If you’re an ISSO, RMF analyst, or anyone involved in ATOs, this matters because SCCA impacts:
- system boundary decisions
- inherited controls
- evidence collection
- continuous monitoring
- IAM and privileged access governance

If you’re learning cloud in GovTech, SCCA is one of the most important frameworks to understand.

Link: https://lnkd.in/eSfJD6Jw
#RMF #GovTech #CloudSecurity