
How Businesses Can Achieve CMMC Compliance with Cloud Zero Trust

If your organization does business with the Pentagon, you probably know that Cybersecurity Maturity Model Certification (CMMC) is an absolute requirement. If your organization does not, you should still take heed. Whatever industry you operate in, know that Zero Trust Network Access (ZTNA), a cloud-based, multi-level security model, can help you fulfill CMMC requirements—and Cloud Zero Trust is available as a service.

The concept behind Zero Trust is simple: Assume that every remote employee, partner, supplier, or third-party contractor who needs secure access to your network carries a potential threat. That is the cold truth of the business world today, and ZTNA can be the best way to protect any organization from cyberattack.

The Department of Defense (DoD) initiated the CMMC protocols in 2019 in response to significant compromises of sensitive information located on contractors’ networks. The certification process to determine whether an organization has the security necessary to work with sensitive Pentagon data is, of course, rather rigorous. 

CMMC requires that all DoD contractors be subjected to a cybersecurity evaluation by a Certified Third-Party Assessor Organization (C3PAO). These organizations are trained not by the DoD directly, but by an independent nonprofit called CyberAB.

Two years after launching CMMC, noting that organizations up and down its supply chain were becoming targets of increasingly frequent and complex cyberattacks by foreign-government adversaries and non-state actors, the Pentagon launched the enhanced CMMC 2.0 program, focusing on the most advanced cybersecurity issues and increasing DoD oversight.

Many in the defense industry have discovered that the surest way to guarantee CMMC compliance is to adopt a Zero Trust strategy. John Kindervag, who developed the strategic initiative he labeled Zero Trust in 2010, points out that it is not a technological innovation, but rather a philosophy or mindset that gives birth to a set of bulletproof practices. 

“Rooted in the principle of ‘never trust, always verify,’” Kindervag writes, “Zero Trust strategy is decoupled from technology, so while technologies will improve and change over time, the strategy remains the same.”

Connect Simply, Intelligently, Securely, at Scale

The ZTNA process begins by defining what Kindervag calls a “protect surface.” Also known as a “Zero Trust environment,” this designates the location of an architecture where Zero Trust controls and policies are deployed. These environments include traditional networks such as data centers, but more and more are deployed in public and private clouds, as well as endpoints such as laptops and phones.

By creating a Zero Trust environment separate from your main environment, you are essentially building an application layer overlay. This secure layer is protected by its own set of cybersecurity measures and defenses, including proactive threat monitoring and alerting.

Baked into the ZTNA system is the notion that every Zero Trust architecture is tailor made for an individual organization and its “protect surface.” The cybersecurity program is aligned to each organization’s strategic outcomes, which makes cybersecurity a business enabler, not the inhibitor that some business leaders see it as today.

A key innovation of ZTNA is the strict determination of who needs access to a resource in order to get their job done. This concept is called “least privilege.” It denies access to sensitive data unless there is an adequate business reason, verifying who is requesting access, the context of the request, and the risk involved in the access environment.

Five Steps to Implementing Zero Trust

1. Define the Protect Surface 

Identify the data, applications, assets, and services (DAAS elements) that need to be secured.

2. Map Transaction Flows 

Understanding how your network works is core to a successful Zero Trust deployment. By mapping transaction flows to and from the protect surface, you will know how various DAAS components interact with other resources on your network. This ultimately determines the design of your ZTNA environment. 

3. Build a Zero Trust Architecture

This, of course, is the heart of Zero Trust: each ZTNA environment is custom-made for its protect surface. Again, I will point out that many organizations work with cybersecurity experts and managed services providers who offer Cloud Zero Trust Network Access as a Service.

4. Create a Zero Trust Policy 

Zero Trust employs an old problem-solving trick known as the Kipling Methodology in a novel way, by applying six questions taken from a Rudyard Kipling poem to cybersecurity. Whenever access to the protect surface is being requested, this method ascertains the answers to these questions: Who is accessing the resource? What application is being used? Where is the packet destination? When, How and Why is the resource being accessed? Thanks to advanced technologies including AI, this all takes place instantly.

5. Monitor and Maintain the Network 

A key design principle of Zero Trust involves inspecting and logging all traffic. In addition to preventing data breaches, the telemetry provides security insights that can be analyzed using behavioral analytics, machine learning, and artificial intelligence to stop attacks in real time.
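To make steps 4 and 5 concrete, here is an added example (not code from the original post, and not any vendor's product) of a small default-deny policy engine. Each request is described by the six Kipling questions, every rule grants least-privilege access to one DAAS element, and every decision is written to an audit log that a monitoring routine can then analyze. The identities, CIDR blocks, ticket prefix, and requests are all constructed sample values, and the engine assumes the requester has already been authenticated upstream.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class AccessRequest:
    """One request for a DAAS element, described by the six Kipling questions."""
    who: str            # verified identity of the requester (authentication assumed upstream)
    what: str           # application or data set inside the protect surface
    where: str          # source address the request arrives from
    when: datetime      # time of the request (UTC)
    how: str            # access method, e.g. "https" or "ssh"
    why: str            # declared business reason (constructed: a change-ticket tag)


@dataclass(frozen=True)
class PolicyRule:
    """An allow rule for one DAAS element; anything not explicitly allowed is denied."""
    name: str
    what: str
    who: frozenset      # identities granted least-privilege access
    where: tuple        # CIDR blocks the request may originate from
    when: tuple         # (start_hour, end_hour) window in UTC, end exclusive
    how: frozenset      # permitted access methods
    why: str            # prefix the declared business reason must carry


def failed_questions(rule, req):
    """Return the Kipling questions the request fails against this rule ('what' matched already)."""
    failed = []
    if req.who not in rule.who:
        failed.append("who")
    src = ipaddress.ip_address(req.where)
    if not any(src in ipaddress.ip_network(net) for net in rule.where):
        failed.append("where")
    start, end = rule.when
    if not start <= req.when.hour < end:
        failed.append("when")
    if req.how not in rule.how:
        failed.append("how")
    if not req.why.startswith(rule.why):
        failed.append("why")
    return failed


def evaluate(req, rules, audit_log):
    """Default-deny policy decision; every decision, allow or deny, is appended to audit_log."""
    reasons = {}
    for rule in rules:
        if rule.what != req.what:
            continue
        failed = failed_questions(rule, req)
        if not failed:
            audit_log.append({"who": req.who, "what": req.what, "decision": "allow", "rule": rule.name})
            return "allow"
        reasons[rule.name] = failed
    # No rule allowed the request: record which questions failed, or that no rule covers 'what'.
    audit_log.append({"who": req.who, "what": req.what, "decision": "deny",
                      "failed": reasons or {"(no rule)": ["what"]}})
    return "deny"


def repeated_denials(audit_log, threshold=3):
    """Step 5 monitoring: identities denied at least `threshold` times in the log."""
    counts = Counter(entry["who"] for entry in audit_log if entry["decision"] == "deny")
    return sorted(who for who, n in counts.items() if n >= threshold)


# Constructed policy: only alice may reach the CUI file share, over HTTPS, from the
# 10.20.0.0/16 office range, during working hours, citing a CTR- ticket.
RULES = [PolicyRule(name="cui-share-engineering", what="cui-file-share",
                    who=frozenset({"alice"}), where=("10.20.0.0/16",),
                    when=(6, 20), how=frozenset({"https"}), why="CTR-")]


def _at(hour):
    return datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc)


# Constructed sample requests: one legitimate, three that each violate a different question.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "cui-file-share", "10.20.5.7", _at(9), "https", "CTR-1187 drawing review"),
    AccessRequest("alice", "cui-file-share", "203.0.113.9", _at(9), "https", "CTR-1187 drawing review"),
    AccessRequest("bob", "cui-file-share", "10.20.5.8", _at(9), "https", "CTR-1187 drawing review"),
    AccessRequest("alice", "cui-file-share", "10.20.5.7", _at(23), "ssh", "curious"),
]


def run_sample():
    """Evaluate the sample requests and return (decisions, audit_log)."""
    log = []
    decisions = [evaluate(req, RULES, log) for req in SAMPLE_REQUESTS]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_sample()
    for entry in log:
        print(entry)
    print("repeated denials:", repeated_denials(log, threshold=2))
```

The point of the structure is that the rule is the only place access is granted, so adding a second DAAS element means adding a rule rather than loosening an existing one, and the audit log carries enough context (which question failed) for the monitoring step to distinguish a mistyped ticket from an off-network login attempt.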

Cloud Zero Trust Network Access—Secure, Remote User Access, Streamlined

If you are operating in the defense industry, initiating a Zero Trust policy can guarantee that you will achieve CMMC compliance. ZTNA protocols are also highly recommended for those in industries where our national security is not at risk. 

For those in the financial industry, healthcare industry, and public institutions that have been entrusted with valuable and vulnerable user data, it is wise to put yourself in CMMC compliance even if you are not likely to face an audit by a C3PAO. Whatever industry you are operating in, if you are facing a watershed event such as a merger or acquisition, ZTNA will profoundly improve your security position and remove obstacles that might create complications.

As a big bonus, replacing your legacy access model with a Zero Trust model makes access much easier for everyone who uses your network, and much simpler for your organization to manage. Switching over from an access approach such as VPN will transform all your applications, allowing for simpler, smarter use at the same time that it allows you to achieve a truly secure business.

I hope you found this information helpful. As always, contact us anytime about your technology needs.

Until next time,


Meet the Author
Tim Burke is the President and CEO of Quest. He has been at the helm for over 30 years.