The Relationship between DFARS/CMMC and Zero Trust Architecture (M3c)
This discussion will explore how the marriage of security and compliance within CMMC/DFARS requirements represents both an intermediary step and a great leap forward toward a Zero Trust world.
Description: Zero Trust requires IT systems to be aligned 1:1 with business workflows, so that people, processes, and technologies can be authenticated and matched to their authorized purposes/functions, roles, and responsibilities. Most organizations struggle with this "relationship" awareness between IT teams, network architectures, and business functions and activities. NIST SP 800-171 requires the authorization, authentication, and verification of the relationship between authorized users, processes, and devices and their access to Controlled Unclassified Information (CUI).
To meet DFARS/CMMC requirements, IT teams and business stakeholders have to face the challenge of aligning business processes and workflows with access restrictions on CUI data and the network resources logically connected to it. Reconciling identity to authenticate access, and access to enforce security policy, means reconciling and aligning IT architecture with business process, DoD contract performance, and Controlled Unclassified Information within NIST SP 800-171/CMMC requirements.
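The alignment described above (person, process, device, and data all matched to an authorized contract, role, and action before CUI is released) is what a Zero Trust policy decision point evaluates on every request. The following is an added illustration, not code from the session or from any CMMC/NIST publication: a small policy engine over a constructed model of subjects, devices, workflows, and resources. All identifiers (user names, device IDs, the `EXAMPLE-CONTRACT-A` contract label, the `baseline_compliant` device attribute) are assumptions made up for the example; a real deployment would source them from the identity provider, device management, and contract-assignment records.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


# Constructed model of the four "relationships" the description names:
# the person, the technology they use, the business process they act under,
# and the CUI resource tied to a specific DoD contract.

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]        # responsibilities the person holds
    contracts: FrozenSet[str]    # contracts the person is assigned to perform


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # enrolled in organizational device management
    baseline_compliant: bool     # assumed attribute: meets the 800-171 configuration baseline


@dataclass(frozen=True)
class Resource:
    path: str
    is_cui: bool
    contract: str                # contract whose performance this data supports


@dataclass(frozen=True)
class Workflow:
    name: str                    # the business process the request is made under
    contract: str
    allowed_roles: FrozenSet[str]
    allowed_actions: FrozenSet[str]


def decide(subject: Subject, device: Device, workflow: Workflow,
           resource: Resource, action: str) -> Tuple[bool, List[str]]:
    """Evaluate one access request. Returns (allowed, denial_reasons).

    Every failed relationship is recorded rather than short-circuiting, so the
    audit log shows exactly which alignment was missing. One failure denies.
    """
    denials: List[str] = []
    # Process <-> data: the workflow must serve the same contract as the data.
    if workflow.contract != resource.contract:
        denials.append("workflow/contract mismatch")
    # Person <-> contract: the user must be assigned to that contract.
    if resource.contract not in subject.contracts:
        denials.append("user not assigned to contract")
    # Person <-> role: the user must hold a role the workflow authorizes.
    if not (subject.roles & workflow.allowed_roles):
        denials.append("role not authorized for workflow")
    # Role <-> action: the action must be one the workflow permits.
    if action not in workflow.allowed_actions:
        denials.append("action not permitted by workflow")
    # Technology <-> data: CUI is only released to a managed, compliant device.
    if resource.is_cui and not (device.managed and device.baseline_compliant):
        denials.append("device not authorized for CUI")
    return (not denials, denials)


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed sample requests; each key names the situation being checked."""
    alice = Subject("alice", frozenset({"engineer"}), frozenset({"EXAMPLE-CONTRACT-A"}))
    bob = Subject("bob", frozenset({"hr"}), frozenset())
    managed_laptop = Device("lt-001", managed=True, baseline_compliant=True)
    personal_phone = Device("phone-byod", managed=False, baseline_compliant=False)
    drawing = Resource("/cui/contract-a/drawing.pdf", is_cui=True, contract="EXAMPLE-CONTRACT-A")
    design_review = Workflow("design-review", "EXAMPLE-CONTRACT-A",
                             frozenset({"engineer"}), frozenset({"read"}))
    payroll = Workflow("payroll", "INTERNAL",
                       frozenset({"engineer", "hr"}), frozenset({"read", "write"}))
    return {
        "aligned_request": decide(alice, managed_laptop, design_review, drawing, "read"),
        "unmanaged_device": decide(alice, personal_phone, design_review, drawing, "read"),
        "action_outside_workflow": decide(alice, managed_laptop, design_review, drawing, "write"),
        "wrong_workflow_for_data": decide(alice, managed_laptop, payroll, drawing, "read"),
        "unassigned_user": decide(bob, managed_laptop, design_review, drawing, "read"),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the example is that a single true/false from the identity provider is not enough: the request is allowed only when the user's contract assignment, the workflow's contract, the role, the action, and the device posture all agree, and a denial names the missing relationship so the IT team and the business owner can see which alignment is broken.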
This marriage of security and compliance serves as the cornerstone to meeting DFARS/CMMC requirements and the next giant leap toward a Zero Trust world.