Halfway through a recent CMMC scoping call, we stopped. We had mapped the CUI inside the boundary. Then a SaaS application surfaced. Cloud-hosted. ERP. Used across the business and with other defense customers.

Does it handle CUI? “We don’t restrict that.” “But it has a SOC 2 report.” “Is that good enough?”

I asked one more question: Is the application FedRAMP Moderate Authorized or does it have FedRAMP Moderate Equivalency? Silence.

This is where disciplined scoping earns its value. Under DFARS 252.204-7012, any cloud service provider storing, processing, or transmitting Covered Defense Information must meet requirements equivalent to the FedRAMP Moderate baseline. This is a DoD requirement. Equivalency provides an alternate path. Equivalent does not mean “secure.” Equivalent does not mean SOC 2.

A key distinction from the DoD CIO guidance: FedRAMP Moderate Authorization ≠ FedRAMP Moderate Equivalency.

FedRAMP Moderate Authorization:
• A federal ATO granted by a federal agency or JAB
• Risk formally accepted by a government Authorizing Official
• Listed in the FedRAMP Marketplace

FedRAMP Moderate Equivalency:
• No federal ATO
• Requires a FedRAMP-recognized 3PAO assessment
• Requires a complete, reviewable Body of Evidence
• Must demonstrate full alignment to the Moderate baseline

If CUI is flowing into SaaS platforms, this is a critical issue. This is why scoping is the key to CMMC success. Stay sharp. Lead well. I’ll share the DoD memo in the comments outlining the FedRAMP Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings. The mission continues.

#cmmc #defensebase #cloudsecurity #fedramp A-LIGN Petar Besalev Mike Gallagher Pete Dudek Patrick Sullivan
Cloud Data Management for Defense Sector
Summary
Cloud data management for the defense sector refers to the use of secure cloud technologies to store, organize, and move sensitive military and government data, ensuring it is protected and accessible for authorized users. This practice is critical for defense organizations to meet compliance requirements, support operational agility, and enable secure collaboration across agencies and allies.
- Confirm cloud compliance: Always ensure your chosen cloud service provider meets required federal standards, such as FedRAMP Moderate Authorization or Equivalency, before storing sensitive defense information.
- Balance dual requirements: Remember that both your cloud provider’s certifications and your own cybersecurity practices are necessary—cloud compliance does not replace the need for your organization’s security controls and CMMC certification.
- Support real-time operations: Use cloud data solutions that enable secure, rapid data sharing and analysis to aid decision-making and maintain mission readiness, even in challenging or disconnected environments.
-
On the Topic of CMMC Help For Small Businesses
US Army NCODE – Funding Status in 2025

NCODE (Next‑Gen Commercial Operations in Defended Enclaves) is an Army pilot program designed to give small businesses in the defense industrial base access to a CMMC‑compliant secure cloud environment without the prohibitive cost of building one themselves. Announced by Under Secretary of the Army Gabe Camarillo in October 2024, NCODE moved into a two‑year, $26 million pilot phase running 2025–2027. The pilot is funded and active under the FY2025 defense budget signed by President Donald J. Trump in July 2025 (P.L. 119‑21), which includes allocations for cyber and supply chain security initiatives across the services. NCODE’s initial capability set covers office productivity tools in a secure enclave, with planned expansion to development, digital engineering, and other mission‑support tools as the pilot progresses.

“What’s great about it is that it’s compliant with CMMC [Cybersecurity Maturity Model Certification], so all of the department’s requirements would be met by operating in this environment.” - Army undersecretary Gabe Camarillo, 2024

My team and I piloted a program for the United States Department of War, with assistance from the National Security Agency, rather cost-effectively using an Amazon Web Services (AWS) IL4 cloud-hosted solution that was vendor agnostic I architected.

Features:
➡️ Regular penetration testing, vulnerability scans, alerts for known exploited vulnerabilities (KEVs), and immediate notifications for active threats.
➡️ As the CMMC evolved, updates to the CMMC level(s) framework controls and assessment guides were loaded into the system, such that the subscribed small businesses could correlate vulnerabilities and pen test results to CMMC compliance and identify gaps.
➡️ The solution also stored body of evidence data and maintained encryption from the source network to the isolated instance for each subscribed industrial base business (DIB) at rest and in transit, in addition to leveraging multi-factor authentication and secure key and secrets management.

The multi-year pilot accounted for not just IT but also OT assets on the DIB network. One of the lessons learned was that the smaller the DIB company, the more support they needed, regardless of the ease and plug-and-play aspect of the solution. This is where the National Security Agency and its Centers of Excellence in Cybersecurity were a valuable asset, allowing us to train college cybersecurity students, train them on CMMC assessment, and supervise them as they assisted each DIB company.

There are a number of other solutions on the horizon that I have sat in on and provided my thoughts on how they could improve and accelerate CMMC, as well as a few other aspects of cybersecurity compliance. Specifically, I have been advising on the use of AI as an accelerator.

#CMMC Maverc Technologies #AI Fernando Machado, CISSP, CISM, CCA, CCP Jacob Hill
-
Decision superiority isn’t just about faster jets — it’s about faster data. The MOD’s £19.68m contract with SixWorks to sustain and expand the NEXUS Air Information Platform shows that digital infrastructure is capability. As the core enabler of the wider five-part NEXUS programme, this cloud-based “data fabric” connects sensors and effectors across domains to give aircrews real-time decision advantage — turning information into a weapon system in its own right... What’s notable is how NEXUS links across services — integrating with Army ZODIAC, Navy StrikeNet, and aligning with NATO and the US Air Force’s battle management systems to create a single data layer and shared operating picture for allied forces. Keeping SixWorks onboard avoids capability regression, but it also underlines how embedded software providers are becoming mission-critical partners rather than contractors. As defence moves deeper into cloud-based, data-centric operations, how can the UK sustain agility and sovereignty while remaining interoperable with allied digital architectures? #defenceinnovation #digitaltransformation #raf #datainfrastructure #ukmod
-
More on why the IBM/Confluent Move is a Game-Changer for Mission-Critical Data...

The tech world is buzzing with end-of-year news, but the real development that should be capturing your attention in the Defense world is IBM's acquisition of Confluent. This isn't just another corporate deal. It fundamentally validates the principle that #data in motion is just as crucial as data at rest.

In complex, defense-grade environments, we are seeing an insurmountable challenge: managing immense, rapid streams of sensor, platform telemetry and maintenance, cybersecurity, operations, and logistics data. Traditional architectures are buckling under the pace... This is where Confluent steps in as the essential data ingestion and event-streaming backbone.

Integrating Confluent's capability into IBM’s portfolio, combined with our DataStax acquisition in May, accelerates our #AI strategy and now means that we can fully deliver something our clients urgently need: a robust, real-time data fabric. This fabric is designed to operate seamlessly from the tactical edge to the strategic command center, across hybrid cloud settings, and within the most stringent security and disconnected environments.

Here’s the practical impact that really excites me:
▪️ Elevated Situational Awareness: Moving from slow, siloed updates to continuous, real-time insights powered by streaming data.
▪️ AI at Machine Speed: Providing a powerful, real-time data foundation essential for deploying AI and autonomous decision-making at the edge.
▪️ True Resilience: Establishing a data backbone that maintains function despite outages, low bandwidth, and stressed conditions (DIL).
▪️ Accelerated Digital Transformation: Drastically reducing the friction involved in integrating decades of legacy systems with modern platforms.

For any organization driving joint operations, predictive logistics, or scaled cyber defense, the IBM + Confluent synergy is a transformative force. It accelerates our ability to help our United States Department of War and national security partners build the sovereign, secure, and real-time data infrastructure that the future of defense demands.

2026 is poised to be a landmark year for digital modernization. This acquisition ensures we, and the organizations we serve, are equipped to move forward faster, with greater security and confidence! https://lnkd.in/euwctikg
-
Matt Bruggeman recently posted a PSA that’s worth restating and expanding on: If you’re using a cloud product (a CSO) where CUI will live, whether file storage, email, SaaS, or infrastructure, that CSO must meet the FedRAMP Moderate ATO (or properly documented Equivalent) requirement. The way a CSO meets compliance is not with a CMMC certification. It’s with FedRAMP. This distinction comes up more often than you’d think. Many still assume that CMMC applies directly to the CSO. It doesn’t. A CSO that processes CUI must be FedRAMP Moderate Authorized or Equivalent; that’s how the CSO aligns with DoD’s requirements. For contractors, this means two things. First, you must verify that your CSP’s offering is FedRAMP Moderate ATO or Equivalent before placing CUI in that environment. Second, you must still achieve CMMC Level 2 across your own systems: access controls, incident response, configuration management etc., because FedRAMP covers the provider’s environment, while CMMC covers the contractor’s. FedRAMP and CMMC share NIST DNA, but they govern different pieces of the puzzle. FedRAMP authorizes the CSO to handle federal data. CMMC ensures the defense contractor is handling that data responsibly in its own business operations. Both layers are essential, and neither substitutes for the other.
-
Most people think “moving to the cloud” is just spinning up servers. In the DoD world, it’s really about protecting DISN from the cloud. That’s why the DoD created SCCA (Secure Cloud Computing Architecture), a framework built to prevent cloud hosted workloads from becoming an attack path back into DoD networks.

Here’s the part most folks miss. SCCA isn’t just “cloud security.” It defines who owns what and what security components must exist to safely connect commercial cloud to DoD environments.

What SCCA is really doing:
- How do we connect IL4/IL5 mission workloads to cloud without exposing DISN?
- Who is responsible for security between the Mission Owner, DISA, and the cyber protection team?
- How do we enforce security standards in a multi cloud ecosystem?

The key technical components (the backbone):
- CAP (Cloud Access Point): The controlled connection between DISN/NIPRNet and the cloud.
- VDSS (Virtual Data Center Security Stack): Security enclave in the cloud (WAF, next gen firewall, IDS/IPS).
- VDMS (Virtual Data Center Management Service): Where security policies are managed, updated, and enforced.
- TCCM (Trusted Cloud Credential Manager): The role + process that manages privileged access and enforces least privilege.

If you’re an ISSO, RMF analyst, or anyone involved in ATOs, this matters because SCCA impacts:
- system boundary decisions
- inherited controls
- evidence collection
- continuous monitoring
- IAM and privileged access governance

If you’re learning cloud in GovTech, SCCA is one of the most important frameworks to understand. Link: https://lnkd.in/eSfJD6Jw

#RMF #GovTech #CloudSecurity
-
Governments are moving national secrets to the cloud faster than they can secure it, and spending tens of billions trying to catch up. That creates a once-in-a-generation opportunity for founders who can close these 4 critical blind spots before adversaries exploit them.

The National Security Cloud Opportunity Stack for security innovators:

1) Multi-Cloud Security
→ Posture Management
78% of multi-cloud setups have critical flaws.
→ Supply Chain Risk
Every dependency is a threat surface.
→ Identity Controls
Nearly 40% of cloud breaches come from insiders, most unintentional. Cross-cloud access must be governed, scoped, and kill-switched by default.

2) AI-Driven Threat Detection
→ Behavior Monitoring
Rules don’t catch lateral movement. AI models that flag anomalies in user behavior will fill the gap.
→ AI Model Security
Attackers target the models themselves. Securing the AI layer, not just the infra, is the next defense frontier.
→ Predictive Intelligence
The future is prediction. Blending open-source and classified data to forecast threats.

3) Secure Integration
→ Cross-Domain Sharing
Data must move between classification levels securely. Tools that manage controlled transfers are core to Allied operations.
→ Secure Dev Pipelines
Solutions that bake in policy enforcement and automated testing—inside SCIFs—will lead.

4) Zero-Trust Implementation
“Never Trust, Always Verify” is now doctrine. But legacy systems aren’t going anywhere. The most valuable solutions will retrofit zero-trust across identity, access, and traffic, without requiring a rebuild.

Governments don’t invent. They buy innovation at scale. But the gaps are still wide: This is a National Security vacuum. If you’re building here, this is your moment.

P.S. Building in classified cloud, multi-cloud security, or AI integrity? Let’s talk. I’ve spent years studying how adversaries breach multi-cloud and air-gapped systems, and have built and exited 2 software firms in the GovCon space. If you’re scaling hard and need deep technical and go-to-market lift, my DMs are open.
-
Oracle just crossed an important threshold for the national security mission: Oracle Cloud Infrastructure Generative AI is now generally available in Oracle’s Top Secret classified cloud regions. Why this matters from a cloud + AI leadership lens: When GenAI moves into TS environments, it stops being a lab demo and becomes mission infrastructure. It can help teams accelerate analysis and decision support, strengthen cyber defense, speed up training and simulation, and prototype capabilities faster, all while operating inside the boundaries required for classified workloads. This is also a big step toward reducing “time-to-mission” by bringing GenAI to where sensitive data already lives, instead of forcing programs to re-architect just to use AI. Now the real work starts: turning TS GenAI into mission advantage. Let’s Go! #NationalSecurity #GenAI #CloudComputing #ZeroTrust #Cybersecurity #DefenseTech #Intelligence #MissionEngineering #DataStrategy #OCI #xAI #mission #DoW #DoD #Security #cloud #classified
-
NATO's move to Google Cloud isn't just another tech deal – it's a strategic shift in how military alliances approach digital sovereignty 🔐

Google just secured a multimillion-dollar contract to build completely air-gapped, sovereign cloud systems for NATO's Joint Analysis, Training, and Education Centre. This means fully disconnected environments with absolute data residency and operational control.

🔸 Zero compromise on data sovereignty – complete autonomy regardless of scale
🔸 Air-gapped infrastructure for maximum security in training and operations
🔸 Part of NATO's broader multi-cloud strategy (AWS and Microsoft are also in the mix)

This reflects a larger trend: 61% of European CIOs want to increase local cloud usage amid geopolitical uncertainty. When military alliances prioritize sovereign cloud capabilities, it signals where the future of critical infrastructure is heading.

The question isn't whether organizations will adopt sovereign cloud solutions – it's how quickly they can implement them without compromising operational efficiency.

More on The Register: https://ow.ly/3hNT50XzWpI