Forum Discussion

Demps1787
Copper Contributor
Aug 25, 2020

MS 365 and CMMC Level 1

CMMC Level 1 has 17 requirements. Does MS 365 address any of these requirements? NOT MS 365 + Azure but only MS 365. If so, please address each of the Level 1 requirements. If this is not the correct forum, please do a white paper.
Thank you.
Demps1787

2 Replies

  • DanNarloch
    Former Employee

    Demps1787 thanks for the questions. We think of Microsoft 365 Government as part of our overall solutions to address the needs of CMMC. There are Azure products that are built into Microsoft 365 Government and others that you can apply based on the needs you have in your environment. For more details please reference the attached CMMC Level 1 slide that lists the Microsoft 365 Government GCC High solutions for compliance and what domain controls they address. 

    • Demps1787
      Copper Contributor

      DanNarloch 

      Dan:

      Thank you for sending the PNG on the CMMC Level 1 domains. The response was more complex -- or just misunderstood -- than anticipated. In November 2019, DoD issued a compliance assessment grid showing that a specific CMMC Level 1 requirement was equal to a specific element of NIST-171 and therefore met a specific requirement of FAR 52.204-21. Example: FAR clause requires "limit system access to authorized users" which is a security element found at NIST-171, 3.1.1 and in turn the CMMC Matrix at A-4 will identify 3.1.1 as the CMMC Level 1 requirement (and CMMC further provides a "CMMC Clarification" at B-11 explaining NIST-171, 3.1.1). My Microsoft question is (and now I realize the preceding example is weak...): (1) the FAR clause requires "limit system access to authorized users" which (2) is a security element found at NIST-171, 3.1.1; which (3) is a requirement of CMMC Level 1; then (4) if MS 365 is installed with the network, then MS 365 can/will establish userID passwords for each user which will "limit system access to authorized users" because ... [how/why]. It's likely that MS response will include MFA because MFA is apparently a feature of MS 365. (BTW, my company's "MFA from MS 365" does not appear to work.) And then MS addresses the other 16 elements of the FAR clause and explains how MS 365 can satisfy (or not) the FAR clause requirements which equal CMMC Level 1. So the company's SSP for CMMC Level 1 is straightforward. If the MS 365 user knows that x of 17 CMMC Level 1 requirements are within MS 365's capabilities (or Microsoft Defender capabilities), then (among other things), the company may only need a limited (i.e., less expensive) "gap analysis" and can devote resources to addressing the MS 365 security gaps (e.g., some elements of MS 365 Managed Defense) and on training. But your initial response for CMMC Level 1 appeared to require an Azure account and other seemingly unnecessary subscriptions.
      So the apparent response is "No, MS 365 only covers about 2-4 CMMC Level 1 requirements and they are ..." Because it seems virtually certain that the entire federal government will adopt CMMC, perhaps MS should consider developing an updated MS 365 that meets all of Level 1 and is the preferred springboard to Level 3.
