Microsoft Government CMMC AMA
Event details
We want to hear from you, our customers, and answer your questions about how we can help you achieve CMMC compliance with your Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask Microsoft Anything" (AMA) session on Tuesday, April 12th from 10:30 AM - 11:00 AM PST here and answering questions in the comments below.
This event is open to all Tech Community members, and we'll have Microsoft product experts standing by to provide answers.
Feel free to post your questions about CMMC in the comments below beforehand if that fits your schedule or time zone better, though questions will not be answered until the live hour.
***Please note: This AMA will only answer questions about achieving CMMC compliance with Microsoft products, including Microsoft Azure and Microsoft 365.
98 Comments
- Sarah_Gilbert (Silver Contributor): Thank you for joining our AMA today! We appreciate all the great questions and hope you learned something new! I'll be locking this event to new questions and sharing a summary of the questions and answers in this space in a bit. Stay tuned for our next Public Sector AMA in the coming months!
- James Lucier (Copper Contributor): Are there plans to add the ability to back up Compliance Manager in GCC High? I believe that functionality is in commercial now.
- Justin_Orcutt (Microsoft): Hi James - What specifically are you trying to back up in Compliance Manager?
- James Lucier (Copper Contributor): The ability to save an assessment in progress. We had a client that was working on one and after an update was pushed they lost everything they had. Is there a way to back these up to make sure this does not happen again?
- MarkShadle (Copper Contributor): My apologies if this question was asked previously, but will a transcript of all the questions and answers be made available following this live discussion?
- Sarah_Gilbert (Silver Contributor): Hello Mark! This AMA is all text based and we will be leaving this up after the session is over for anyone to view 🙂
- rybo3000 (Brass Contributor): Is there an effective way to cross-map or compare Trusted Internet Connection (TIC 3.0) guidance with CMMC or 800-53 requirements? Agencies and industry are moving quickly towards TIC and zero trust concepts, and we'd love to keep all these initiatives aligned.
- RichardWakeman (Microsoft): Howdy Ryan! Always love your stump da chump! 🙂 Ultimately, our Federal customers must get Agency FedRAMP ATOs for connecting to O365 and Azure with supporting documentation to support the TIC. As it stands, most Federal customers enforce ExpressRoute through their TIC to Azure Gov (incl. GCCH & DoD). This is primarily assisted by our MS Federal support teams, but is really the gov't requirement as opposed to MSFT. Check out https://docs.microsoft.com/en-us/azure/architecture/example-scenario/security/trusted-internet-connections. For the mapping, TJ Banasic just released a Sentinel Solution that does some mapping: https://docs.microsoft.com/en-us/security/zero-trust/integrate/sentinel-solution. We can follow up with TJ on the cross-walk to 171/53, and the MS Federal teams if they can share some info. But my favorite aspect of TIC 3.0 is the ability to use ZTA to connect directly to the cloud. "Dynamic Routing" as we call it. Our whitepaper: https://cortacgroup.com/wp-content/uploads/2022/02/CMMC-and-Split-Tunnels_Feb2022.pdf
- Kenskens3104 (Occasional Reader): I was looking at Compliance Manager to address CMMC compliance. I see that it follows CMMC version 1. Is there going to be an update for CMMC 2.0 (https://compliance.microsoft.com/compliancemanager/assessmenttemplate/5ac960a0-37eb-431c-a4b6-939c39363568?viewid=Controls&templatename=CMMC%20Level%203), and is there a demo available to try / evaluate with?
- Paul Meacham (Microsoft): Howdy Ken! Regarding the CMMC Assessment Templates in GCC and GCC High: Compliance Manager is generally available in all Microsoft 365 cloud offerings, including GCC and GCC High. The Assessment Templates for CMMC are also generally available for your use today. We have made a licensing exception for the CMMC assessment templates in GCC and GCC High. While most other assessment templates require premium template licenses, the CMMC assessment templates do not require premium template licenses in GCC or GCC High. You will still need the proper Microsoft 365 SKU to get the rights for a user to access Compliance Manager. Please see the most up-to-date licensing requirements here and here. At the time of this writing, the CMMC assessment templates are included by default (free of cost) for GCC and GCC High with the following SKUs:
  - Microsoft 365 or Office 365 G5
  - Microsoft 365 G5/F5 Compliance
  - Microsoft 365 G5/F5 eDiscovery and Audit
  - Microsoft 365 G5/F5 Insider Risk Management
  - Microsoft 365 G5/F5 Information Protection and Governance

  Please note the CMMC assessment templates do require premium template licenses in Commercial. The licensing exception only applies to GCC and GCC High. As of the time of this writing, there is a 90 day trial for up to 25 premium assessment templates, including CMMC and NIST SP 800-171, in any cloud offering (Commercial, GCC, and GCC High). Please see premium assessment trial for more information.

  The Secure Score feature is still in preview within Commercial and GCC. Secure Score will not release in GCC High until it becomes Generally Available. As a result, automated testing does not work in GCC High. GCC High customers will need to manually implement and test their improvement actions in Compliance Manager. For more information, please see Settings for automated testing and user history.

  The CMMC 2.0 templates will be drifted into Compliance Manager this quarter; however, the NIST 800-171 templates are currently available. If you are preparing for a CMMC assessment you should consider taking a look at the Azure Sentinel CMMC 2.0 workbook. Read more here: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CybersecurityMaturityModelCertification(CMMC)2.0
- jolenetam (Microsoft): GCC High customers now have access to CMMC 2.0 Levels 1 and 2 assessment templates. By mid-April WWMT, GCC and DoD customers also will have access to Compliance Manager's updated CMMC Levels 1 and 2 assessments. Once CMMC 2.0 Level 3 regulation is published, the Compliance Manager engineering team will announce general availability for the updated CMMC Level 3 assessment templates.
- Sarah_Gilbert (Silver Contributor): For more information you can check out What's new in Microsoft Compliance Manager
- Shamshul Khaliq (Copper Contributor): If we want to migrate from Commercial to GCC High, the biggest hurdle is Voice. How is Microsoft looking to address the PSTN involvement via third-party? What is the best recommendation for someone who is on commercial and using Microsoft Teams for Calling?
- Justin_Orcutt (Microsoft): Hi Shamshul - Thank you for the question. You are correct that as organizations move into GCCH it is important for them to understand how audio-conferencing works. Organizations in GCCH that want to enable audio-conferencing will need to set up direct routing with an external telecommunications company. We have a few partners with GCCH specific offerings, including AT&T and Call Tower as an example. I hope this helps.
- LisaHaywood (Microsoft): This documentation might be helpful: https://docs.microsoft.com/en-us/microsoftteams/audio-conferencing-with-direct-routing-for-gcch-and-dod
- Joshua1984 (Copper Contributor): Can Co-Op funds be used to help Partners achieve CMMC Compliance?
- MarionRousseau (Microsoft): Hi Joshua, Partner Co-op funds are used for marketing efforts. You can use the "On Site Champion" option to create a solution or offering. This would allow you to hire a CMMC consultant to audit your offerings and make recommendations on how to adapt them to help your customers reach compliance. This could not be used to assess your own CMMC compliance gaps, for which we recommend going to a C3PAO for an assessment.
- MRConsulting (Copper Contributor): How does Microsoft plan to leverage CMMC for GCCH with customers who are in both GCCH and Commercial? Without cross-sovereign awareness for cloud tenancies, managing multiple tenants becomes cumbersome and overhead costly. While you can attain tenant-specific maturity levels, how does a multi-sovereign-cloud organization do this efficiently and cost-effectively? Example: Using the same tools in both tenants to manage document protection. Today, tenants cannot 'share' protection policies or labels. What is Microsoft's approach to allowing organizations that *have to* span different sovereign clouds a more unified administration and protection model?
- Paul Meacham (Microsoft): Howdy Marcos! Microsoft is in the same position. Microsoft runs a global business with more than 180k people homed in the WW service. In order to meet our contractual commitments to the US Federal Government, Microsoft formed the Microsoft Federal subsidiary business homed in a US//NOFORN GCC High tenant. Both the WW & FedNet tenants have separate SMTP addresses (@microsoft.com vs @microsoftfederal.com) and separate identities. We provide separate devices (both physical and virtual) to provide data isolation. We have separate administrators and cyber teams. There are some ways to wire up a Commercial tenant and a GCC High tenant, such as calendar free/busy, file sharing via one-time passcode (OTP) and Teams federation. There is also the idea of an extranet or a "meet me" tenant that can be used as an intermediate data repository and workspace. There is an article here that details some of the available cross-cloud and cross-tenant collaboration modalities: https://techcommunity.microsoft.com/t5/public-sector-blog/m365-cross-cloud-and-cross-tenant-collaboration-scenarios/ba-p/2967674 Microsoft is working on cross-cloud B2B (CCB2B) which will allow even more sharing modalities, as just about every one of our large, strategic customers operates globally and has some requirement for national cloud use cases (US, China, France, etc.). I hope this helps! Feel free to connect with me to discuss further 🙂
- Bergin2 (Microsoft): Marcos, great question. We are approaching that problem of CMMC as a common 3rd Party Validated standard that allows us to engage with partners at a common security posture. When we talk about bridging the commercial, or even another GCCH tenant, we have to recognize that not just MIP is an issue but citizenship access restrictions, geographic constraints, or other unique contractual terms. Establishing a DMZ offers one way to address project specific work items. It isn't perfect but it works today, and we, like you, have active contracts we need to keep supporting.
- TDS_David_W (Occasional Reader): The John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA 2019) also specifies restrictions for companies wishing to do business with the Defense Department. Products from three specific companies were banned, for example. However, there was also language about not being dependent on services "owned by, controlled by or connected to" the government of China. What does this mean for MS? Are you needing to research company ownership? Are you able to work on systems and data supporting US government data from China?
- Paul Meacham (Microsoft): Howdy David! Regarding the first part of your question: Specific to 889(a)(1)(A), relating to equipment or services produced by Huawei Technologies Co Ltd, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company, Microsoft cloud infrastructure teams do not currently purchase from these companies. Additionally, Microsoft Surface devices and accessories do not use any parts or equipment produced by these companies. Regarding the second part of your question: Microsoft Federal is a Microsoft subsidiary that supports the US Federal Government (Federal Civilian, IC, and DOD). This organization is homed in a US//NOFORN GCC High environment. Read more about Microsoft Federal here: https://www.microsoft.com/en-us/federal/ I hope this helps!
- SamClark2411 (Copper Contributor): What are thoughts around CUI and emails? Is email a communication mechanism forbidden to transmit CUI, or if the email system (Exchange Online) lives in a GCC High environment, then could it be acceptable (at least transmitting between other like CMMC level qualified entities)? I would assume that CUI should never be transmitted via email (because of the nature of CUI and email), but don't know of anything definitive on this topic.
- Smccartin (Copper Contributor): There are some complications with encryption. Assuming Microsoft uses FIPS compliant encryption, you would have to change the default TLS configuration from opportunistic encryption to forced encryption. Transmission of CUI is allowed as long as it is enclosed in FIPS approved encryption, though TLS only encrypts the transfer between mail servers, so something like S/MIME might be needed.
- Kenskens3104 (Occasional Reader): Might that not mean that all communication between his mail server and others would all have to have the same encryption settings?
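As an added example (not part of the thread above, and not Microsoft's guidance), this is how the change Smccartin describes, from Exchange Online's default opportunistic TLS to forced TLS for a specific partner, is typically made in Exchange Online PowerShell: a pair of Partner connectors that require TLS with certificate domain validation. The connector names and `partner.example.com` are placeholders. The `-ExchangeEnvironmentName O365USGovGCCHigh` value targets a GCC High tenant; omit it for Commercial. It also bears on Ken's follow-up: with `DomainValidation`, Exchange Online refuses to deliver to the listed domain unless the receiving server presents a trusted certificate matching `-TlsDomain`, so the partner's side must be set up to match or mail between the two parties fails rather than falling back to cleartext.

```powershell
# Added example: force TLS with certificate domain validation for mail exchanged with
# one partner domain in Exchange Online. Names and domains are placeholders.
# Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement

# GCC High tenants use the US Gov endpoint; drop -ExchangeEnvironmentName for Commercial.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

$partnerDomain = 'partner.example.com'   # placeholder: the other CMMC-scoped party
$outName = "Forced TLS to $partnerDomain"
$inName  = "Forced TLS from $partnerDomain"

# Outbound: do not deliver to the partner unless its server offers TLS with a certificate
# from a trusted CA whose subject or SAN matches the partner domain. Without this, Exchange
# Online's default is opportunistic TLS, which silently falls back to cleartext.
New-OutboundConnector -Name $outName `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerDomain `
    -Enabled $true

# Inbound: reject mail claiming to come from the partner domain unless it arrives over TLS
# with a certificate matching the partner's mail host.
New-InboundConnector -Name $inName `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerDomain `
    -Enabled $true

# Verify the resulting settings before relying on them.
Get-OutboundConnector -Identity $outName |
    Format-List Name, RecipientDomains, TlsSettings, TlsDomain, Enabled
Get-InboundConnector -Identity $inName |
    Format-List Name, SenderDomains, RequireTls, TlsSenderCertificateName, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

These connectors protect only the hop between the two organizations' mail servers. The message is still stored in cleartext at rest on both sides and on any intermediate relay outside the connector pair, which is the gap Smccartin's S/MIME remark points at; Exchange Online's S/MIME support is a separate configuration not shown here.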