Microsoft Government CMMC AMA

You certainly can be compliant on-premises, no argument about that. Cloud services do help customers get a leg up on compliance as we offer a breadth of tools and services that allow customers to meet requirements for collaboration, security, compliance, device management, hardware, compute, memory, storage, development, etc. The reason folks are using the cloud is because they may not have the technical skill sets or the capital investment and time required to manage hardware and software and networking. For large companies that do have the expertise and capital their work force is looking for modern tools to compete in the market as well as the ability to attract and retain new talent who want to work from anywhere with any device (coauthoring, text, chat, calling, email, calling, meeting join, whiteboarding, @mentioning, etc.). While you may say that you do not have much need for cloud services, I would point out that you have limited organizational resilience (BC/DR plan) with your servers in-house at a single location. You also cannot leverage cloud economies of scale to free up cash flow and transfer CAPEX to OPEX thereby gaining benefit from a positive net present value. Moreover, you are highly vulnerable to risks inside and outside the org without having advanced machine learning to reason over your behavioral analytics, logs, devices and files to expose risks and take remediating steps. Lastly, you are doing everything all on your own, there is no cloud service provider to help with shared scope of responsibility, support escalations or professional services. So yes, you can be compliant on-prem, but it may not be a good idea given the benefits of the cloud and the fact that that is the direction that every technology company is going.

You certainly can be compliant on-premises, no argument about that. Cloud services do help customers get a leg up on compliance as we offer a breadth of tools and services that allow customers to meet requirements for collaboration, security, compliance, device management, hardware, compute, memory, storage, development, etc. The reason folks are using the cloud is because they may not have the technical skill sets or the capital investment and time required to manage hardware and software and networking. For large companies that do have the expertise and capital their work force is looking for modern tools to compete in the market as well as the ability to attract and retain new talent who want to work from anywhere with any device (coauthoring, text, chat, calling, email, calling, meeting join, whiteboarding, @mentioning, etc.). While you may say that you do not have much need for cloud services, I would point out that you have limited organizational resilience (BC/DR plan) with your servers in-house at a single location. You also cannot leverage cloud economies of scale to free up cash flow and transfer CAPEX to OPEX thereby gaining benefit from a positive net present value. Moreover, you are highly vulnerable to risks inside and outside the org without having advanced machine learning to reason over your behavioral analytics, logs, devices and files to expose risks and take remediating steps. Lastly, you are doing everything all on your own, there is no cloud service provider to help with shared scope of responsibility, support escalations or professional services. So yes, you can be compliant on-prem, but it may not be a good idea given the benefits of the cloud and the fact that that is the direction that every technology company is going.

Hi Joe - Great question. Many dib companies are evaluating how they can achieve CMMC compliance using what they already have in place. With that being said, implementing and maintaining the 110 controls of CMMC and meeting all of the 300+ assessment objectives on prem can be challenging. To help we have published the CMMC placemat to help you map individual services to requirements of CMMC: https://www.microsoft.com/en-us/download/details.aspx?id=102536. You might also find our blog on understanding compliance between offerings helpful: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326