Microsoft Government CMMC AMA
Event Ended
Tuesday, Apr 12, 2022, 10:30 AM PDT
We want to hear from our customers and answer their questions around how we can help them achieve CMMC compliance with your Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask...
Sarah_Gilbert
Updated Apr 12, 2022
Joeatheist
Apr 12, 2022
Copper Contributor
Thanks for holding this/these discussions! My company does not use any cloud services. It is a preferential choice made by our CEO. We are currently using Office 2021 Pro. Does this meet the requirements for NIST 800-171/CMMC 2.0? We also do not allow any remote connections, we all work in the office, not from home. Not much need for cloud services as we can store everything on our in-house physical server.
Justin_Orcutt
Microsoft
Apr 12, 2022
Hi Joe - Great question. Many DIB companies are evaluating how they can achieve CMMC compliance using what they already have in place. With that being said, implementing and maintaining the 110 controls of CMMC and meeting all of the 300+ assessment objectives on prem can be challenging. To help, we have published the CMMC placemat to help you map individual services to requirements of CMMC: https://www.microsoft.com/en-us/download/details.aspx?id=102536. You might also find our blog on understanding compliance between offerings helpful: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326
- RichardWakeman
Apr 12, 2022
Microsoft
Rich client software running on-premises, such as Office 2021, is considered COTS when it's not connected to the cloud. In other words, compliance is 100% customer scope of responsibility to get the endpoint where the COTS software runs to be compliant. Many of our customers will lay down a STIG for Windows and for Office to harden the endpoint. That said, we do recommend you use the suggestion by Justin for the Product Placemat. You will find that Microsoft Endpoint Manager (Intune) and Defender for Endpoint (EDR) are fabulous options to assist you in demonstrating compliance.