Microsoft Government CMMC AMA
Event details
We want to hear from our customers and answer their questions about how we can help them achieve CMMC compliance with their Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask Microsoft Anything" (AMA) session on Tuesday, April 12th from 10:30 AM - 11:00 AM PST here and answering questions in the comments below.
This event is open to all Tech Community members and we'll have Microsoft product experts standing by to provide answers.
Feel free to post your questions about CMMC in the comments below beforehand if that fits your schedule or time zone better, though questions will not be answered until the live hour.
**Please note:** This AMA is only to answer questions regarding achieving CMMC compliance with our Microsoft products, including Microsoft Azure and Microsoft 365.
98 Comments
- Joshua1984
Copper Contributor
Will Microsoft provide GTM resources to better enable Partners with this?
- RichardWakeman
Microsoft
Howdy Joshua, the CMMC 2.0 Acceleration Program was constructed as scaffolding for our partners. https://aka.ms/CMMCAccelerationProgramUpdate. Please also reach out to us directly for more discussion.
- skipster311-1375
Copper Contributor
We are building out a GCC High for CMMC Level 2. We already have a commercial tenant. Users will only have one device\workstation. How do we keep users from using their device that is Azure AD joined to the commercial tenant to log into the GCC High tenant? We don't want the users to have to use two separate devices (one for GCC High and one for commercial).
- Justin_Orcutt
Microsoft
Hi James - We see many organizations leveraging one device/workstation but having those users access both commercial and government environments. Most will leverage Azure Virtual Desktop (https://azure.microsoft.com/en-us/services/virtual-desktop/). We are also really excited about Windows 365, as some organizations do not have the bandwidth to manage the configuration of virtual desktops (https://docs.microsoft.com/en-us/windows-365/overview). Organizations that are already in GCCH leverage W365 or AVD to access commercial resources; this way users spend the majority of their time in a higher baseline environment. In the future W365 will be available for GCCH (https://www.microsoft.com/en-us/microsoft-365/roadmap?featureid=93691).
- Which certificate will be valid for Microsoft Endpoint Configuration Manager? And does MS-101 meet the requirement for MECM?
- Sarah_Gilbert
Silver Contributor
Hello! This AMA was specifically for CMMC, so I am not sure how your question pertains to this. I recommend getting started with this link here: https://trainingsupport.microsoft.com/en-us/mcp/forum/all/microsoft-intune/eb3f8646-9ff4-4fb1-a562-c9ec555ff292?auth=1
- Joeatheist
Copper Contributor
Thanks for holding this/these discussions! My company does not use any cloud services. It is a preferential choice made by our CEO. We are currently using Office 2021 Pro. Does this meet the requirements for NIST 800-171/CMMC 2.0? We also do not allow any remote connections; we all work in the office, not from home. Not much need for cloud services as we can store everything on our in-house physical server.
- Paul Meacham
Microsoft
You certainly can be compliant on-premises, no argument about that. Cloud services do help customers get a leg up on compliance as we offer a breadth of tools and services that allow customers to meet requirements for collaboration, security, compliance, device management, hardware, compute, memory, storage, development, etc. The reason folks are using the cloud is because they may not have the technical skill sets or the capital investment and time required to manage hardware and software and networking. For large companies that do have the expertise and capital, their workforce is looking for modern tools to compete in the market as well as the ability to attract and retain new talent who want to work from anywhere with any device (coauthoring, text, chat, calling, email, meeting join, whiteboarding, @mentioning, etc.). While you may say that you do not have much need for cloud services, I would point out that you have limited organizational resilience (BC/DR plan) with your servers in-house at a single location. You also cannot leverage cloud economies of scale to free up cash flow and transfer CAPEX to OPEX, thereby gaining benefit from a positive net present value. Moreover, you are highly vulnerable to risks inside and outside the org without having advanced machine learning to reason over your behavioral analytics, logs, devices and files to expose risks and take remediating steps. Lastly, you are doing everything all on your own; there is no cloud service provider to help with shared scope of responsibility, support escalations or professional services. So yes, you can be compliant on-prem, but it may not be a good idea given the benefits of the cloud and the fact that that is the direction that every technology company is going.
- Joeatheist
Copper Contributor
Unfortunately, the decision to go cloud is out of my hands. Our CEOs, past and present, do not want to utilize the technology. No amount of persuasion has worked since "the cloud" became a thing. That is not likely going to change anytime soon. Thank you for your input though. It is greatly appreciated.
- Justin_Orcutt
Microsoft
Hi Joe - Great question. Many DIB companies are evaluating how they can achieve CMMC compliance using what they already have in place. With that being said, implementing and maintaining the 110 controls of CMMC and meeting all of the 300+ assessment objectives on prem can be challenging. To help, we have published the CMMC placemat to help you map individual services to requirements of CMMC: https://www.microsoft.com/en-us/download/details.aspx?id=102536. You might also find our blog on understanding compliance between offerings helpful: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326
- RichardWakeman
Microsoft
Rich client software running on-premises, such as Office 2021, is considered COTS when it's not connected to the cloud. In other words, compliance is 100% customer scope of responsibility to get the endpoint where the COTS software runs to be compliant. Many of our customers will lay down a STIG for Windows and for Office to harden the endpoint. That said, we do recommend you use the suggestion by Justin for the Product Placemat. You will find that Microsoft Endpoint Manager (Intune) and Defender for Endpoint (EDR) are fabulous options to assist you in demonstrating compliance.
- Joshua1984
Copper Contributor
Can Co-Op funds be used to help Partners achieve CMMC Compliance?
- Sarah_Gilbert
Silver Contributor
Hello. Marion answered this question previously, but here is the answer from above: Partner Co-op funds are used for marketing efforts. You can use the "On Site Champion" option to create a solution or offering. This would allow you to hire a CMMC consultant to audit your offerings and make recommendations on how to adapt them to help your customers reach compliance. This could not be used to assess your own CMMC compliance gaps, for which we recommend going to a C3PAO for an assessment.
- Joshua1984
Copper Contributor
Does Microsoft have a Walking Deck that highlights the benefits and details of CMMC? (Like they do around other Cloud Industry Solutions)
- Sarah_Gilbert
Silver Contributor
Hi Joshua, not a deck, but check out the Microsoft CMMC page and this CMMC overview blog.
- TDS_David_W
Occasional Reader
How does MS plan to be CMMC compliant? Will there be products that have only US citizens with admin rights? Are any countries off limits for hiring people with powerful access?
- Bergin2
Microsoft
David, we plan on achieving CMMC V2 L2 as soon as the DoD releases final guidance. We have prepared and ensured our systems, security plans, and control procedures meet or exceed the existing guidance. GCCH currently has US Cit access restrictions in place and MSFT operates our Federal tenant on GCCH using US Cit admins, operating on US soil, only. This additional constraint is NOT a CMMC control but rather derived from existing arrangements with the USGov.
- LisaHaywood
Microsoft
In addition to being a Cloud Service Provider and System Integrator, Microsoft is also a Defense Contractor. As such, we too are undergoing our journey to meet CMMC compliance for federal business. All services released in the US Sovereign Cloud are contained within an accreditation boundary supporting US Export Controls requiring screened US persons and data sovereignty in the Continental United States (CONUS). Microsoft does not bar customers from deciding within their own tenant users who can/cannot have access nor do we screen your users for this. This is the responsibility of the customer.
- ndelena
Copper Contributor
What are the current rules around conducting a penetration test against a company's footprint in GCC High and Azure Government? We have a handful of clients that are expecting eventual CMMC Level 3 requirements.
- Justin_Orcutt
Microsoft
Hi Nick - Thank you for asking this. We do have Penetration Testing Rules of Engagement which outline scope and engagement: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement?msclkid=bf4ba221ba8711ec80349cf2bb73b179. Aside from this, Microsoft also conducts penetration testing of our services and software on a regular basis.
- ndelena
Copper Contributor
Thanks Justin! Just to clarify, these rules apply to GCC High and Azure Government as well?
- SamClark2411
Copper Contributor
Assumed that if you migrate to a Microsoft 365 GCC High environment and your AD lives in Azure, then Azure needs to also be in a GCC High environment, correct? And the same for the vice-versa scenario? It's not one or the other but rather both or neither?
- Justin_Orcutt
Microsoft
Hi Sam - This is an important underpinning to how the service works. If you are in M365 GCCH the identity will reside in Azure Gov. If you are in M365 commercial the identity will be in commercial. Here is a blog from Richard Wakeman with more information about this: https://techcommunity.microsoft.com/t5/public-sector-blog/history-of-microsoft-cloud-offerings-leading-to-the-us-sovereign/ba-p/2157821
- RichardWakeman
Microsoft
Also, if you are hosting "AD" as traditional Windows Server based VMs running AD DS, then we recommend those VMs run in Azure Government IaaS. Technically, those VMs can reside anywhere, but recommended guidance is to host the VMs in an environment where you can meet the higher watermark for compliance.
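One practical check for the pairing Justin and Richard describe (M365 GCCH identity lives in Azure Government, M365 commercial identity lives in the commercial Azure AD), added here as an example rather than Microsoft's own code: it reads a tenant's Azure AD v2.0 OpenID discovery document and reports whether the issuer sits on the commercial login host or the Azure Government one, flagging a mismatch against the cloud the compliance boundary assumes. The discovery endpoint path, the `issuer` field and the two login hosts are assumptions about the standard Azure AD discovery document; the tenant id and the three sample documents are constructed so the check runs offline.

```python
"""Verify which Microsoft identity cloud a tenant is served from.

Added example, not Microsoft's code. It assumes the Azure AD v2.0 OpenID
Connect discovery endpoint shape
  https://<login host>/<tenant>/v2.0/.well-known/openid-configuration
and that the JSON it returns carries an "issuer" URL whose host is the
login endpoint of the cloud instance (login.microsoftonline.com for
commercial/GCC, login.microsoftonline.us for Azure Government, which backs
GCC High). Tenant ids and sample documents below are constructed.
"""
import json
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

# Login host of the Azure AD instance behind each Microsoft 365 environment (assumed).
CLOUD_BY_LOGIN_HOST = {
    "login.microsoftonline.com": "commercial",  # M365 commercial and GCC
    "login.microsoftonline.us": "usgov",        # M365 GCC High / DoD
}


def discovery_url(login_host: str, tenant: str) -> str:
    """Build the v2.0 OpenID discovery URL for a tenant on a given login host."""
    return f"https://{login_host}/{tenant}/v2.0/.well-known/openid-configuration"


def classify_discovery(doc: dict) -> str:
    """Return 'commercial', 'usgov' or 'unknown' from the issuer host of a discovery document.

    An error response (no 'issuer') or an issuer on an unexpected host yields 'unknown'
    rather than guessing.
    """
    issuer = doc.get("issuer", "")
    host = urlparse(issuer).netloc.lower()
    return CLOUD_BY_LOGIN_HOST.get(host, "unknown")


def check_tenant(doc: dict, expected_cloud: str) -> dict:
    """Compare the cloud the discovery document points at with the one the org expects.

    For a GCC High deployment expected_cloud is 'usgov'; a finding means the identity
    (and therefore the M365 tenant) is not where the compliance boundary assumes.
    """
    actual = classify_discovery(doc)
    findings = []
    if actual == "unknown":
        findings.append(
            "issuer host not recognised; the response may be an error document: "
            + doc.get("error_description", doc.get("error", "no issuer present"))
        )
    elif actual != expected_cloud:
        findings.append(f"identity is served from the {actual} cloud, expected {expected_cloud}")
    return {"expected": expected_cloud, "actual": actual, "ok": not findings, "findings": findings}


def fetch_discovery(login_host: str, tenant: str, timeout: float = 10.0) -> dict:
    """Download the discovery document (network call; the offline samples do not use it)."""
    with urlopen(discovery_url(login_host, tenant), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample documents, trimmed to the fields this check reads.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
SAMPLE_USGOV = {
    "issuer": f"https://login.microsoftonline.us/{TENANT_ID}/v2.0",
    "token_endpoint": f"https://login.microsoftonline.us/{TENANT_ID}/oauth2/v2.0/token",
}
SAMPLE_COMMERCIAL = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
}
SAMPLE_ERROR = {  # constructed shape of an error body when the tenant is not found
    "error": "invalid_tenant",
    "error_description": "constructed: tenant not found on this login host",
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_tenant_cloud.py <login host> <tenant id or domain>
        # The cloud you expect is the one whose login host you queried.
        login_host = sys.argv[1].lower()
        doc = fetch_discovery(login_host, sys.argv[2])
        print(json.dumps(check_tenant(doc, CLOUD_BY_LOGIN_HOST.get(login_host, "usgov")), indent=2))
    else:
        for name, doc in [("usgov", SAMPLE_USGOV), ("commercial", SAMPLE_COMMERCIAL), ("error", SAMPLE_ERROR)]:
            print(name, check_tenant(doc, "usgov"))
```

Run with no arguments to see the three constructed samples evaluated against a GCC High expectation; the commercial sample produces a finding and the error sample is reported as unrecognised rather than silently classified. The same idea extends to the hosting question in Richard's reply: an AD DS VM's Azure subscription can be checked the same way by confirming which Azure AD instance the subscription's tenant is served from.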
- ptsukahara
Copper Contributor
Any plans/timeframe for Azure DevOps Service coming to GCC High?
- Justin_Orcutt
Microsoft
Hi Peter - At this point we do not have a timeline to share for Azure DevOps. With that being said, we see GCCH customers leveraging either Azure DevOps Server (https://azure.microsoft.com/en-us/services/devops/server/) or GitHub Enterprise deployed in Azure Gov.
- RichardWakeman
Microsoft
We are also closing the gap in functionality between ADO & GitHub, and it will surface as a SaaS offer in GCCH. The FedRAMP-compliant GitHub offering is called "GHAE".