Azure Lighthouse and CMMC Compliance

I work for a consulting business which uses Azure Lighthouse to manage clients' Azure instances. Can we keep managing GCC or GCC High tenants in Lighthouse? How do we ensure compliance with CMMC if using Azure Lighthouse (issues surrounding data locations and movement)?

1 Reply



Thank you for your question regarding using Azure Lighthouse. After discussing this with the team, we wanted to make sure to provide the proper resources as well as some clarity. Azure Lighthouse is used within Azure and not for Office 365. GCC and GCC High are different types of tenants within Office 365. Microsoft now has 116 services covered by the Federal Risk and Authorization Management Program (FedRAMP) High Provisional Authorization to Operate (P-ATO) for Azure Government. More information on those programs is found here, with supporting documentation on using Azure Lighthouse here.
CMMC requires an evaluation of the contractor's technical security controls, process maturity, documentation, policies and processes to ensure security and resiliency. You will need to first assess what maturity level your company is aiming for and proceed with the needed changes or updates in order to qualify for that level of certification. We have a blog post on Accelerating CMMC compliance for Microsoft cloud (in depth review) here and a blog series on CMMC with Azure here. We hope this helps!