SOLVED

CMMC Acceleration Program


Can you update us on the timing and content of Microsoft's CMMC Acceleration Program? Based on the March blog by @RichardWakeman, it appears this would be very useful to us as we work toward Level-3 compliance. We can't, however, indefinitely pause our project as we wait for more information. Can't MS incrementally provide some guidance and support as we wait for the CMMC Accreditation Body to dot i's and cross t's?

2 Replies
best response confirmed by KenStewart (Brass Contributor)
Solution

@KenStewart We will be releasing the CMMC Acceleration program in waves. The first wave has been delayed by several months, as the CMMC roll-out of Level 3 guidance and audits has as well. Solutions for fundamental topics, such as how reciprocity will be established and how a tenant of the Microsoft cloud will be able to inherit coverage for practices, are still a work in progress. We are collaborating with the CMMC AB and partners to establish the initial program of reciprocity. Look for that to release in a private preview in the October timeframe. It is close to availability, based on a broad set of assumptions made in analysis by Microsoft and Partners. We are highly anticipating the assessment guidance from the CMMC to release in the coming weeks as well, which will hopefully give us a clearer set of assumptions to work with.

In parallel, we are working on updates to Azure Blueprints for NIST SP 800-171 to include CMMC Level 3 policy initiatives. This will be incorporated into the Azure Security Center for integration with your Azure subscription(s). You may access the existing blueprint today at https://aka.ms/nist800171r2-blueprint

We are also working on Compliance Manager templates for CMMC Levels 1-5. This will complement the existing NIST SP 800-171 template available today with coverage of the Microsoft 365 product suite. We also have a roadmap and intent to make the Compliance Manager available in Microsoft 365 Government (GCC High) by the end of the year. You may learn about the existing template in Commercial at https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview?view=o365-worl...

On the reference architecture front, we are working on an update to our Zero-Trust Architecture for Microsoft Azure. We plan to align this architecture with the requirements of CMMC Levels 3-5 for availability as soon as we stabilize the requirements and program of reciprocity for CMMC. The current version is available today, and is introduced at https://azure.microsoft.com/en-us/blog/automating-cybersecurity-guardrails-with-new-zero-trust-bluep...

We will have more information to come as the program evolves. As for pausing your project, I recommend working with one of our CMMC partners, as they are working closely with us to build the CMMC Acceleration Program.

I am also happy to answer any questions if you reach out to me by email.

Many thanks, @RichardWakeman, for a very comprehensive response. I'll look further into the references you provided.

One question for now: How can I find out about the CMMC partners working closely with you to build the CMMC Acceleration Program? We'd be very open to working with someone.
