Aug 25 2020 09:07 AM
Hi! Is there a map for NIST 800-53 or 800-171 or any of the CMMC levels available that I can use to show which controls my Microsoft 365 G5 usage maps to for compliance auditing?
Aug 25 2020 09:13 AM
@chriskeeling I'm a fan of the free spreadsheet/matrix that ComplianceForge put out to map CMMC controls: http://examples.complianceforge.com/cmmc/ComplianceForge%20-%20Cybersecurity%20Maturity%20Model%20Ce...
Aug 25 2020 09:17 AM
@chriskeeling We are working on a/some CMMC mapping guide(s) to help customers understand how products and features meet the requirements, but it is not publicly available. However, because of the mapping of NIST to CMMC this guide would be a good starting point today to help.
https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-nist-csf?view=o365-worldwide
Aug 25 2020 09:18 AM
@chriskeeling to view your G5 licensing purely from a Microsoft perspective: I would track down a commercial tenant and access Compliance Manager. There you can find a comprehensive accounting of each FedRAMP Moderate control (which is really just 800-53 Mod) and suggested 'Customer Actions' that leverage specific Microsoft Cloud technologies. Some of them may not be available in GCC High right now, however it's a starting point! From there, you're only one mapping away from 800-171 and CMMC (as found in the CMMC Appendices).
Aug 25 2020 09:20 AM
@MichaelKing Thanks! That's a fantastic spreadsheet for comparing the requirements of the different compliance models. However, it doesn't show how Microsoft 365 G5 provides services that map to any of the controls in a way that can easily be presented to an auditor or included in an internal document for tools compliance.
Aug 25 2020 09:22 AM
@dmcwee Thanks! When will those mapping guides be available and how will we get to them? Through the Compliance Manager or the MS Security Center?
Aug 25 2020 09:27 AM
@chriskeeling We've published a CMMC with Microsoft Azure (10 Part Blog Series) which will be helpful for your CMMC control mapping requirements.
Aug 25 2020 09:32 AM
@rybo3000 Thanks! I'm new to this whole compliance thing. :) I am in there now and we have a fresh install and I don't see any recommendations for Customer Actions. Are they the Improvement Actions on the MS 365 Security page?
Aug 25 2020 09:33 AM
Thanks, @TJBanasik! Now that Azure Blueprints for 800-171 (which is kinda sorta CMMC) have been announced: do you think we'll see a blog post on Configuration Management in the coming months?
Aug 25 2020 09:35 AM
@chriskeeling I would make sure you're visiting this URL: https://servicetrust.microsoft.com/ComplianceManager/V3
This tool is separate from the Security Center/Secure Score tools.
Aug 25 2020 09:37 AM
@TJBanasik Thanks! This is very useful and the mapping is straightforward. I particularly appreciate that you have included the steps for how to assign the policies and controls through Azure. Can I do them from within Microsoft 365 G5 or can I only do them by logging into our Azure portal to perform all of these tasks (as you describe on the blog)?
@rybo3000 Thanks again! Wow, this looks very comprehensive. :)
@TJBanasik a big focus in the CM domain (at least for me) is demonstrating the logical access restrictions for changes made to the system. My concern is that CMMC assessors could struggle with a cloud-first architecture, and so extra diligence would be required to prove how changes to Azure resources or Microsoft 365 resources (by way of Azure AD) are restricted. I'm guessing that JIT/PIM/PAM, admin role assignments, and conditional access policies are key here, although I'm sure there are network-level restrictions and other tools I'm not thinking of.
Aug 25 2020 09:49 AM
@Dean Gross Thanks! It says I have 12,093 Microsoft-managed points achieved out of a possible total of 16,101 points between Microsoft and our internal controls. How do I see which controls the Microsoft points are contributing to? I see the places to add Improvement Actions on our end, but no data about how 365 G5 is supporting the controls.
Aug 25 2020 09:56 AM - edited Aug 25 2020 09:59 AM
@chriskeeling when you go onto the Assessment tab in Compliance Center or into Compliance Manager it is broken out by each control and shows a column for MS and one for you, see https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-methodology?view=o365-wor... for some background on the calculations