We are excited to announce that Microsoft Compliance Manager is generally available to Microsoft 365 Government GCC and GCC High environments and soon to be released in DoD environment. Microsoft Compliance Manager helps government customers prioritize and take risk-informed actions that can help manage compliance.
Compliance Manager offers intuitive compliance management, a vast library of scalable assessments and built-in capabilities. To ensure GCC, GCC High and DoD customers get the most value from Compliance Manager, the Cybersecurity Maturity Model Certification (CMMC) assessment templates for Levels 1 through 5 are included with G5 licensing. In addition, we are excited to announce that Microsoft Compliance Configuration Analyzer (MCCA) is available in GCC and GCC High environments. MCCA provides additional reporting capabilities for your improvement actions.
The complexity of regulations makes it challenging for government organizations, contractors and IT administrators to know what specific actions they can take to meet their compliance requirements. Compliance Manager helps solve this problem, while providing easy guided onboarding and supporting twenty-four languages.
With a simple design that works out of the box, IT admins and compliance/audit officers can quickly collaborate to address compliance. With Compliance Manager, organizations can quickly identify and track the implementation of tenant-specific compliance actions against frameworks such as CMMC and NIST 800-53.
Frequently we've heard government agencies and contractors discuss the complexity of mapping all technical controls to a governance, risk and compliance (GRC) or homegrown compliance management tool. In many instances, an Excel spreadsheet is used to help track compliance, which can be daunting and still not provide clarity on recommended actions or next steps.
Compliance Manager offers a vast library of 325+ premium and included assessment templates, including those most important to your organization such as FedRAMP High, FedRAMP Moderate, DFARS, CJIS, and Cybersecurity Maturity Model Certification (CMMC) Levels 1-5. Through assessment templates, Compliance Manager recommends hundreds of improvement actions for your agency and/or contractors to implement (see Figure 1: Compliance Manager assessment templates).
Figure 1: Compliance Manager Assessment templates
With Compliance Manager you can readily track the compliance of any new application. You can import data from Excel, for example, into Compliance Manager without losing your compliance tracking status.
Translating regulatory requirements into specific actions and controls can be challenging, and many government organizations lack the resources to do this accurately. Point-in-time assessments (e.g., for quarterly/semi-annual/annual audits) also mean that organizations tend to have 'blind spots' between these assessment windows. To help you with these challenges, Compliance Manager comes with built-in capabilities such as:
Compliance score: With compliance score, you get a clear quantified assessment of compliance (Figure 2 below). You can also obtain your compliance score for a specific regulation or standard (e.g., NIST 800-53) or for a specific category (e.g., ‘Protect information’).
Figure 2: Compliance score in Compliance Manager provides a risk-based score
Control mapping: With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. Efficiency in achieving compliance and prioritizing actions to meet multiple regulations and standards is a must-have for organizations but is challenging. At Microsoft, we have a team of subject matter experts building and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Compliance Manager so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Compliance Manager, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicative work.
Continuous regulatory updates: All Compliance Manager assessments are kept up to date per evolving regulations and standards. You will see updates to assessments that you are using and get control over when you accept these updates, helping your compliance program stay current.
Continuous assessments: Available now in GCC and in spring 2021 for GCC High, Compliance Manager scans through your environment and detects your system settings, automatically updating the status of some of your technical controls. For example, if you configured multi-factor authentication in the Azure Active Directory (AAD) portal, Compliance Manager can detect the setting and reflect that in the control details. Conversely, if you haven't enabled multi-factor authentication, then Compliance Manager can flag that as a recommended action for you to take. Controls that are not yet automatically tested still rely on the status and evidence you record manually. We expect to extend this capability of automatic updates to additional controls in the future. With ongoing control assessment, you can begin to proactively maintain compliance, instead of reactively fixing settings following an audit.
Extended capability with Microsoft Compliance Configuration Analyzer (MCCA) preview
The MCCA solution (in preview) is available in GCC as well as GCC High environments. MCCA can help you quickly see improvement actions from the Microsoft Data Protection Baseline, a default assessment available in Compliance Manager, to apply to your current Microsoft 365 environment. MCCA is a PowerShell-based utility that retrieves your organization's current configurations, validates them against Microsoft 365 recommended best practices, and provides an overview report with compliance posture improvement actions that your organization can take in Compliance Manager.
MCCA offers three report types:
Geolocation-based reporting to assess sensitive information types (SITs) that align with your country or region.
Role-based reporting to show which roles within your organization may not be able to run the tool, or to provide insight into access limitations to certain information in the final report.
Solutions summary (see Figure 3 below) provides color-coded improvement actions broken down into three status states:
OK: the actions that meet recommended conditions and need no attention at this time
Improvement: actions that need attention
Recommendation: actions that don’t need attention, but for which we recommend best practices
Figure 3: MCCA report summary screen
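As an added example (not code from the original post or from the MCCA project itself), the following PowerShell session shows how running MCCA from a GCC High tenant typically looks, producing the geolocation, role-based and solutions summary reports described above. The module name MCCAPreview, the cmdlet Get-MCCAReport, its parameters -ExchangeEnvironmentName, -Geo and -Solutions, the environment name O365USGovGCCHigh and the region and solution codes are taken from the published MCCA setup documentation as I recall it; treat them as assumptions and confirm them with Get-Help before running.

```powershell
# Added example: run MCCA against a GCC High tenant.
# Assumptions: module/cmdlet/parameter names and the code values below come from the
# MCCA setup docs as recalled; verify with Get-Help Get-MCCAReport before use.

# Install the preview module for the current user only (no local admin rights needed).
Install-Module -Name MCCAPreview -Scope CurrentUser

# Confirm the parameter set the installed version actually exposes.
Get-Help Get-MCCAReport -Detailed

# Default run. -ExchangeEnvironmentName routes the Exchange Online connection to the
# .us (GCC High) endpoints; omit it for a GCC tenant. Sign in with an account that holds
# the compliance and Exchange roles MCCA needs; the role-based section of the report
# lists any checks the signed-in roles could not perform.
Get-MCCAReport -ExchangeEnvironmentName O365USGovGCCHigh

# Geolocation-based report: limit the sensitive information types (SITs) that are
# evaluated to selected regions. The numeric region codes are listed in the module help;
# the value 7 is used here as a placeholder (assumption), not a known mapping.
Get-MCCAReport -ExchangeEnvironmentName O365USGovGCCHigh -Geo @(7)

# Solutions summary scoped to specific workloads (solution codes per the module help;
# "OD", "SPO" and "Teams" are assumed values for OneDrive, SharePoint Online and Teams).
Get-MCCAReport -ExchangeEnvironmentName O365USGovGCCHigh -Solutions @("OD", "SPO", "Teams")
```

The cmdlet writes an HTML report to the local machine; review the OK / Improvement / Recommendation states in that file and then record the resulting actions against the Microsoft Data Protection Baseline assessment in Compliance Manager.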
Get started today
Compliance Manager is a powerful solution to help you simplify compliance and reduce risk. After assigning the appropriate permissions in Azure AD, administrators and compliance professionals can start using Compliance Manager by visiting the Compliance Portal (GCC – https://compliance.microsoft.com; GCC High – https://compliance.microsoft.us). If you already have a Microsoft 365 G5 or Office 365 G5 subscription, you can get started on your data protection journey by leveraging the default Microsoft Data Protection Baseline assessment, which draws its set of controls from key regulations and standards for data protection and general data governance.
Included assessment templates such as NIST 800-53 and CMMC Levels 1-5 are available to Microsoft 365 G5, Microsoft 365 G5 Compliance and Office 365 G5 subscribers at no additional cost. Beyond the included templates, Compliance Manager also offers a vast library of premium assessment templates from which you can select other assessments as needed (additional licensing required).
Watch this video to learn how to get started right away and watch these videos for further details.
Learn more about how to work with Compliance Manager here.
Visit the Virtual Hub to learn more about Microsoft Compliance and access technical training.
Read the latest Compliance Manager blog here announcing new capabilities and assessment templates that will be available in GCC and GCC High environments in the coming months and will help government organizations and contractors increase regulation visibility, further enrich the user experience, and save valuable time.
We look forward to hearing your feedback and stay tuned for additional innovation in Compliance Manager.
As the advanced compliance specialist for Microsoft 365 compliance solutions, you can connect with me here. Check out other Microsoft 365 compliance resources for US government.