Evaluate CMMC posture with Compliance Manager in GCC, GCC High
Published Mar 03 2021 06:00 AM

We are excited to announce that Microsoft Compliance Manager is generally available to Microsoft 365 Government GCC and GCC High environments and soon to be released in DoD environment. Microsoft Compliance Manager helps government customers prioritize and take risk-informed actions that can help manage compliance. 


Compliance Manager offers intuitive compliance management, a vast library of scalable assessments and built-in capabilities. To ensure GCC, GCC High and DoD customers get the most value from Compliance Manager, the Cybersecurity Maturity Model Certification (CMMC) assessment templates for Levels 1 through 5 are included with G5 licensing. In addition, we are excited to inform you of the availability of Microsoft Compliance Configuration Analyzer (MCCA) available in GCC and GCC High environments. MCCA provides additional reporting capabilities for your improvement actions. 


Intuitive management 


The complexity of regulations makes it challenging for government organizations, contractors and IT administrators to know what specific actions they can take to meet their compliance requirements. Compliance Manager helps solve this problem, while providing easy guided onboarding and supporting twenty-four languages.


With a simple design that works out of the box, IT admins and compliance/audit officers can quickly collaborate to address compliance. With Compliance Manager, organizations can quickly identify and track the implementation of tenant-specific compliance actions against frameworks such as CMMC and NIST 800-53.


Scalable assessments  


Frequently we’ve heard government agencies and contractors discuss the complexity of mapping all technical controls to governance, risk and compliance (GRC) or homegrown compliance management tools. In many instances, an Excel spreadsheet is used to help track compliance, which can be daunting and still not provide clarity on recommended actions or next steps.


Compliance Manager offers a vast library of 325+ premium and included assessment templates, including those most important to your organization such as FedRAMP High, FedRAMP Moderate, DFARS, CJIS, and Cybersecurity Maturity Model Certification (CMMC) Levels 1-5. Through assessment templates, Compliance Manager recommends hundreds of improvement actions for your agency and/or contractors to implement (see Figure 1: Compliance Manager assessment templates).




Figure 1: Compliance Manager Assessment templates 


With Compliance Manager you can readily track compliance of any new application. You can import data from Excel, for example, into Compliance Manager and not lose your compliance tracking status.



Built-in capabilities 


Translating regulatory requirements into specific actions and controls can be challenging and many government organizations sometimes lack the adequate resources to do this accurately. Point-in-time assessments (e.g., for quarterly/semi-annual/annual audits) also mean that organizations tend to have ‘blind spots’ between these assessment windows. To help you with these challenges, Compliance Manager comes with built-in capabilities such as:


Compliance score: With compliance score, you get a clear quantified assessment of compliance (see Figure 2 below). You can also obtain your compliance score for a specific regulation or standard (e.g., NIST 800-53) or for a specific category (e.g., ‘Protect information’).




Figure 2: Compliance score in Compliance Manager provides a risk-based score 


Control mapping: With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. Efficiency in achieving compliance and prioritizing actions to meet multiple regulations and standards is a must-have for organizations but is challenging. At Microsoft, we have a team of subject matter experts building and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Compliance Manager so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Compliance Manager, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicative work. 


Continuous regulatory updates: All Compliance Manager assessments are kept up to date per evolving regulations and standards. You will see updates to assessments that you are using and get control on when you accept these updates, helping your compliance program stay current. 


Continuous assessments: Available now in GCC and in spring 2021 for GCC High, Compliance Manager scans through your environment and detects your system settings, automatically updating some of your technical control status. For example, if you configured multi-factor authentication in the Azure Active Directory (AAD) portal, Compliance Manager can detect the setting and reflect that in the control details. Conversely, if you haven’t enabled multi-factor authentication, then Compliance Manager can flag that as a recommended action for you to take. We expect to extend this capability of automatic updates to additional controls in the future. With ongoing control assessment, you can begin to proactively maintain compliance, instead of reactively fixing settings following an audit.



Extended capability with Microsoft Compliance Configuration Analyzer (MCCA) preview 


The MCCA solution (in preview) is available in GCC as well as GCC High environments. MCCA can help you quickly see improvement actions from Microsoft Data Protection Baseline, a default assessment available in Compliance Manager, to apply to your current Microsoft 365 environment. MCCA is a PowerShell-based utility that will retrieve your organization’s current configurations, validate them against Microsoft 365 recommended best practices, and provide an overview report with compliance posture improvement actions that your organization can take in Compliance Manager.   


MCCA offers three report types: 


  • Geolocation-based reporting to assess sensitive information types (SITs) that align with your country or region.
  • Role-based reporting to show which roles within your organization may not be able to run the tool, or to provide insights into access limitations to certain information in the final report.
  • Solutions summary (see Figure 3 below) provides color-coded improvement actions broken down into three status states:
      • OK: the actions that meet recommended conditions and need no attention at this time
      • Improvement: actions that need attention
      • Recommendation: actions that don’t need attention, but for which we recommend best practices



Figure 3: MCCA report summary screen  



Get started today 


Compliance Manager is a powerful solution to help you simplify compliance and reduce risk. After assigning the appropriate permissions in Azure AD, administrators and compliance professionals can start using Compliance Manager by visiting the Compliance Portal (GCC – https://compliance.microsoft.com; GCC High – https://compliance.microsoft.us). If you already have a Microsoft 365 G5 or Office 365 G5 subscription, you can get started on your data protection journey by leveraging the default Microsoft Data Protection Baseline assessment, which draws elements and sets of controls from key regulations and standards for data protection and general data governance.


Included assessment templates such as NIST 800-53 and CMMC Levels 1-5 are available to Microsoft 365 G5, Microsoft 365 G5 Compliance and Office 365 G5 subscribers at no additional cost. Beyond the included templates, Compliance Manager also offers a vast library of premium assessment templates from which you can select other assessments as needed (additional licensing required).


Additional resources: 


  • Watch this video to learn how to get started right away and watch these videos for further details. 
  • Learn more about how to work with Compliance Manager here. 
  • Visit the Virtual Hub to learn more about Microsoft Compliance and access technical training.
  • Read the latest Compliance Manager blog here announcing new capabilities and assessment templates that will be available in GCC and GCC High environments in the coming months and will help government organizations and contractors increase regulation visibility, further enrich the user experience, and save valuable time. 


We look forward to hearing your feedback; stay tuned for additional innovation in Compliance Manager.




As the advanced compliance specialist for Microsoft 365 compliance solutions, you can connect with me here. Check out other Microsoft 365 compliance resources for US government. 


  • Microsoft CMMC Acceleration Program Update – January 2021
  • Using Advanced Audit for your forensic investigation capability
  • Advanced eDiscovery demo for Gov cloud (video)
  • Enhanced regulatory, legal and forensic investigation capabilities now in the Government Cloud
  • Microsoft 365 Public Roadmap link to check status on upcoming Microsoft 365 compliance solution features: Microsoft 365 Roadmap: Microsoft 365 compliance solutions


