Microsoft CMMC Acceleration

 

We are actively building out Microsoft CMMC Acceleration by developing resources for both partners and Defense Industrial Base (DIB) companies to leverage in their Cybersecurity Maturity Model Certification (CMMC) journey. These tools cannot guarantee a positive CMMC adjudication, but they may assist candidate organizations by improving their CMMC posture by going into a formal CMMC review in accordance with CMMC Accreditation Body standards. While we plan to release resources and guidance in waves, please keep in mind we are dependent upon the CMMC Accreditation Body finalizing the CMMC guidance itself.

 

For more information, please see Notices later in this article.

 

Here is a summary of current resources to help get you started.

 

 

Home Page for CMMC

Want to start your CMMC compliance journey on the right foot?  We have a home page for CMMC at https://aka.ms/cmmc.  Found on the Microsoft Federal site, the home page includes an outline of resources available, including references to our Microsoft Cloud service offerings and an up-to-date list of blogs and documentation we release (e.g. this article).  Please bookmark the site and leverage it as your launching point in all things Microsoft and CMMC.

 

While you are there on the Microsoft Federal site, also browse around and check out our Federal Segment on Defense and the Solutions we have for the Cybersecurity Executive Order.

 

 

 

Microsoft Product Placemat for CMMC 2.0

Microsoft Product Placemat for CMMC 2.0 is an interactive view representing how we believe Microsoft cloud products and services satisfy requirements for CMMC practices.  The user interface resembles a periodic table of CMMC Practice Families.  The default view illustrates the practices with Microsoft Coverage that are inherited from the underlying cloud platform.  It also depicts practices for Shared Coverage where the underlying cloud platform contributes coverage for specific practices but requires additional customer configuration to satisfy requirements for full coverage.  For each practice that aligns with Microsoft Coverage or Shared Coverage, verbal customer implementation guidance and practice implementation details are documented.  This enables you to drill down into each practice and discover details on inheritance and prescriptive guidance for actions to be taken by the customer to try to meet practice requirements in the shared scope of responsibility for compliance with CMMC 2.0.

 

In addition to the default view, you may select and include products, features and suite SKUs to adjust how each cloud product is placed with CMMC.  For example, you may select the Microsoft 365 E5 SKU for maximum coverage of CMMC where 6 of the CMMC practices are Microsoft Coverage and 72 practices are Shared Coverage.  This is extraordinary as over 70% of the practices for CMMC 2.0 Level 2 have coverage leveraging the spectrum of capabilities on the Microsoft cloud with the E5 SKU!

 

 

The Microsoft Product Placemat for CMMC 2.0 is currently in public preview.  It has been updated to include support for CMMC 2.0, Microsoft 365 Suite SKUs, and usability improvements based on public preview feedback.  In addition, the February 2022 public preview release has been updated to include implementation guidance for every practice in alignment with the Microsoft Technical Reference Guide for CMMC 2.0.  You may download a copy at:

 

              https://aka.ms/cmmc/productplacemat

 

Please share feedback at https://aka.ms/cmmc/productplacematfeedback.

 

 

 

Microsoft Technical Reference Guide for CMMC 2.0

The Microsoft Technical Reference Guide for CMMC includes implementation statements for an organization pursuing CMMC while leveraging relevant Microsoft services. This includes brief descriptions of relevant Microsoft cloud services and products, and links to further implementation documentation. The guide focuses on CMMC 2.0 Level 2.

 

If you think of the Microsoft Product Placemat for CMMC as being a level 100 document, the guide is level 200 and more.

 

The guide is organized in sections for each of the domains of CMMC 2.0 L2, beginning with Access Control:

 

AC.L2-3.1.1

Control Summary Information
NIST 800-53 Mapping: AC-2, AC-3, AC-17
Control : Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
Primary Services	Secondary Services
Azure Active Directory Azure RBAC Intune/Microsoft Endpoint Manager	Microsoft Information Protection Conditional Access Customer Lockbox Privileged Identity Management (PIM) Security and Compliance Center Microsoft 365 Web Apps M365 Groups

 

You may notice the guide has the same outline of Primary and Secondary Services as identified in the Microsoft Product Placemat for CMMC 2.0.  However, this document format lets us get into much more depth of the implementation statements as compared to the Placemat spreadsheet.  Go look at the section for SC.L2-3.13.7 on split tunneling to get an idea!

 

The Microsoft Technical Reference Guide for CMMC is currently in public preview.  You may download a copy at:

 

              https://aka.ms/cmmc/techrefguide

 

Please share feedback at https://aka.ms/cmmc/techrefguidefeedback.

 

 

Microsoft Compliance Manager with Assessment Templates

 

Compliance Manager overview

Microsoft Compliance Manager is a feature in Microsoft 365 compliance center that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager may help you throughout your compliance journey, from taking inventory of your apparent data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

 

The Compliance Manager helps simplify compliance and reduces risk by providing:

 

• Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs. 
• Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
• Detailed step-by-step guidance on suggested improvement actions to help you comply with the known CMMC standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you will see implementation details and audit results.
• A projected risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

 

Your Compliance Manager dashboard shows your current projected CMMC compliance score, helps you see what needs attention, and guides you to key improvement actions. Below is an example of what your Compliance Manager dashboard will look like:

 

 

Please note:  The Compliance Manager dashboard is a projection of your organization’s CMMC compliance profile based on all available information to date.  Microsoft is not an accrediting body under the CMMC, and thus cannot guarantee any outcome under the formal CMMC review process.

 

Understanding your compliance score

The Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score helps you prioritize which actions to focus on to improve your overall compliance posture.

The Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

 

CMMC Assessment Templates in GCC and GCC High

The Compliance Manager is generally available in all Microsoft 365 cloud offerings, including GCC and GCC High.  The Assessment Templates for CMMC are also generally available for your use today.  We have made a licensing exception for the CMMC assessment templates in GCC and GCC High.  While most other assessment templates require premium template licenses, the CMMC assessment templates do not require the premium template licenses in GCC nor GCC High.  You will still need the proper Microsoft 365 SKU to get the rights for a user to access the Compliance Manager.  Please see the most up-to-date licensing requirements here and here.

 

At the time of this writing, the CMMC assessment templates are included by default (free of cost) for GCC and GCC High with the following SKUs:

• Microsoft 365 or Office 365 G5
• Microsoft 365 G5/F5 Compliance
• Microsoft 365 G5/F5 eDiscovery and Audit
• Microsoft 365 G5/F5 Insider Risk Management
• Microsoft 365 G5/F5 Information Protection and Governance

 

Please note the CMMC assessment templates do require premium template licenses in Commercial.  The licensing exception only applies to GCC and GCC High.

 

As of the time of this writing, there is a 90 day trial for up to 25 premium assessment templates, including CMMC and NIST SP 800-171 in any cloud offering (Commercial, GCC, and GCC High).  Please see premium assessment trial for more information.

 

The Secure Score feature is still in preview within Commercial and GCC.  Secure Score will not release in GCC High until it becomes Generally Available.  As a result, automated testing does not work in GCC High.  GCC High customers will need to manually implement and test their improvement actions in the Compliance Manager.  For more information, please see Settings for automated testing and user history.

 

 

Defender for Cloud

Microsoft uses a wide variety of physical, infrastructure, and operational controls to help secure Azure, but there are additional actions you need to take to help safeguard your workloads. You may turn on Defender for Cloud to strengthen your cloud security posture:

 

• Assess and visualize the security state of your resources in Azure, on-premises, and in other clouds with Azure Secure Score;
• Simplify enterprise compliance and view your compliance against regulatory requirements such as NIST SP 800-171 and CMMC;
• Protect all your hybrid cloud workloads with Defender for Cloud, which is integrated with the Azure Security Center; and
• Use AI and automation to cut through false alarms, quickly identify threats, and streamline threat investigation.

 

You may assess the security state of all your cloud resources, including servers, storage, SQL, networks, applications, and workloads that are running in Azure, on-premises, and in other clouds. This includes the ability to visualize your security state and improve your security posture by using Azure Secure Score recommendations.  You may view your compliance against a wide variety of regulatory requirements or company security requirements by centrally managing security policies to perform ongoing assessment and get rich, actionable insights and reports to simplify compliance.

 

 

 

Note:  The Defender for Cloud is available today in both Commercial and in Azure Government.

 

Azure Policy Initiatives

An Azure Policy initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Azure initiatives simplify management of your policies by grouping a set of policies together, logically, as a single item.

A security initiative defines the desired configuration of your workloads and helps ensure you're complying with the security requirements of your company or regulators.

 

Like security policies, Security Center initiatives are also created in Azure Policy. You can use Azure Policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or for entire management groups.

 

You can add regulatory compliance standards as initiatives.  Azure Security Center's regulatory compliance dashboard shows the status of all the assessments within your environment in the context of a particular standard or regulation (such as CMMC).

 

Azure Policy Initiative for CMMC 2.0 Level 2 (NIST SP 800-171)

The Azure policy initiative for CMMC 2.0 Level 2 (NIST SP 800-171) is currently in public preview. The CMMC policy initiative builds upon the existing NIST SP 800-171 R2 policy initiative sample with the updated naming conventions defined by CMMC 2.0.

 

Note: We have deprecated the CMMC Level 3 blueprint for CMMC Model 1.2 with the release of CMMC 2.0.

 

Compliance Manager and the Azure Security Center

You may observe there are two different compliance tools depending on the use of Microsoft 365 or Microsoft Azure.  While there are currently two different tools, they are not mutually exclusive in use.  Holistic compliance with CMMC requires the use of both the Compliance Manager and the Azure Security Center.  You deploy the Compliance Manager with the Assessment Template for CMMC for coverage of Microsoft 365 products and features, such as Office 365 and Enterprise Mobility & Security.  Generally speaking, this includes coverage for most SaaS offerings.  You will also want to deploy the Azure Security Center with the Azure Policy Initiative for CMMC 2.0 Level 2 (NIST SP 800-171) for coverage of Azure IaaS and PaaS offerings.  We are working on integration between the two tools along with integration with Microsoft Sentinel in the future roadmap.  In the meantime, you will need to leverage both panes of glass for CMMC compliance.

 

Note:  Microsoft Sentinel may serve as a single pane of glass overlaying both Microsoft 365 and Microsoft Azure, as described next.

 

 

Microsoft Sentinel: Cloud-Native SIEM & CMMC 2.0 Solution

 

Microsoft Sentinel overview

See and stop threats before they cause harm, with SIEM reinvented for the modern world. Microsoft Sentinel is your bird’s-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT (information technology) costs.

 

• Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
• Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft
• Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
• Respond to incidents rapidly with built-in orchestration and automation of common tasks

 

Invest in security, not infrastructure setup and maintenance with the first cloud-native SIEM from a major cloud provider. Never again let a storage limit or a query limit prevent you from protecting your enterprise. Start using Microsoft Sentinel immediately, automatically scale to meet your organizational needs, and only pay for the resources you need.

 

For more information, please see https://azure.microsoft.com/en-us/services/microsoft-sentinel

 

 

Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

 

 

Microsoft Sentinel: CMMC 2.0 Solution

The Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution provides a mechanism for viewing log queries aligned to CMMC 2.0 requirements across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across 25+ Microsoft products. The solution includes the new CMMC 2.0 Workbook, (2) Analytics Rules, and (1) Playbook. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.

 

 

 

Note: A blog dedicated to this topic on the Microsoft Sentinel CMMC 2.0 Solution will be published in April 2022 and will be linked here ASAP.

 

Setting up the CMMC 2.0 Solution

This solution is designed to augment staffing through automation, query/alerting generation, and visualizations. This solution leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification 2.0 control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. Each CMMC 2.0 control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep links to referenced product pages/portals, recommendations, implementation guides, compliance crosswalks and tooling telemetry for building situational awareness of cloud workloads. The workbook contains 200+ visualizations for situational awareness of workload posture. Select both a Level and Control Family in the main selector to start navigating the workbook.

 

Prerequisites

• Access Microsoft 365 Compliance Manager: Assessments
• Planning: Review Microsoft Product Placemat for CMMC 2.0
• Onboard: Microsoft Sentinel and Microsoft Defender for Cloud
• Add the Microsoft Defender for Cloud: NIST SP 800 171 R2 Assessment to Your Dashboard
• Continuously Export Security Center Data to Log Analytics Workspace
• Extend Microsoft Sentinel Across Workspaces and Tenants
• Review: Microsoft Service Trust Portal

Deployment

• Microsoft Sentinel > Content Hub > Search “CMMC 2.0” > Install > Create > Configure Options > Review + Create
• Review Content
  2. Microsoft Sentinel > Workbooks > Search “CMMC 2.0”
  3. Microsoft Sentinel > Analytics > Search “CMMC 2.0”
  4. Microsoft Sentinel > Automation > Active Playbooks > Search “Notify-GovernanceComplianceTeam”, “Open-JIRA-Ticket”, “Create Azure DevOps Task”
• Review: ReadMe for additional Getting Started requirements.  
• Feedback: Let us know what you think in the survey

Print/Export Report

• Open CMMC 2.0 Workbook > Select Subscriptions/Workspaces/Time > Select Options > Workbook prints what’s visible for custom reporting requirements
• Set Background Theme: Settings > Appearance > Theme: Azure > Apply
• Print/Export Report: More Content Actions (...) > Print Content
• Settings: Layout (Landscape), Pages (All), Print (One Sided), Scale (60), Pages Per Sheet (1), Quality (1,200 DPI), Margins (None) > Print
• Executive Summary: Microsoft Defender for Cloud > Regulatory Compliance > Download Report > Report Standard (NIST SP 800 171 R2), Format (PDF)

 

 

 

Azure STIG Solution Templates

Security Technical Implementation Guide (STIG) solution templates are in preview for both Windows and Linux on the Azure Marketplace (commercial) and Azure Government Marketplace. These new templates accelerate speed to achieving Defense Information Systems Agency (DISA) STIG compliance by delivering an automated, one-click solution that enables customers to deploy, monitor, and maintain non-configured STIG-compliant Window or Linux Virtual Machines.

 

STIG is the Department of Defense’s (DoD) cybersecurity methodology for standardized security configurations for computer operating systems and other software and hardware. DISA releases updated STIGs for various operating systems on a quarterly basis. DoD agencies and DIB contractors use STIG-hardened virtual machines to run software programs for compliance. Manually implementing this complex methodology often delays cloud consumption. By providing simple selections, the Azure STIG solution templates fast-track STIG compliance and ultimately aids in cloud adoption.

 

Azure STIG solution templates

 

The solution works by leveraging out-of-box (OOB) images from the Azure Marketplace gallery to reduce the complexity involved with maintaining custom images. Desired state configuration is leveraged with PowerSTIG and several VM extensions to produce pre-hardened images. The resulting VMs are 90%+ STIG compliant after a successful deployment. The templates are composed of ARM templates and a custom UI to give users a native Azure portal VM deployment experience. Diagnostic logging can be optionally stored in a storage account and/or a Log Analytics workspace to provide detailed auditing information. 

 

For more information, please see Announcing Azure STIG solution templates to accelerate compliance for DoD

 

Quickly deploy DoD STIG-compliant images and visualize compliance using Azure

The Azure Team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. The STIG Automation GitHub Repository, enables customers to: Automate STIG implementation and baseline updates with Azure Image Builder visualize compliance with Azure Monitor Log Analytics and/or Microsoft Sentinel.

 

Available for use with Azure Commercial and Azure Government, the new STIG images now include both Windows and Linux.  You can read more about the solution here:  Quickly deploy DoD STIG-compliant images and visualize compliance using Azure.

 

 

 

Zero Trust Architecture

 

Zero Trust Architecture Overview

Today, many of our customers in regulated industries are adopting a Zero Trust architecture - moving to a security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they’re located.

 

Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” In a Zero Trust model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. This approach aids the process of achieving compliance for industries that use NIST-based controls including the DIB and government.

 

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy, across three primary principles: (1) verify explicitly, (2) enforce least privilege access, and (3) assume breach.

 

Azure’s DoD DevSecOps Enterprise Open-Source Solution

We have developed a GitHub Repo for an Azure DoD DevSecOps Enterprise Open-Source Solution enabling Infrastructure-as-Code for Azure subscriptions.  The solution for Zero Trust Architecture enables application developers and security administrators to more easily create hardened environments for their application workloads. Essentially, the solution will help you implement Zero Trust controls across six foundational elements: identities, devices, applications, data, infrastructure, and networks.

 

Using the Azure Security Center service, the solution sample will first configure your VNET to deny all network traffic by default, enabling you to extend it and/or set rules for selective traffic based on your business needs. In addition, the solution enforces and maintains Azure resource behaviors and configuration in compliance with specific NIST SP 800-53 security control requirements using Azure Policy.

 

The solution includes Azure Resource Manager templates to deploy and configure Azure resources such as Virtual Network, Network Security Groups, Azure Key Vault, Azure Monitor, Azure Security Center, and more. If you’re working with applications that need to comply with FedRAMP High or DoD Impact Level 4 requirements or just want to improve the security posture of your cloud deployment, the solution for Zero Trust is designed to help you get there faster.

 

The Zero Trust Architecture solution is currently in preview with limited support. To learn more and find instructions to deploy into Azure, see the GitHub repo. For more information, questions, and feedback, please contact us at ZTA feedback.

 

 

Azure Cloud Adoption Framework

 

Azure Landing Zone

Azure landing zones enable application migration, modernization, and innovation at enterprise-scale in Azure. The Microsoft Cloud Adoption Framework’s reference architecture and implementations, known as Enterprise-Scale Landing Zones, helps you deploy an Azure foundation that is scalable, operational, and extendable by design. Even when you have been deployed in Azure for a while and attained a level of maturity, the framework serves as a design to realign to Azure recommended practices and identify and address any technical debt accumulation.

Mapping CMMC Controls to Enterprise-Scale Policies

Enterprise-Scale deployment includes a set of policies to enforce guardrails using a policy-driven governance approach.  We have aligned these Enterprise-Scale policies to the CMMC Practices and CMMC ID#. This mapping provides guidance to assist you with implementing CMMC controls when deploying your Azure landing zone.

 

When used together, Azure Landing Zones is a great way to deploy a well-architected environment (with a lot of the design and planning work done for you) and then apply, report, and visualize your CMMC compliance.

 

For more information, please see George Wilburn’s blog https://aka.ms/alzmapcmmc

 

The Enterprise-Scale Landing zone mapping for CMMC is available in public preview.  You may download a copy at:

 

              https://aka.ms/cmmc/alzmap

 

Please share feedback at https://aka.ms/cmmc/alzmapfeedback.

 

 

 

Azure Mission Landing Zone

 

Mission Landing Zone

Mission Landing Zone is an Infrastructure-as-Code (IaC) template which IT oversight organizations can use to create a cloud management system to deploy Azure environments for their workloads and teams.

 

Mission Landing Zone addresses a narrowly scoped, specific need for a Secure Cloud Computing Architecture (SCCA) compliant hub and spoke infrastructure.

 

• Designed for US Government mission customers and the Defense Industrial Base
• Implements SCCA controls following Microsoft's SACA implementation guidance
• Deployable in Azure commercial, Azure Government, Azure Government Secret, and Azure Government Top Secret clouds
• A simple solution with low configuration and narrow scope
• Written as Bicep and Terraform templates

 

Mission Landing Zone is the right solution when:

 

• A simple, secure, and scalable hub and spoke infrastructure is needed.
• A central IT team is administering cloud resources on behalf of other teams and workloads.
• There is a need to implement SCCA.
• Hosting any workload requiring a secure environment, for example: data warehousing, AI/ML, and containerized applications.

 

Design goals include:

 

• A simple, minimal set of code that is easy to configure
• Good defaults that allow experimentation and testing in a single subscription
• Deployment via command line or with a user interface
• 100% Azure PaaS products

 

Our intent is to enable IT Admins to use this software to:

 

• Test and evaluate the landing zone using a single Azure subscription
• Develop a known good configuration that can be used for production with multiple Azure subscriptions
• Customize the deployment configuration to suit specific needs
• Deploy multiple customer workloads in production

 

You can access the GitHub repository for the Mission Landing Zone at https://github.com/azure/missionlz

 

 

 

Microsoft Cybersecurity Reference Architecture

 

Microsoft Cybersecurity Reference Architecture Overview

The Microsoft Cybersecurity Reference Architectures (MCRA) describe Microsoft’s cybersecurity capabilities. The diagrams describe how Microsoft security capabilities integrate with Microsoft platforms and 3rd party platforms like Microsoft 365, Microsoft Azure, 3rd party apps like ServiceNow and salesforce, and 3rd party platforms like Amazon Web Services (AWS) and Google Cloud Platform (GCP).

 

Download the file here

 

The reference architectures are primarily composed of detailed technical diagrams on Microsoft cybersecurity capabilities, zero trust user access, security operations, operational technology (OT), multi-cloud and cross-platform capabilities, attack chain coverage, azure native security controls, and security organizational functions.

 

 

The MCRA also includes an overview of Zero Trust and a Zero Trust rapid modernization plan (RaMP). Additionally, this includes other key information on security operations and key initiatives like protecting from human operated ransomware, securing privileged access, moving beyond VPN, and more.

 

 

Using the MCRA

We have seen these diagrams used for several purposes including:

 

• Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premise, mobile devices, multiple clouds, and IoT / Operational Technology.
• Comparison reference for security capabilities - Some organizations use this to compare Microsoft's recommendations with what they already own and have implemented. Many organizations find that they already own quite a bit of this technology already and weren't aware of it.
• Learn about Microsoft capabilities - We have also seen this used as a learning tool. Note that in presentation mode, each capability has a "ScreenTip" with a short description of each capability + a link to documentation to learn more.
• Learn about Microsoft's integration investments - The architecture helps architects and technical teams identify how to take advantage of integration points within Microsoft capabilities and with existing security capabilities.
• Learn about Cybersecurity - Some folks, particularly those new to cybersecurity, use this as a learning tool as they prepare for their first career or a career change.

 

For up-to-date information on MCRA, please see https://aka.ms/mcra

 

 

 

Microsoft Blog Posts on CMMC

• Public Sector Blogs for CMMC - Microsoft Tech Community
• Accelerating CMMC compliance for Microsoft cloud (in depth review)
• How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud |...

 

 

Scaffolding for Managed Service Providers

Behind the scenes, we are actively working with our partner community, and in particular the Managed Service Providers (MSP), to deliver scaffolding in the construction of CMMC offerings.  Microsoft CMMC Acceleration is comprised of many different components as described above, and several that are yet unannounced.  The intent is to provide building blocks, or what we call “scaffolding”, to our partners in support of their CMMC offers.  Our partners will be enabled in our partner marketplace with advance specializations for CMMC and their concentration on the Defense Industrial Base.  In alignment with our original CMMC Announcement, our MSP partners will implement reference architectures and compliance solutions for CMMC.

 

Microsoft Partners publish CMMC offerings in our marketplaces, to include Azure Marketplace (here and here), and AppSource (here and here).

 

 

Into the Future

Microsoft is actively engaged with customers, partners, the CMMC Accreditation Body, and multiple industry working groups to refine what resources we should develop and make available as part of Microsoft CMMC Acceleration.  We have many grand ideas, and welcome to feedback from the community at large.  Please fill out this short survey to join our CMMC feedback loop if you are interested in learning more about the resources.

 

 

Notices

Microsoft CMMC Acceleration provides customers and partners with resources to pursue CMMC compliance while leveraging Microsoft products and services— It does not address security practices occurring outside of Microsoft products and services.

 

Please further note that the CMMC compliance standard has yet to be implemented to assess the suitability of in-scope entities’ security practices and configurations. As a result, there may be additional nuance or complexity associated with CMMC compliance that will only materialize (if at all) through the practical application of the standard by the CMMC Accreditation Body (CMMC-AB). What’s more, as of the date this article was written, the CMMC-AB has not issued formal guidance for Cloud Service Providers. As a result, the information herein, including all Microsoft CMMC related offerings, are provisional and may be enhanced to align with future guidance from the DoD and CMMC-AB.

 

Microsoft does not guarantee nor imply any ultimate compliance outcome or determination based on one’s consumption of this article or the resources linked from it — all CMMC certification requirements and decisions are governed by the CMMC-AB, and Microsoft has no direct or indirect insight into or bearing over CMMC-AB compliance determinations. The associations between compliance domains, practices, and Microsoft CMMC Acceleration may change at any time.

 

Customers must individually determine the necessary steps required to ensure their organization fully satisfies each recommended CMMC compliance practice, in addition to or in place of what is described in resources. This responsibility spans all Microsoft (Azure, Microsoft 365, etc.) consumption decisions, including, among other things, which Microsoft offerings to procure, as well as all configuration decisions associated with such use and consumption.

 

 

For general comments on the CMMC Acceleration Program: Contact Us

 

 

Appendix

 

Please follow me here and on LinkedIn. Here are my additional blog articles:

 

 

Blog Title	Aka Link
New! Microsoft Collaboration Framework	https://aka.ms/ND-ISAC/CollabFramework
New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base	https://aka.ms/ND-ISAC/IdentityWP
History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government	https://aka.ms/USSovereignCloud
Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings	https://aka.ms/MSGovCompliance
The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In	https://aka.ms/AA6frar
Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants	https://aka.ms/AA6seih
Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants	https://aka.ms/AA6vf3n
Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring	https://aka.ms/AA6xn69
Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty	https://aka.ms/CUISovereignty
Microsoft expands qualification of contractors for government cloud offerings	https://aka.ms/GovCloudEligibility