Microsoft Federal Successfully Completes Voluntary CMMC Assessment
Published Mar 07 2023 06:00 AM

Microsoft is demonstrating its continued commitment to the U.S. Department of Defense (DoD) and the Defense Industrial Base (DIB) by announcing its successful completion of a DCMA (Defense Contract Management Agency) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) Joint Surveillance Voluntary Assessment Program (JSVAP). Microsoft operates its US Federal business out of the GCC-H and Azure Government cloud. We leverage the same security and monitoring suite available to all our customers in this environment. DIBCAC and Redspin, a Certified 3rd Party Assessment Organization (C3PAO), completed their assessments and awarded Microsoft a perfect 110-point score. This DIBCAC High certificate will be converted into a Cybersecurity Maturity Model Certification (CMMC) Level 2 accreditation as federal rulemaking allows.


"At Microsoft Federal, we are constantly striving to enhance and ensure our products meet the highest standards of quality and security,” said John Bergin, Director Fed Security at Microsoft Federal. “The JSVAP assessment is a crucial step in this journey as it allows us to evaluate and validate the effectiveness of our cybersecurity capabilities. We are proud to take the lead in being one of the first to undergo a JSVAP assessment to reinforce our commitment to operating under strong cybersecurity protocols and providing the best technology solutions to our customers." 


Microsoft Federal, like Microsoft customers, leverages the Microsoft Azure Government cloud to meet the applicable requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Building on the FedRAMP High implementations of Azure and Microsoft Office allowed our team to focus on implementation of specific data handling controls and inherit substantive portions of our artifacts from those pre-approved controls.


Azure Commercial and Azure Government cloud offerings have been validated by independent, third-party attestation and provide our DIB and defense contractor customers services designed to meet DFARS requirements as enumerated in the DFARS clauses of 252.204-7012 that apply to cloud service providers (CSPs). Defense contractors required to include the DFARS clause 252.204-7012 in contracts can have confidence that Microsoft is able to accept the flow-down terms applicable to CSPs for Azure Government Services covered by the US Federal Risk and Authorization Management Program (FedRAMP). This is significant as the DoD and its mission partners continue to expand adoption of commercial cloud computing in support of contracts for programs and mission systems.


We are exceptionally proud of the ongoing hard work and dedication the Microsoft Federal team brings to the table. The successful completion of this assessment validates our robust One Microsoft approach to support the US Government in meeting their data handling priorities.

Last update: Mar 07 2023 06:15 AM