
Public Sector Blog

Microsoft Product Placemat for CMMC - October 2024 Update

Richard Wakeman
Oct 24, 2024

Microsoft CMMC Acceleration

 

We are actively building acceleration by developing resources that both partners and Defense Industrial Base (DIB) companies can leverage in their Cybersecurity Maturity Model Certification (CMMC) journey. These tools cannot guarantee a positive CMMC adjudication, but they may assist Organizations Seeking Certification (OSC) by improving their CMMC posture going into a formal CMMC assessment conducted in accordance with DoD and Cyber Accreditation Body (Cyber-AB) standards.

 

For more information, please see Notices later in this article.

 

Here is a summary of the most recent resources to help get you started.

 

Home Page for CMMC

Want to start your CMMC compliance journey on the right foot?  We have a home page for CMMC at https://aka.ms/cmmc.  Found on the Microsoft Federal site, the home page includes an outline of resources available, including references to our Microsoft Cloud service offerings and an up-to-date list of blogs and documentation we release.  Please bookmark the site and leverage it as your launching point in all things Microsoft and CMMC.

 

While you are there on the Microsoft Federal site, also browse around and check out our Federal Segment on Defense and the Solutions we have for DoD Zero Trust Strategy and the Cybersecurity Executive Order.

 

 

Microsoft Product Placemat for CMMC

 

Microsoft Product Placemat for CMMC is an interactive view representing how we believe Microsoft cloud products and services satisfy the requirements of CMMC practices.  The user interface resembles a periodic table of CMMC practice families.  The default view illustrates the practices with Microsoft Coverage, meaning coverage inherited from the underlying cloud platform.  It also depicts practices with Shared Coverage, where the underlying cloud platform contributes coverage for a practice but additional customer configuration is required to fully satisfy the requirement.  For each practice with Microsoft Coverage or Shared Coverage, written customer implementation guidance and practice implementation details are documented.  This lets you drill down into each practice and discover the details of inheritance, along with prescriptive guidance on the actions the customer must take to meet the practice requirements within the shared scope of responsibility for CMMC compliance.

 

In addition to the default view, you may select and include products, features and suite SKUs to adjust the coverage shown for each CMMC practice.  For example, you may select the Microsoft 365 E5 SKU, or “Select All” for maximum coverage of CMMC.  You may also use the blue-colored cell at the top left to filter the Placemat from a drop-down menu.  You may choose between three options:

 

  1. Level 1 - Foundational: This option displays the practices associated with CMMC Level 1.
    Note: this release displays 17 practices; it will be updated soon to reflect the Final Rule’s reduction to 15 practices.
  2. Level 2 – Advanced: This filter displays the 110 practices associated with CMMC Level 2.
    Note: these align with the 110 security requirements of NIST SP 800-171 Rev. 2.
  3. Level 3 – Expert: This filter displays the additional CMMC Level 3 practices, which align with selected requirements from NIST SP 800-172.

 

 

The Microsoft Product Placemat for CMMC is currently in public preview.  It has been updated to include support for CMMC Level 3 and usability improvements based on public preview feedback.  In addition, the public preview release has been updated to include implementation guidance for every practice in alignment with the Technical Reference Guide.

 

Note: This release was issued before the final CMMC rule was published this month (October 2024).  We are diligently working on a refresh to align with the final rule.

 

You may download a copy at:

              https://aka.ms/cmmc/productplacemat

Please share feedback at https://aka.ms/cmmc/productplacematfeedback.

 

 

Microsoft Technical Reference Guide for CMMC

 

We are excited to update this significant artifact of CMMC Acceleration!  The Microsoft Technical Reference Guide for CMMC includes implementation statements for an organization pursuing CMMC while leveraging relevant Microsoft services. This includes brief descriptions of relevant Microsoft cloud services and products, and links to further implementation documentation. The guide focuses on CMMC Level 2 (L2) and Level 3 (L3) for this release.

 

If you think of the Microsoft Product Placemat for CMMC as being a level 100 document, the guide is level 200 and more.

The guide is organized in sections for each of the domains of CMMC, beginning with Access Control:

 

Access Control (AC)

AC.L1-3.1.1

Control Summary Information

NIST SP 800-53 Mapping: AC-2, AC-3, AC-17

Practice: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Assessment Objectives:

[a] authorized users are identified;

[b] processes acting on behalf of authorized users are identified;

[c] devices (and other systems) authorized to connect to the system are identified;

[d] system access is limited to authorized users;

[e] system access is limited to processes acting on behalf of authorized users; and

[f] system access is limited to authorized devices (including other systems).

Primary Services:

    Microsoft Entra ID
    Azure RBAC
    Intune/Intune Suite

Secondary Services:

    Microsoft Information Protection
    Conditional Access
    Customer Lockbox
    Privileged Identity Management (PIM)
    Microsoft 365 Web Apps
    M365 Groups
    Microsoft Entra ID Multi-Factor Authentication

 

You may notice the guide uses the same outline of Primary and Secondary Services as the Microsoft Product Placemat for CMMC.  However, the document format lets us go into much greater depth in the implementation statements than the Placemat spreadsheet allows.

 

The Microsoft Technical Reference Guide for CMMC is currently in public preview. 

 

Note: This release was issued before the final CMMC rule was published this month (October 2024).  We are diligently working on a refresh to align with the final rule.

 

You may download a copy at:

              https://aka.ms/cmmc/techrefguide

Please share feedback at https://aka.ms/cmmc/techrefguidefeedback.

 

 

Notices

 

Microsoft CMMC Acceleration provides customers and partners with resources to pursue CMMC compliance while leveraging Microsoft products and services; it does not address security practices occurring outside of Microsoft products and services.

Please further note that the CMMC compliance standard has yet to be officially rolled out. There may be additional nuance or complexity associated with CMMC compliance that will only materialize through the practical application of the standard by the DoD and Cyber-AB. As a result, the information herein, including all Microsoft CMMC related offerings, is provisional and may be enhanced to align with future guidance.

 

Microsoft does not guarantee nor imply any ultimate compliance outcome or determination based on one’s consumption of this article or the resources linked from it — all CMMC certification requirements and decisions are governed by the DoD and Cyber-AB, and Microsoft has no direct or indirect insight into or bearing over compliance determinations. The associations between compliance domains, practices, and Microsoft CMMC Acceleration may change at any time.

 

Customers must individually determine the necessary steps required to ensure their organization fully satisfies each recommended CMMC compliance practice, in addition to or in place of what is described in program resources. This responsibility spans all Microsoft (Azure, Microsoft 365, etc.) consumption decisions, including, among other things, which Microsoft offerings to procure, as well as all configuration decisions associated with such use and consumption.

 

 

Appendix

 

Please follow me here and on LinkedIn. Here are my additional blog articles:

 

 

Blog Title

Aka Link

Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

https://aka.ms/MSGovCompliance

Microsoft Collaboration Framework

https://aka.ms/ND-ISAC/CollabFramework 

ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base

https://aka.ms/ND-ISAC/IdentityWP 

Microsoft CMMC Acceleration Update

https://aka.ms/CMMC/Acceleration

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government

https://aka.ms/USSovereignCloud

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

https://aka.ms/AA6frar

Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants

https://aka.ms/AA6seih

Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants

https://aka.ms/AA6vf3n

Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring

https://aka.ms/AA6xn69

Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty

https://aka.ms/CUISovereignty

Microsoft expands qualification of contractors for government cloud offerings

https://aka.ms/GovCloudEligibility 

Microsoft Expands Support for the DIB – Announcing Support for DFARS in Azure Commercial

https://aka.ms/DFARsAzure

Microsoft Expands Support for the DIB – Announcing Support for DFARS in Microsoft 365 Government (GCC)

https://aka.ms/DFARsGCC

New!  Support for DFARS in Microsoft 365 Government (GCC High)

https://aka.ms/DFARsGCCH

New!  Support for FedRAMP in Microsoft 365 Government (GCC High)

https://aka.ms/FedRAMPGCCH

Microsoft Federal Successfully Completes Voluntary CMMC Assessment

https://aka.ms/JSVA

 

Updated Oct 24, 2024
Version 4.0