Government AMA topics

That's a wrap: Microsoft CMMC AMA

Sarah_Gilbert — Tue, 25 Aug 2020 17:00:11 GMT

Thank you for joining us and voicing your questions and feedback during this fun and action-packed hour.

*Please note that you won't be able to ask new questions in this space until our next live event.

We will be disabling posting and further comments in this AMA space but encourage you to post any new questions or follow up in our Public Sector, Local/State Government Space.

We will put together a summary document of what was covered during and share it in this group as well as a follow up blog post. See you next time!

Azure Gov AIP Unified label client support for MacOS

BerlinerVice — Tue, 25 Aug 2020 16:46:00 GMT

Hello,

I'm currently setting up AIP for our tenant and it doesn't appear that the Unifield Labling client for MacOS is available. Does that mean Office Apps for Mac can't label their documents until this is available? Would they have to use the web versions?

Thanks,

Mike

Bitlocker Encryption Compliance

Anon414 — Tue, 25 Aug 2020 16:44:54 GMT

Could you detail the settings that are required for Bitlocker full-disk encryption to be compliant with CMMC (FIPS-validated encryption)? I've seen a "FIPS-mode" setting, but heard there was more than one step to being compliant.

What Operating Systems is this available on? Win7, Win10, Server 2008, Server 2012, Server 2016?

Thanks!

Securely Transferring Data from Company O365/M365 to Customers/Partners

MichaelKing — Tue, 25 Aug 2020 16:39:36 GMT

What options are available to securely transfer data/documents from company-managed Office 365 (commercial, GCC, or GCC High) environments and customer/partner ones? I realize the data could always stay in one environment to avoid this problem, but what Microsoft options exist to 'deliver' CUI to customers securely?

ITAR Compliance

Anon414 — Tue, 25 Aug 2020 16:38:56 GMT

If an organization is using ITAR data with Microsoft solutions, is GCC high required for the storage or processing of this data?

Protection of CUI in OneDrive

Anon414 — Tue, 25 Aug 2020 16:35:53 GMT

Is there a secure and compliant way to store and process data in OneDrive (FIPS validated cryptography, configuration settings, etc)? Does this require a GCC or GCC high license for this function?

Are there specific settings that are required?

Re: Welcome to the Microsoft CMMC AMA!

GOsorio — Tue, 25 Aug 2020 16:31:09 GMT

Sarah_Gilbert

Hi there, I was wondering if MS believes customers that require CMMC level 3 would be able to leverage M365 services such as EMS to become compliant or if moving to GCC high is a must?

Protection of CUI in SharePoint

Anon414 — Tue, 25 Aug 2020 16:33:51 GMT

CMMC - does it require MFA at network login?

bkaufman — Tue, 25 Aug 2020 16:31:06 GMT

"NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts" Some debate inside my company about whether MFA is required at network login vs MFA being required only when accessing CUI systems (not all systems on our network have CUI). So, can we place MFA at entry to CUI system and not MFA all employees at time of network login? And does CMMC require anything different that NIST 800-171 3.5.2?

What are the recommendation and procedures for flagging data as CUI and managing it?

Kalonji_ICS — Tue, 25 Aug 2020 16:25:19 GMT

In preparing for our CMMC Certification, as a company that is heavily uses SharePoint and Teams in the Office365 cloud environment -- what are the recommendations and procedures for flagging data as CUI and managing it?

Microsoft's Perspective on FCI

HaranStark — Tue, 25 Aug 2020 16:22:37 GMT

What is Microsoft's perspective on the definition of FCI that was used to assess controls implemented for Azure and O365 against CMMC practices that call out FCI?

Protection of CUI via email

Anon414 — Tue, 25 Aug 2020 16:22:24 GMT

Is there a secure and compliant way to transfer CUI using Outlook (SC.3.177 requires FIPS validated cryptography)? Does this require a GCC or GCC high license if you are only using this function?

MS 365 and CMMC Level 1

Demps1787 — Tue, 25 Aug 2020 16:21:39 GMT

CMMC Level 1 has 17 requirements. Does MS 365 address any of these requirements. NOT MS 365 + Azure but only MS 365. If so, please address each of the Level 1 requirements. If this is not the correct forum, please do a white paper.
Thank you.
Demps1787

CMMC secure score recommendations

bduszkie1980 — Tue, 25 Aug 2020 16:18:38 GMT

I know that Azure has secure score recommendations for other common compliance standards, ie HIPAA. Will Microsoft be creating ones that can apply for CMMC compliance?

Azure VM CMMC compliance

Brian Sondreal — Tue, 25 Aug 2020 16:17:11 GMT

How is Microsoft working to make Azure VMs CMMC compliant? What can we do to pass audits with these systems? My guess would be to start by reading the 10 blog series from TJ Banasik.

https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-access-control-1-of-10/

Azure lighthouse and CMMC Compliance

bduszkie1980 — Tue, 25 Aug 2020 16:14:42 GMT

I work for a consulting business which uses Azure Lighthouse to manage clients Azure instances. Can we keep managing GCC or GCC high tenants in lighthouse? How do we ensure compliance with CMMC if using azure Lighthouse ( issues surrounding data locations and movement)?

Office 365 GCC High and AU compliance

twernet — Tue, 25 Aug 2020 16:13:33 GMT

Do you have a direct mapping of how GCC High meets AU compliance? Most importantly from a logging prospective?

Roadmap for collaboration tools

allHawaii — Tue, 25 Aug 2020 16:13:43 GMT

Aloha Richard,
Is there a roadmap for collaboration tools Teams/Yammer above moderate assurance level 4 in FEDRamp?

When can we use Archive Tier for blob storage on GCC-High?

A9G-Data-Droid — Tue, 25 Aug 2020 16:12:59 GMT

We need a secure blob storage target for long term retention data. (7 year and 30 year)

I would only put this data in to our Azure tenant at the Archive tier but I'm told that it's not available for GCC-High yet.

CMMC compliance of existing contracts

MarkPelea — Tue, 25 Aug 2020 16:36:56 GMT

Hello All,

How do you address CMMC compliance for existing CUI-based contracts which are not based on CMMC (could be based on ITAR/NIST SP 800-171, for instance)? The contract terms were already agreed between federal and contractors, but are still under the current "self-attestation". Or must the current contracts and environments built around the CUI protection for those systems continue with their existing terms, and are not subject to CMMC? Would they just need to complete their contract life in their original compliance terms? Meaning, CMMC only applies to new contracts with the DoD.

Thanks,

Mark