User Profile
rybo3000
Brass Contributor
Joined 7 years ago
Recent Discussions
Re: CMMC Control Mapping
TJBanasik, a big focus in the CM domain (at least for me) is demonstrating the logical access restrictions for changes made to the system. My concern is that CMMC assessors could struggle with a cloud-first architecture, and so extra diligence would be required to prove how changes to Azure resources or Microsoft 365 resources (by way of Azure AD) are restricted. I'm guessing that JIT/PIM/PAM, admin role assignments, and conditional access policies are key here, although I'm sure there are network-level restrictions and other tools I'm not thinking of.
13K Views, 1 like, 0 Comments

Re: Pre-Built Azure AD Groups based on the SPA Roadmap
dmcwee, both of those clarifications would be great. Many orgs are looking for suggestions on how to name their accounts, how to construct the security groups behind those accounts (dynamic vs. assigned, etc.), and a "starter set" of admin role assignments and permissions to layer over top of the recommendations in the Securing Privileged Access roadmap.
940 Views, 0 likes, 0 Comments

Re: CMMC Control Mapping
chriskeeling, to view your G5 licensing purely from a Microsoft perspective: I would track down a commercial tenant and access Compliance Manager. There you can find a comprehensive accounting of each FedRAMP Moderate control (which is really just 800-53 Mod) and suggested 'Customer Actions' that leverage specific Microsoft Cloud technologies. Some of them may not be available in GCC High right now; however, it's a starting point! From there, you're only one mapping away from 800-171 and CMMC (as found in the CMMC Appendices).
13K Views, 3 likes, 6 Comments

Re: Welcome to the Microsoft CMMC AMA!
Hi All! My name is Ryan Bonner. I focus on DFARS and CMMC topics for a number of NIST Manufacturing Extension Partnership programs throughout the Midwest, along with some DoD OEA grant-funded programs providing CMMC resources to small businesses. I currently volunteer on the CMMC AB Industry Standards Working Group.
1.7K Views, 3 likes, 0 Comments

Keeping Defender ATP in step with Windows versions
I'm noticing that Microsoft Defender ATP for US Government GCC High customers is supported up to Windows 10, version 1903. Since Feature Updates (Preview) is not yet available for government customers in Endpoint Manager/Intune: what is currently the best way to limit the max Windows version needed to be compatible with Defender ATP, using what we do have in Azure Gov/GCC High?
Solved. 1.7K Views, 0 likes, 4 Comments

Extending the Shared Responsibility Model into CMMC
A quick review of Compliance Manager (or the Office 365 MT FedRAMP system security plan) shows that Microsoft has documented the areas where customer orgs need to implement their own controls (policies, procedures, tenant configurations) in order to fully satisfy a FedRAMP control requirement. I know that CMMC is different. We aren't focusing on just the cloud system, but rather the entire organization, its people, information, technology and facilities. That distinction aside: how much do we think Microsoft's security capabilities can be "inherited" by subscriber organizations for use in a CMMC assessment? How much still needs to be documented, performed, and managed by the organization itself? More than FedRAMP? Less? 42?
652 Views, 5 likes, 0 Comments

Pre-Built Azure AD Groups based on the SPA Roadmap
Since new GCC High deployments begin with no production users or data: is there some way we could receive guidance from MSFT on a preferred Azure AD structure that maps to the https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access roadmap phases?
992 Views, 0 likes, 2 Comments