Forum Discussion
CMMC Control Mapping
chriskeeling We've published a CMMC with Microsoft Azure (10 Part Blog Series) which will be helpful for your CMMC control mapping requirements.
- Access Control Maturity
- Audit & Accountability Maturity
- Asset & Configuration Management Maturity
- Identification & Authentication Maturity
- Incident Response Maturity
- Maintenance & Media Protection Maturity
- Recovery & Risk Management Maturity
- Security Assessment & Situational Awareness Maturity
- System & Communications Protection Maturity
- System & Information Integrity Maturity
- rybo3000 (Brass Contributor), Aug 25, 2020
Thanks, TJBanasik! Now that Azure Blueprints for 800-171 (which is kinda sorta CMMC) have been announced: do you think we'll see a blog post on Configuration Management in the coming months?
- TJBanasik (Microsoft), Aug 25, 2020
Here is a link for the CM blog in the series. https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10/ What do you have interest in seeing for CM blogs in the coming months?
- rybo3000 (Brass Contributor), Aug 25, 2020
TJBanasik A big focus in the CM domain (at least for me) is demonstrating the logical access restrictions for changes made to the system. My concern is that CMMC assessors could struggle with a cloud-first architecture, and so extra diligence would be required to prove how changes to Azure resources or Microsoft 365 resources (by way of Azure AD) are restricted. I'm guessing that JIT/PIM/PAM, admin role assignments, and conditional access policies are key here, although I'm sure there are network-level restrictions and other tools I'm not thinking of.
- chriskeeling (Brass Contributor), Aug 25, 2020
TJBanasik Thanks! This is very useful and the mapping is straightforward. I particularly appreciate that you have included the steps for how to assign the policies and controls through Azure. Can I do them from within Microsoft 365 G5 or can I only do them by logging into our Azure portal to perform all of these tasks (as you describe on the blog)?
- TJBanasik (Microsoft), Aug 25, 2020
This blog series was geared towards CMMC with Azure, so I'd recommend leveraging the Azure portal as a starting point.