How to Use the Microsoft Product Placemat for CMMC 2.0 Compliance
Learn how to use Microsoft’s product placemat to map tools like Entra ID, Defender, and Purview to CMMC 2.0 requirements and accelerate your compliance journey.

How to Use the Microsoft Product Placemat to Achieve CMMC 2.0 Compliance
Achieving compliance with CMMC 2.0 can be a complex and time-consuming process, yet it is a critical step for organizations within the Defense Industrial Base (DIB) to take if they want to maintain their defense contracts. The fact is that failing to achieve CMMC compliance could result in penalties and loss of contracts. Yet, if you operate in a Microsoft environment, you may find yourself wondering how Microsoft products like Azure and Microsoft 365 will fit into your compliance journey. The good news is that there are resources available to simplify the process of mapping Microsoft cloud services and products to CMMC 2.0, including the Microsoft Product Placemat for CMMC 2.0 (Preview).
The Microsoft Product Placemat for Cybersecurity Maturity Model Certification (CMMC) 2.0 (Preview) is an interactive view representing how Microsoft cloud products and services may satisfy requirements for CMMC practices. Presented as a periodic table of controls, the placemat lets you select either specific Microsoft products or CMMC controls and get a quick view of both the Microsoft and Customer actions needed to meet the control. The Microsoft Product Placemat for CMMC helps you understand how specific Microsoft offerings can contribute to CMMC compliance, and it can help you identify which Microsoft services and licenses you may need for each CMMC level. It can be particularly useful when paired with the Microsoft Technical Reference Guide for CMMC.
For organizations within the DIB who operate in a Microsoft cloud environment, the Microsoft Product Placemat can be an extremely valuable tool to help you achieve CMMC 2.0 compliance. Keep reading to learn more about this resource and how it can help you on your compliance journey.
Download The Microsoft CMMC 2.0 Product Placemat (Preview)
As you start your CMMC compliance journey, one of the first steps that you should take is to download the Microsoft CMMC 2.0 Product Placemat (Preview), which can be found here. When you go to this link, you will see a large blue button that says “download.” To the left of this button, there is a drop-down menu allowing you to set your preferred language for the guide. Choose your language, select download, and you should see a pop-up on your web browser that says, “Microsoft Product Placemat for CMMC-Preview Sept 2024.” Click on this, and it will open the guide in Microsoft Excel.
Using The Product Placemat
Once the Product Placemat opens in Excel, you will need to make a few adjustments before you can start using it effectively. This is because files downloaded from the internet automatically open in Protected View to protect your computer from viruses. However, since this file was downloaded directly from Microsoft’s website, this is not a concern, and you will need to exit Protected View to interact with the document properly. At the top of the Excel window, you should see a yellow banner that says, “PROTECTED VIEW.” On the right side of this banner, click the button that says “Enable Editing” to exit Protected View.
To take full advantage of the Product Placemat’s features, you also need to enable macros for this file. Fortunately, enabling macros is just as easy as exiting Protected View. When you clicked “Enable Editing,” you likely noticed that the Protected View banner was replaced with a new one that says, “SECURITY WARNING Macros have been disabled.” Click the button that says “Enable Content” to enable macros and access all the features offered by the placemat. The final step you will need to take before you can start using the Microsoft Product Placemat is to select your required CMMC level, as this will ensure that you’re shown relevant information about which Microsoft cloud services and licensing will help you achieve CMMC compliance.
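The steps above rest on the file having come directly from Microsoft’s website. As an added example (not part of the original article or of Microsoft’s instructions), this PowerShell function reads the download-origin record that Windows attaches to the file, so that premise can be checked before clicking “Enable Editing” and “Enable Content”; the allowed host suffix and the file name are assumptions.

```powershell
# Added example: read the Mark of the Web that Windows attaches to downloads.
# The allowed host suffix and the file name in the usage line are assumptions.
function Test-DownloadOrigin {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedHostSuffix = @('microsoft.com')   # assumption
    )

    # The origin record lives in the Zone.Identifier alternate data stream (NTFS only).
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # Parse "Key=Value" lines such as ZoneId=3, ReferrerUrl=..., HostUrl=...
    $fields = @{}
    foreach ($line in $motw) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }

    # Accept only an absolute https URL whose host is an allowed domain or a subdomain of one.
    $uri = $null
    $hostOk = $false
    if ([uri]::TryCreate([string]$fields['HostUrl'], [System.UriKind]::Absolute, [ref]$uri) -and
        $uri.Scheme -eq 'https') {
        foreach ($suffix in $AllowedHostSuffix) {
            if ($uri.Host -eq $suffix -or
                $uri.Host.EndsWith(".$suffix", [System.StringComparison]::OrdinalIgnoreCase)) {
                $hostOk = $true
            }
        }
    }

    [pscustomobject]@{
        Path          = $Path
        HasMotw       = ($null -ne $motw)
        ZoneId        = $fields['ZoneId']      # 3 = Internet zone
        HostUrl       = $fields['HostUrl']
        ReferrerUrl   = $fields['ReferrerUrl']
        OriginMatches = $hostOk
    }
}

# Hypothetical file name; use the name of the workbook you actually downloaded.
Test-DownloadOrigin -Path "$env:USERPROFILE\Downloads\placemat.xlsm"
```

OriginMatches is False when the recorded HostUrl is missing, is not https, or does not belong to an allowed domain; in any of those cases the file's source has not been confirmed.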
The Parts of The CMMC 2.0 Placemat
Of course, to get the most out of the CMMC 2.0 Placemat, you need to understand its key components and features. The CMMC Placemat is broken down into 7 functional areas, which include the following:
Service Pane
To the far left on the Excel file, the first thing you will see is the Service Pane, which lets you select Microsoft license suites, like Microsoft 365 E5, or individual Microsoft tools, such as Microsoft Defender for Identity. When you select these tools, you will see the colors of some controls change in the controls matrix, which indicates which controls that product impacts.
Controls Matrix
To the right of the Service Pane is the Microsoft Product Placemat for CMMC 2.0 (Preview) Controls Matrix. The controls matrix is one of the best simplified views of the CMMC controls we’ve encountered, and it is broken down into columns designating the 14 control families, including everything from Access Control (AC) to System and Information Integrity (SI). On top, you can choose between CMMC Levels 1, 2, and 3. However, it’s important to note that this release specifically aligns with CMMC 2.0 Levels 1 and 2. Future releases will expand to cover Level 3. Selecting your CMMC level is essential as it changes which controls are shown to ensure they apply to your compliance journey.
In each column are cells with individual control identifiers. These identifiers are color-coded to indicate the service mapping status of the control versus the services selected in the Service Pane. The color codes are as follows:
- Blue: Primary Service – The practice is completely met with selected services.
- Yellow: Secondary Service – The practice is partially met with selected services, but there are additional services needed to fully meet the control.
- Grey: Available Enablers – The control is not met by the currently selected services, but there are available services that can be enabled to meet the control requirements.
- White: No Available Enablers – There are no active enablers aligned with this control.
When you double-click a control, the placemat changes the view to show a brief description of the practice in the Practice Details section and recommended actions in the Implementation Guidance section. Additionally, any Microsoft solutions that contribute to the specific control are shown alongside the practice.
Service Mapping
Below the Controls Matrix is the Service Mapping pie chart, which gives you a quick visual of what percentage of controls are fully met, partially met, and not met by the selected services.
Responsibility Mapping
To the right is the Responsibility Mapping chart, which breaks down the shared responsibility model and how many controls are either fully Microsoft’s responsibility, shared, or fully the customer’s responsibility. Note that this is a static display.
Microsoft Inherited Service Mapping
The inherited service mapping section serves as a key that also gives you a granular account of the actual number of NIST SP 800-171 security controls enabled by the current selection of services.
CMMC Practice Details
The Practice Details section gives you a quick view of the NIST SP 800-171 control summary, as well as letting you know where the responsibility for the control lies against the service mapping.
Implementation Guidance
The Implementation Guidance section is perhaps the weakest part of the placemat, as it gives a VERY brief overview of best practices for meeting a specific control using Microsoft tools. But that is okay: the placemat is meant to be a visual guide to help you understand how various Microsoft services can help meet CMMC compliance requirements.
In addition to these primary components that make up the CMMC Placemat, there is also a tab at the bottom of this Excel file that says “Instructions.” Click over to this tab, and you will be provided with valuable information on how the CMMC Product Placemat works and how you can use it to help you choose the right Microsoft products and licenses to help you achieve compliance.
Need Help Achieving CMMC Compliance? Contact Agile IT Today!
Microsoft’s Product Placemat for CMMC 2.0 (Preview) is an extremely valuable tool that can help you understand how Microsoft’s services can help you achieve your required CMMC compliance level. Yet, even with the tool, the prospect of achieving and maintaining CMMC compliance can feel like a daunting task. Fortunately, you do not have to start your compliance journey alone. At Agile IT, we can help guide you through the compliance process with our AgileThrive CMMC Compliance Management service. Our experienced professionals can help provide you with the expert guidance you need to meet CMMC requirements with clarity and confidence. Feel free to contact us today to learn more about our services and the role an MSP can play in helping you achieve and maintain CMMC compliance.