In this series, we will be covering the tools and functionality available to align Microsoft Services to meet CMMC requirements. Having a comprehensive understanding of Microsoft 365 and Azure is difficult enough, but layering compliance requirements on top of them can be overwhelming. To alleviate this, Microsoft has produced a great set of tools and documentation to help guide organizations through implementing CMMC in their environments.
By far the best 30,000-foot view of CMMC is the Microsoft Product Placemat for CMMC. Presented as a periodic table of controls, the placemat lets you select either specific Microsoft products or CMMC controls and get a quick view of both the Microsoft and the customer actions taken to meet the control.
Downloading the Microsoft CMMC Product Placemat
The Microsoft CMMC Product placemat can be downloaded at: https://www.microsoft.com/en-us/download/details.aspx?id=102536
Note that the page is a bit confusing, as it is part of Microsoft’s Download Center and will have a rather large ad at the top of the page. You are looking for the red download button in the middle of the page.
Using the Microsoft CMMC Product Placemat
Enabling Macros in Microsoft Excel
The CMMC placemat requires the use of Macros in Microsoft Excel, and due to obvious security concerns, they are blocked by default. In order to enable Excel macros for just one file, you will want to:
- Go to the folder where you have downloaded the file
- Right click on the file and select properties
- Click the unblock box in the security section
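The same single-file unblock can be done from PowerShell after first checking where the file came from. This is an added example, not part of the original article or Microsoft's documentation; the `-Path` value you supply and the expected `microsoft.com` source domain are assumptions.

```powershell
param(
    # Full path to the downloaded placemat workbook (supplied by you).
    [Parameter(Mandatory)]
    [string]$Path,
    # Assumption: a legitimate copy was downloaded from a microsoft.com host.
    [string]$ExpectedDomain = 'microsoft.com'
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# The "blocked" flag is the Zone.Identifier alternate data stream (NTFS only).
$motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $motw) {
    Write-Output "No Zone.Identifier stream on $($file.Name); nothing to unblock."
    return
}

# Parse the key=value lines of the stream (ZoneId, ReferrerUrl, HostUrl).
$zone = @{}
foreach ($line in $motw) {
    if ($line -match '^(\w+)=(.*)$') { $zone[$Matches[1]] = $Matches[2] }
}

# Record what is about to be trusted.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
Write-Output "File:    $($file.FullName)"
Write-Output "SHA256:  $hash"
Write-Output "ZoneId:  $($zone['ZoneId'])  (3 = Internet)"
Write-Output "HostUrl: $($zone['HostUrl'])"

# Leave the file blocked when the recorded source is missing or unexpected.
[uri]$source = $null
$sourceHost = $null
if ([uri]::TryCreate($zone['HostUrl'], 'Absolute', [ref]$source)) { $sourceHost = $source.Host }
$trusted = $sourceHost -and
    ($sourceHost -eq $ExpectedDomain -or $sourceHost.EndsWith(".$ExpectedDomain"))
if (-not $trusted) {
    Write-Warning "Download source '$sourceHost' is not under $ExpectedDomain; leaving the file blocked."
    return
}

# Same effect as ticking Unblock in Properties: removes the stream from this one file only.
Unblock-File -LiteralPath $file.FullName
Write-Output "Unblocked $($file.Name)."
```

Some browsers do not record `HostUrl`; in that case the script leaves the file blocked and the decision stays a manual one.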
The Parts of the CMMC Placemat
The CMMC Placemat is broken into 7 functional areas:
The service pane lets you select Microsoft license suites, like Microsoft 365 E5, or individual Microsoft tools, such as Microsoft Defender for Identity. When you select these tools, you will see the colors of some controls change in the controls matrix to indicate which controls that product impacts.
The controls matrix is one of the best simplified views of the CMMC controls we’ve encountered. It is broken down into columns for the 14 control domains, from Access Control (AC) to System and Information Integrity (SI). On top, you can choose between CMMC Levels 1, 2, and 3. Note that Level 3 is not implemented yet as the community awaits final decisions from the DoD CIO around CMMC Level 3.
In each column are individual cells with the individual control identifiers. These identifiers are color coded to indicate the service mapping status of the control versus the services selected in the service pane. The color codes are as follows:
- Blue: Primary Service - The practice is completely met with selected services.
- Yellow: Secondary Service - The practice is partially met with selected services, but there are additional services needed to fully meet the control.
- Grey: Available Enablers - The control is not met by the currently selected services, but there are available services that can enable the control.
- White: No Available Enablers - There are no active enablers available for this control. This is currently limited to background checks on employees, as all other controls have at least a secondary enabler.
By double-clicking on a control, the placemat will change the view to show you the brief description of the practice in the Practice Details section, and show recommended actions in the implementation guidance section. Additionally, any Microsoft solutions will change colors to indicate if they contribute to the specific control.
The Service Mapping pie chart gives you a quick visual of what percentage of controls are fully met, partially met, and not met with the selected services.
The Responsibility mapping chart breaks down the shared responsibility model, and how many controls are either fully Microsoft’s responsibility, shared, or fully the customer’s responsibility. Note that it is a static display.
Microsoft Inherited Service Mapping
The inherited service mapping section serves as a key, as well as giving you a granular account of the actual numbers of controls enabled by the current selection of services.
CMMC Practice Details
The Practice Details section gives you a quick view of the NIST 800-171 control summary, as well as letting you know where the responsibility for the control lies against the service mapping.
The implementation guidance section is perhaps the weakest part of the placemat, as it gives a VERY brief overview of best practices for meeting a specific control using Microsoft tools. But that is okay; the placemat is meant to be a visual guide to help understand how various Microsoft services can help meet CMMC compliance requirements. In part two of this guide, we’ll be breaking apart Microsoft’s Technical Reference Guide for CMMC, a 279-page document that approaches each control with service mappings, overviews of suggested actions, and links to full documentation and other implementation tools.
Are You On-Track for CMMC?
Agile IT was one of the first Microsoft Partners to begin working with the defense industrial base on NIST 800-171 and CMMC compliance in GCC, GCC High, and Azure Government after DFAR 7012. Our implementation services include workshops and documentation to truly accelerate your CMMC journey. To find out how we can help, request more information below.