Meeting CMMC Compliance with Microsoft 365 Compliance Manager
With the new DFARS rules implementing CMMC going into effect, it is time to take your security posture seriously, if you haven’t already. While CMMC, a certification process developed to enhance the cybersecurity defenses of the Defense Industrial Base, will be rolled out gradually to the entire DIB over the coming 5 years, in the interim, contractors must submit current (less than 3 years old) assessments reflecting NIST 800-171 to the DOD’s Supplier Performance Risk System (SPRS) or risk being denied future contracts. This stipulation is an integral part of the initial steps outlined in the CMMC Level 2 Assessment Guide. The language also prohibits DOD contractors, pivotal in protecting Federal Contract Information (FCI), from awarding subcontracts to any organization that has not completed an assessment.
Thankfully, for organizations and defense contractors seeking to meet CMMC compliance in Microsoft 365, much of the heavy lifting has been done for you already, including the provision of a comprehensive CMMC compliance checklist. As CMMC evolves, including the transition to CMMC 2.0 controls, Microsoft provides some great tools to streamline the remaining actions.
There are three key ways that Microsoft helps meet CMMC Compliance in Microsoft 365.
- The Shared Responsibility Model
- Compliance Manager
- Sovereign Enclaves (Commercial, GCC, GCC High)
Shared Responsibility for CMMC
Shared responsibility is a term frequently used when discussing cloud compliance and security. In Microsoft 365, this is represented by customer improvement actions and Microsoft actions. Since Microsoft maintains the software and hardware of the environment, it completes many of the controls and certifications outlined in the extensive CMMC controls list necessary to meet compliance requirements.
| CMMC Level | Customer Actions | Microsoft Actions | Total Actions | Practices |
| --- | --- | --- | --- | --- |
| CMMC Level 1 | 89 | 108 | 197 | 17 |
| CMMC Level 2 | 263 | 403 | 666 | 72 |
| CMMC Level 3 | 308 | 473 | 781 | 130 |
| CMMC Level 4 | 319 | 524 | 843 | 156 |
| CMMC Level 5 | 322 | 537 | 859 | 171 |
In the chart above, you will notice that there are far more actions than CMMC practices, as detailed in the CMMC compliance checklist. There are two reasons for this: many practices require multiple actions in order to properly implement the practice, and some actions also satisfy multiple practices.
A good example of this is CMMC practice AC.3.021, “Authorize remote execution of privileged commands and remote access to security-relevant information.” This single practice, a fundamental aspect of access control, is summarized as “Authorize Remote Execution” and consists of 1 customer action and 2 Microsoft actions. Further separating actions from practices, this single action maps to four practices at CMMC Level 3.
The excellent thing about an action-based approach is that improvement actions can easily be ranked by risk, allowing admins to implement the most important actions first, without regard to the order of the CMMC compliance documentation. This aspect of the CMMC framework is especially critical when addressing advanced persistent threats, where the ability to prioritize and address vulnerabilities quickly can significantly impact an organization’s system security plan and posture.
How Compliance Manager Helps Reach CMMC Compliance in Microsoft 365
Compliance Manager, developed with insights from top CMMC providers, includes an impressively deep toolkit for compliance managers, including eDiscovery, legal holds, sensitivity labeling and a single pane of glass view into compliance issues such as data leaks, improperly shared sensitive information, and insider risk management. The compelling feature when trying to meet CMMC or NIST 800-171 is assessment templates.
Microsoft Compliance Manager Assessment Templates cover dozens of compliance frameworks including HIPAA, PCI DSS, and, of particular interest to DIB contractors, NIST 800-171, DFARS, and CMMC Levels 1-5, along with a comprehensive CMMC compliance checklist. Compliance Manager is available in GCC High.
Compliance Manager includes the Microsoft Data Protection Baseline assessment for all customers. Additionally, all customers can choose three premium regulation templates, such as GDPR, ISO 27001, and NIST 800-53, to use for free. Any additional premium templates beyond these three selections require separate purchase. Customers in GCC and GCC High also have access to CMMC levels 1 through 5.
How to Use Assessment Templates to Meet CMMC Compliance in Microsoft 365
While going through every action needed to meet CMMC Compliance in Microsoft 365 is far too much to fit into a blog, getting started by creating an Assessment Group, adding the correct templates in accordance with the CMMC assessment guide level 2, and then completing your first assessment will start you down the right path.
How to Access Compliance Manager for CMMC Compliance
- Access it here: Compliance Manager
The first thing we will want to do is select our assessment template and add it to an assessment group. Assessment groups are important because they cross reference all of the assessment templates in them. If an action meets the requirements of a NIST 800-171 control as well as a CMMC control, you will only need to document it once, and the documentation will be shared between both standards.
When you create your first assessment and group, no matter what you choose to name them, you should include a date reference (month – year) in the title. This little detail will avoid needless confusion the next time you need to do an assessment.
When selecting which CMMC Assessment to use, you only need to add the level you are looking to achieve, as it will have all of the controls of the lower levels (i.e., CMMC Level 3 includes the controls for Levels 1 and 2 as well). This simplifies the process of achieving CMMC compliance. In the event that you need to meet a different level, you will simply come back and add that assessment to the assessment group, and all completed actions will be included as soon as you add it.
Likewise with NIST 800-171. If you need to complete the DOD’s SPRS assessment using NIST 800-171, you can add this to the compliance group and all cross referenced controls will maintain their documentation and status.
Creating a CMMC Assessment Group in Compliance Manager
- Click the Assessment Templates tab towards the top of the screen
- Select CMMC Level ___ (Depending on your own requirement)
- Create Assessment
- Create Name (Add the Year and Month to avoid future confusion)
- Select Create New Group
- Create Name (Again, Add the date to avoid future confusion)
- Click Next
- Confirm information
- Click “Create Assessment”
Managing “Actions” to Meet CMMC Controls in Compliance Manager
As mentioned above, Microsoft breaks controls into specific actions needed to reach a compliant state. This approach to CMMC security program management not only simplifies the process, but also helps increase transparency, and provides the data needed to calculate your compliance score.
Anatomy of an Action
- Status – This is your overview of completion, assignments and date
- At a Glance – This section provides a list of what controls are met by this specific action. In this example, notice that CMMC Level 3 is listed four times. This is because completing this action is necessary to meet controls AC.1.002, AC.2.015, AC.3.021, and MA.2.113. As mentioned before, this is how documentation for each control is cross referenced, making compliance easier. You’ll also notice this action concurrently meets 3 requirements from NIST 800-171.
- Implementation – This section contains Microsoft’s recommended actions to implement the control. Depending on the solutions involved, you will find instructions, links to relevant documentation, and usually links to the admin console where you will need to go to implement the control.
- Notes and Documentation – This is where your evidence and process notes live. Here, you can upload documents, take notes about your implementation and test processes, and add documentation for any alternative implementations.
Steps to Completing a Compliance Action
You can approach this however you want, but having a solid workflow will help eliminate gaps, and assure that your documentation meets the requirements for a CMMC audit.
Edit Status
- Assigning the Action – It is useful to assign EVERY action even at the lower levels, but remember that Level 3 REQUIRES the naming of a directly responsible individual. Should you start out at level 1 and later need to improve to level 3 or higher, assigning the action will save extra work later. When you assign an action to an employee, they will receive an email notification of the assignment with a link to the compliance manager action.
- Implementation Status – Once you assign an action, you will want to set your implementation status as planned.
- Implementation Date – The implementation date is the date that the action was implemented, NOT a due date (You cannot select a date in the future). If you do not expect to complete the action prior to an audit or assessment, you should put that information in the Implementation notes.
- Test Status – Once the status is set as implemented and the implementation date is entered, you will be able to set the test status. One thing to note: if the test is being completed by someone other than the implementor, you will want to enter this info in the implementation and test notes.
- Test Date – This should reflect the date of the latest test done, regardless of the status. This way, your reports will show WHEN the test occurred.
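To make the cross-referencing described under assessment groups and the status workflow above concrete, here is an added, constructed model (not Microsoft code and not the Compliance Manager API): one action record is shared by every assessment in a group, a later-added template inherits completed actions, the implementation date may not be in the future, and test status is only available once the action is implemented. The action name and CMMC control IDs are those cited in this post; the NIST 800-171 requirement IDs are placeholders.

```python
from datetime import date

# Constructed mapping (added example, not Microsoft data). Control IDs for
# CMMC Level 3 are the ones the post cites; NIST 800-171 IDs are placeholders.
ACTION_CONTROLS = {
    "Authorize Remote Execution": {
        "CMMC Level 3": ["AC.1.002", "AC.2.015", "AC.3.021", "MA.2.113"],
        "NIST 800-171": ["NIST-REQ-1", "NIST-REQ-2", "NIST-REQ-3"],  # placeholders
    },
}


class AssessmentGroup:
    """Each action is tracked once; every assessment in the group reads the same record."""

    def __init__(self):
        self.assessments = set()
        self.actions = {}  # action name -> {"implementation", "impl_date", "test"}

    def add_assessment(self, name):
        # Adding a template later inherits the status of already-completed actions.
        self.assessments.add(name)

    def set_implementation(self, action, status, impl_date, today=None):
        """Dates are ISO strings (YYYY-MM-DD); 'today' is injectable for testing."""
        done = date.fromisoformat(impl_date)
        now = date.fromisoformat(today) if today else date.today()
        # The implementation date records when the work was done, never a future due date.
        if done > now:
            raise ValueError("implementation date cannot be in the future")
        self.actions[action] = {"implementation": status, "impl_date": done, "test": None}

    def set_test(self, action, test_status):
        record = self.actions.get(action)
        # Test status is only available once the action is implemented and dated.
        if record is None or record["implementation"] != "implemented":
            raise ValueError("test status requires an implemented, dated action")
        record["test"] = test_status

    def controls_met(self, assessment):
        """Controls of one assessment satisfied by actions that passed testing."""
        if assessment not in self.assessments:
            return []
        met = []
        for action, record in self.actions.items():
            if record["test"] == "passed":
                met.extend(ACTION_CONTROLS.get(action, {}).get(assessment, []))
        return sorted(met)
```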
Notes and Documentation
- Manage Documents – This section allows you to attach files to the action. These can be any sort of file, including docs, PDFs, Visio Diagrams, etc. You do not need to include files, however for some controls that require process documentation, this is a handy place to keep them. Note that these documents are canonical, and cannot be edited from within Compliance Manager. If you need to edit documents, you will need to download them.
- Implementation Notes – This section can be used for any notes, however, there are a few things to include.
  - Assignment Changes and Dates
  - Steps taken towards implementation
  - Workarounds
  - Links to process documentation
- Test Notes – This is where you should document your test plan, and the dates and reasons behind any failures.
- Additional Notes – This is the catch-all for notes outside of the scope of implementation or testing. If you have a Microsoft Teams channel, this is a good place to link to any conversations about a specific action.
Automatic Testing of Compliance Actions
In some cases, Compliance Manager can detect the state of specific controls. In those cases the control will be automatically tested every 24 hours. These actions can be identified by a test note reading “Implementation is automatically tested and verified every 24 hours.” These controls include things like MFA, TLS dependencies, and use of non-privileged accounts.
Microsoft Actions
Because Microsoft maintains the hardware and infrastructure in Microsoft 365, they bear much of the responsibility of maintaining compliance for their customers. In these cases, Microsoft will document the actions they have taken to deploy and test their controls, and in the event that certification is necessary, will add links to audit results, supporting documentation and other artifacts needed for you to lean on their certifications to prove your own compliance.
Exports and Reports
Of course, none of this is any good if you can’t generate reports. There are two primary ways to pull information out of Compliance Manager: exports, which are executed on the group level, and reports, which are executed on the assessment level. Both are provided as Excel spreadsheets, though the group level export is focused more on tracking actions needed, while the assessment level report is focused more on providing documentation towards an assessment or audit.
Sovereign Clouds for CMMC, ITAR, DFARS, FedRAMP and NIST 800-171 Compliance
When attempting to meet more stringent compliance requirements such as managing CUI, or meeting ITAR, NIST 800-171, DFARS 7012, or FedRAMP High, you will need additional security from your Microsoft licensing provider. In these cases, Microsoft provides GCC High, a cloud environment specifically meant to meet the cloud compliance requirements of DOD contractors. This solution is designed with the intricacies of FedRAMP vs. CMMC in mind, offering additional security features necessary for contractors who must comply with both sets of standards. Compliance Manager is now available in GCC High. Agile IT was one of the original seven Microsoft Partners authorized to license and manage GCC High and offers a comprehensive set of Cloud Compliance Services for DOD Contractors.
Need Help?
Agile IT has been performing cloud migrations for over 16 years, with over 2 million accounts migrated. In addition to being a four-time Microsoft Partner of the Year, we were also among the first partners working in Azure Government and remain one of the elite few Microsoft AOS-G partners. If you need an expert CMMC compliance consultant, we offer a full range of cloud implementation, migration, security and compliance services. To find out how we can help you meet your organization’s compliance requirements, request a free consultation today.