Meeting CMMC Compliance with Microsoft 365 Compliance Manager
With the new DFARS rules implementing CMMC going into effect on November 30th, it is time to take your security posture seriously, if you haven’t already. While CMMC will be rolled out gradually to the entire defense industrial base over the coming 5 years, in the interim contractors must submit current (less than 3 years old) assessments reflecting NIST 800-171 to the DOD’s Supplier Performance Risk System (SPRS) or risk being denied future contracts. The language also prohibits DOD contractors from awarding subcontracts to any organization that has not completed an assessment.
Thankfully, for those organizations seeking to meet CMMC compliance in Microsoft 365, much of the heavy lifting has been done for you already, and Microsoft provides some great tools to streamline the remaining actions.
There are three key ways that Microsoft helps meet CMMC Compliance in Microsoft 365.
- The Shared Responsibility Model
- Compliance Manager
- Sovereign Enclaves (Commercial, GCC, GCC High)
Shared Responsibility for CMMC
Shared responsibility is a term frequently used when discussing cloud compliance and security. In Microsoft 365, this is represented by customer improvement actions and Microsoft actions. Since Microsoft maintains the software and hardware of the environment, it completes many of the controls and certifications necessary to meet compliance requirements.
| CMMC Level | Customer Actions | Microsoft Actions | Total Actions | Practices |
|---|---|---|---|---|
| CMMC Level 1 | 89 | 108 | 197 | 17 |
| CMMC Level 2 | 263 | 403 | 666 | 72 |
| CMMC Level 3 | 308 | 473 | 781 | 130 |
| CMMC Level 4 | 319 | 524 | 843 | 156 |
| CMMC Level 5 | 322 | 537 | 859 | 171 |
In the chart above, you will notice that there are WAY more actions than CMMC practices. There are two reasons for this: many practices require multiple actions in order to be properly implemented, and some actions satisfy multiple practices.
A good example of this is CMMC practice AC.3.021, “Authorize remote execution of privileged commands and remote access to security-relevant information.” This single practice is summarized as “Authorize Remote Execution” and consists of 1 customer action and 2 Microsoft actions. To further separate actions from practices, this single control maps to four practices at CMMC Level 3.
The excellent thing about an action-based approach is that improvement actions can easily be ranked by risk, allowing admins to implement the most important actions first, regardless of the order of the CMMC compliance documentation.
How Compliance Manager Helps Reach CMMC Compliance in Microsoft 365
Compliance Manager provides an impressively deep toolkit for compliance managers, including eDiscovery, legal holds, sensitivity labelling, and a single-pane-of-glass view into compliance issues such as data leaks, improperly shared sensitive information, and insider risk management. The most compelling feature when trying to meet CMMC or NIST 800-171 is assessment templates.
Microsoft Compliance Manager assessment templates cover dozens of compliance frameworks, including HIPAA, PCI DSS, and, of particular interest to DIB contractors, NIST 800-171, DFARS, and CMMC Levels 1-5. While Compliance Manager is not yet available in GCC High, it is expected to arrive in the third quarter of 2020.
Without an Office 365 E5 license, Compliance Manager only includes the Microsoft Data Governance Baseline assessment. As of this writing, Office 365 E5 includes ALL premium assessment templates, but there is a warning that soon premium templates will have to be purchased separately. At that time E5 will only include GDPR, ISO 27001, NIST 800-53 and the Data Protection Baseline.
How to Use Assessment Templates to Meet CMMC Compliance in Microsoft 365
While going through every action needed to meet CMMC Compliance in Microsoft 365 is far too much to fit into a blog post, getting started by creating an assessment group, adding the correct templates, and then completing your first assessment will start you down the right path.
How to Access Compliance Manager for CMMC Compliance
- Go to Office.com as an Admin
- Click Admin
- Click Show All
- Click Compliance
- Click Compliance Manager
The first thing we will want to do is select our assessment template and add it to an assessment group. Assessment groups are important because they cross-reference all of the assessment templates in them. If an action meets the requirements of a NIST 800-171 control as well as a CMMC control, then you will only need to document it once, and the documentation will be shared between them.
When you create your first assessment and group, no matter what you choose to name them, you should include a date reference (month – year) in the title. This little detail will avoid needless confusion the next time you need to do an assessment.
When selecting which CMMC assessment to use, you only need to add the level you are looking to achieve, as it will have all of the controls of the lower levels (i.e., CMMC Level 3 includes the controls for Levels 1 and 2 as well). In the event that you need to meet a different level, you will simply come back and add that assessment to the assessment group, and all completed actions will be included as soon as you add it.
Likewise with NIST 800-171: if you need to complete the DOD’s SPRS assessment using NIST 800-171, you can add it to the assessment group and all cross-referenced controls will keep their documentation and status.
Creating a CMMC Assessment Group in Compliance Manager
- Click the Assessment Templates tab toward the top of the screen
- Select CMMC Level ___ (depending on your own requirement)
- Create Assessment
- Create Name (Add the Year and Month to avoid future confusion)
- Select Create New Group
- Create Name (Again, Add the date to avoid future confusion)
- Click Next
- Confirm information
- Click “Create Assessment”
Managing “Actions” to Meet CMMC Controls in Compliance Manager
As mentioned above, Microsoft breaks controls into specific actions needed to reach a compliant state. This simplifies the process, helps increase transparency, and provides the data needed to calculate your compliance score.
Anatomy of an Action
- Status – This is your overview of completion, assignments and date
- At a Glance – This section provides a list of what controls are met by this specific action. In this example, notice that CMMC Level 3 is listed four times. This is because completing this action is necessary to meet controls AC.1.002, AC.2.015, AC.3.021, and MA.2.113. As mentioned before, this is how documentation for each control is cross-referenced, making compliance easier. You’ll also notice this action concurrently meets 3 requirements from NIST 800-171.
- Implementation – This section contains Microsoft recommended actions to implement the control. Depending on the solutions involved, you will find instructions, links to relevant documentation, and usually links to the admin console where you will need to go to implement the control.
- Notes and Documentation – This is where your evidence and process notes live. Here you can upload documents, take notes about your implementation and test processes, and add documentation for any alternative implementations.
Steps to Completing a Compliance Action
You can approach this however you want, but having a solid workflow will help eliminate gaps and ensure that your documentation meets the requirements for a CMMC audit.
- Assigning the Action – It is useful to assign EVERY action, even at the lower levels, but remember that Level 3 REQUIRES naming a directly responsible individual. Should you start out at Level 1 and later need to move up to Level 3 or higher, assigning the action now will save extra work later. When you assign an action to an employee, they will receive an email notification of the assignment with a link to the Compliance Manager action.
- Implementation Status – Once you assign an action, you will want to set its implementation status to Planned.
- Implementation Date – The implementation date is the date that the action was implemented, NOT a due date (you cannot select a date in the future). If you do not expect to complete the action prior to an audit or assessment, you should put that information in the Implementation Notes.
- Test Status – Once the status is set to Implemented and the implementation date is entered, you will be able to set the test status. One thing to note is that if the test is being completed by someone other than the implementer, you will want to enter this information in the implementation and test notes.
- Test Date – This should reflect the date of the latest test done, regardless of the status. This way your reports will show WHEN the test occurred.
Notes and Documentation
- Manage Documents – This section allows you to attach files to the action. These can be any sort of file, including docs, PDFs, Visio diagrams, etc. You do not need to include files; however, for controls that require process documentation, this is a handy place to keep it. Note that these documents are canonical and cannot be edited from within Compliance Manager. If you need to edit documents, you will need to download them.
- Implementation Notes – This section can be used for any notes; however, there are a few things you should always include:
- Assignment Changes and Dates
- Steps taken towards implementation
- Links to process documentation
- Test Notes – This is where you should document your test plan, and the dates and reasons behind any failures.
- Additional Notes – This is the catch all for notes outside of the scope of implementation or testing. If you have a Microsoft Teams channel, this is a good place to link to any conversations about a specific action.
Automatic Testing of Compliance Actions
In some cases, Compliance Manager can detect the state of specific controls. In those cases the control is automatically tested every 24 hours. These actions can be identified by a test note reading “Implementation is automatically tested and verified every 24 hours.” These controls include things like MFA, TLS dependencies, and the use of non-privileged accounts.
Because Microsoft maintains the hardware and infrastructure in Microsoft 365, it bears much of the responsibility for maintaining compliance for its customers. In these cases Microsoft will document the actions it has taken to deploy and test its controls, and, where certification is necessary, will add links to audit results, supporting documentation and other artifacts needed for you to lean on its certifications to prove your own compliance.
Exports and Reports
Of course, none of this is any good if you can’t generate reports. There are two primary ways to pull information out of Compliance Manager: exports, which are executed at the group level, and reports, which are executed at the assessment level. Both are provided as Excel spreadsheets, though the group-level export is focused more on tracking the actions still needed, while the assessment-level report is focused more on providing documentation for an assessment or audit.
Sovereign Clouds for CMMC, ITAR, DFARS, FedRAMP and NIST 800-171 Compliance
When attempting to meet more stringent compliance requirements, such as managing CUI or meeting ITAR, NIST 800-171, DFARS 7012, or FedRAMP High, you will need additional security from your cloud solution provider. In these cases, Microsoft provides GCC High, a cloud environment specifically meant to meet the cloud compliance requirements of DOD contractors. At the time of this writing, Compliance Manager is not available in GCC High, though it is expected to arrive in the 4th quarter of 2020. Agile IT is one of only 9 Microsoft Partners capable of licensing and managing GCC High environments for DOD contractors and offers a comprehensive set of Cloud Compliance Services for DOD Contractors.
Agile IT has been performing cloud migrations for over 16 years, with over 2 million accounts migrated. In addition to being a four-time Microsoft Partner of the Year, we were also among the first partners working in Azure Government and remain one of the elite few Microsoft AOS-G partners. We offer a full range of cloud implementation, migration, security and compliance services. To find out how we can help you meet your organization’s compliance requirements, request a free consultation today.