Microsoft Product Placemat for CMMC – October 2024 Update

by info.odysseyx@gmail.com, October 24, 2024

We are actively building out CMMC Acceleration by developing resources that both partners and Defense Industrial Base (DIB) companies can leverage on their Cybersecurity Maturity Model Certification (CMMC) journey. Although these tools cannot guarantee a positive CMMC determination, they can assist organizations seeking certification (OSCs) by improving their CMMC posture as they move toward formal CMMC assessments under the CMMC regulations and the standards of the Department of Defense (DoD) and the Cyber Accreditation Body (Cyber-AB). For more information, see the Announcement section later in this article.

Here's a summary of our latest resources to help you get started.

CMMC homepage

Want to get your CMMC compliance journey off to a good start? The CMMC homepage is https://aka.ms/cmmc. This home page on the Microsoft Federal site contains an overview of available resources, including references to Microsoft cloud services and products and an up-to-date list of the blogs and articles we release. Bookmark the site and use it as your starting point for all things Microsoft and CMMC. While you're on the Microsoft Federal site, explore the federal segments, such as Defense, and our solutions for the DoD Zero Trust Strategy and the Cybersecurity Executive Order.

Microsoft Product Placemat for CMMC

The Microsoft Product Placemat for CMMC is an interactive view of how we believe Microsoft cloud products and services meet the needs of CMMC practices. The user interface resembles a periodic table of the CMMC practice families. The default view shows the practices with Microsoft coverage, which are inherited from the underlying cloud platform.
We also cover practices with shared coverage, where the underlying cloud platform provides coverage for a specific practice but additional customer configuration is required to reach full coverage. Detailed customer implementation guidance and practice implementation details are documented for each practice eligible for Microsoft coverage or shared coverage. This lets you look at each practice in detail and find details about inheritance, along with guidance on the steps customers need to take to meet practice requirements within the scope of shared responsibility for CMMC compliance.

In addition to the default view, you can tailor how each cloud product applies to CMMC by selecting the product, feature, and suite SKUs to include. For example, for maximum CMMC coverage, you can select the Microsoft 365 E5 SKU or "Select All."

You can also use the blue cell in the top left to open a drop-down menu that filters the placemat. You can choose from three options:

Level 1 – Foundational: This option displays the practices related to CMMC Level 1. Note: There are 17 practices in this release, but they will be updated soon to reflect the 15 practices in the final rule.
Level 2 – Advanced: This filter displays the 110 practices related to CMMC Level 2. Note: These are consistent with the controls in NIST SP 800-171.
Level 3 – Expert: This filter displays the additional CMMC Level 3 practices, which align with NIST SP 800-172.

The Microsoft Product Placemat for CMMC is currently in public preview. It has been updated to include support for CMMC Level 3 and usability improvements based on public preview feedback. Additionally, the public preview release has been updated to include implementation instructions for all practices, aligned with the Technical Reference Guide.

Note: This release was issued prior to the final CMMC rule being published this month (October 2024). We are working hard on updates for the final rule.

You can download a copy here: https://aka.ms/cmmc/productplacemat

Please share your feedback:
https://aka.ms/cmmc/productplacematfeedback

Microsoft Technical Reference Guide for CMMC

We are excited to update an important artifact from CMMC Acceleration! The Microsoft Technical Reference Guide for CMMC contains implementation instructions for organizations pursuing CMMC while leveraging related Microsoft services. It includes brief descriptions of relevant Microsoft cloud services and products and links to additional implementation documentation. In this release, the guide focuses on CMMC Level 2 (L2) and Level 3 (L3). If you think of the Microsoft Product Placemat for CMMC as a level 100 document, the guide is level 200 and above.

The guide is organized into sections for each domain in CMMC, starting with Access Control:

Access Control (AC)
AC.L1-3.1.1
Control Summary Information
NIST SP 800-53 Mapping: AC-2, AC-3, AC-17
Practice: Restrict information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Assessment Objectives:
[a] Authorized users are identified.
[b] Processes acting on behalf of authorized users are identified.
[c] Devices (and other systems) authorized to connect to the system are identified.
[d] System access is restricted to authorized users.
[e] System access is limited to processes acting on behalf of authorized users.
[f] System access is restricted to authorized devices (including other systems).
Primary services and secondary services: Microsoft Entra ID; Azure RBAC; Intune/Intune Family; Microsoft Information Protection; Conditional Access; Customer Lockbox; Privileged Identity Management (PIM); Microsoft 365 web apps; M365 group; Microsoft Entra ID multi-factor authentication

You'll notice that the guide has the same primary and secondary service overviews as identified in the Microsoft Product Placemat for CMMC. However, the document format allows a much deeper implementation description than the placemat spreadsheet does.
The Microsoft Technical Reference Guide for CMMC is currently in public preview.

Note: This release was issued prior to the final CMMC rule being published this month (October 2024). We are working hard on updates for the final rule.

You can download a copy here: https://aka.ms/cmmc/techrefguide

Please share your feedback: https://aka.ms/cmmc/techrefguidefeedback

Announcement

Microsoft CMMC Acceleration provides customers and partners with resources to pursue CMMC compliance while leveraging Microsoft products and services. It does not cover security practices that occur outside of Microsoft products and services. CMMC compliance standards have not yet been officially released. As a result, there may be additional nuances or complexities associated with CMMC compliance that are only realized through actual application of the standards by DoD and Cyber-AB. The information here, including all Microsoft CMMC-related products, is therefore preliminary and may be enhanced to accommodate future guidance.

Microsoft does not guarantee or imply any final compliance outcome or decision based on the use of this document or the resources linked to it. All CMMC certification requirements and decisions are governed by DoD and Cyber-AB, and Microsoft has no direct or indirect insight into, involvement in, or influence over compliance decisions. The associations between compliance domains, practices, and Microsoft CMMC Acceleration may change at any time.

Customers must individually determine the steps necessary to ensure that their organization fully meets each recommended CMMC compliance practice, in addition to or in lieu of those outlined in the Program Resources. This responsibility applies, among other things, to all Microsoft (Azure, Microsoft 365, etc.) consumption decisions, including any products to be procured from Microsoft, as well as all configuration decisions related to their use and consumption.