Microsoft Product Placemat for CMMC – October 2024 Update
Microsoft CMMC Acceleration
We are actively building acceleration by developing resources for both partners and Defense Industrial Base (DIB) companies to leverage in their Cybersecurity Maturity Model Certification (CMMC) journey. These tools cannot guarantee a positive CMMC adjudication, but they may assist Organizations Seeking Certification (OSC) by improving their CMMC posture going into a formal CMMC assessment in accordance with the DOD and Cyber Accreditation Body (Cyber-AB) standards.
For more information, please see Notices later in this article.
Here is a summary of the most recent resources to help get you started.
Home Page for CMMC
Want to start your CMMC compliance journey on the right foot? We have a home page for CMMC at https://aka.ms/cmmc. Found on the Microsoft Federal site, the home page includes an outline of resources available, including references to our Microsoft Cloud service offerings and an up-to-date list of blogs and documentation we release. Please bookmark the site and leverage it as your launching point in all things Microsoft and CMMC.
While you are there on the Microsoft Federal site, also browse around and check out our Federal Segment on Defense and the Solutions we have for DoD Zero Trust Strategy and the Cybersecurity Executive Order.
Microsoft Product Placemat for CMMC
Microsoft Product Placemat for CMMC is an interactive view representing how we believe Microsoft cloud products and services satisfy requirements for CMMC practices. The user interface resembles a periodic table of CMMC Practice Families. The default view illustrates the practices with Microsoft Coverage that are inherited from the underlying cloud platform. It also depicts practices for Shared Coverage where the underlying cloud platform contributes coverage for specific practices but requires additional customer configuration to satisfy requirements for full coverage. For each practice that aligns with Microsoft Coverage or Shared Coverage, verbal customer implementation guidance and practice implementation details are documented. This enables you to drill down into each practice and discover details on inheritance and prescriptive guidance for actions to be taken by the customer to try to meet practice requirements in the shared scope of responsibility for compliance with CMMC.
In addition to the default view, you may select and include products, features and suite SKUs to adjust how each cloud product is placed with CMMC. For example, you may select the Microsoft 365 E5 SKU or “Select All” for maximum coverage of CMMC. You may also use the blue-colored cell on the top left to select from a drop-down menu filtering the Placemat. You may choose between three options:
Level 1 – Foundational: This option will display the practices associated with CMMC Level 1.
Note: there are 17 practices in this release, but will be updated soon to reflect the Final Rule’s trim to 15 practices.
Level 2 – Advanced: This filter will display 110 practices associated with CMMC Level 2.
Note: aligns with the controls for NIST SP 800-171.
Level 3 – Expert: This filter displays the additional CMMC Level 3 practices that align with NIST SP 800-172.
The Microsoft Product Placemat for CMMC is currently in public preview. It has been updated to include support for CMMC Level 3 and usability improvements based on public preview feedback. In addition, the public preview release has been updated to include implementation guidance for every practice in alignment with the Technical Reference Guide.
Note: This release was issued prior to the final CMMC rule publication in this month (October 2024). We are diligently working on a refresh to refine for the final rule.
You may download a copy at:
https://aka.ms/cmmc/productplacemat
Please share feedback at https://aka.ms/cmmc/productplacematfeedback.
Microsoft Technical Reference Guide for CMMC
We are excited to update this significant artifact of CMMC Acceleration! The Microsoft Technical Reference Guide for CMMC includes implementation statements for an organization pursuing CMMC while leveraging relevant Microsoft services. This includes brief descriptions of relevant Microsoft cloud services and products, and links to further implementation documentation. The guide focuses on CMMC Level 2 (L2) and Level 3 (L3) for this release.
If you think of the Microsoft Product Placemat for CMMC as being a level 100 document, the guide is level 200 and more.
The guide is organized in sections for each of the domains of CMMC, beginning with Access Control:
AC.L1-3.1.1
Control Summary Information
NIST SP 800-53 Mapping: AC-2, AC-3, AC-17
Practice: Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
Assessment Objectives:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
Primary Services
Secondary Services
Microsoft Entra ID
Azure RBAC
Intune/Intune Suite
Microsoft Information Protection
Conditional Access
Customer Lockbox
Privileged Identity Management (PIM)
Microsoft 365 Web Apps
M365 Groups
Microsoft Entra ID Multi-Factor Authentication
You may notice the guide has the same outline of Primary and Secondary Services as identified in the Microsoft Product Placemat for CMMC. However, this document format lets us get into much more depth of the implementation statements as compared to the Placemat spreadsheet.
The Microsoft Technical Reference Guide for CMMC is currently in public preview.
Note: This release was issued prior to the final CMMC rule publication in this month (October 2024). We are diligently working on a refresh to refine for the final rule.
You may download a copy at:
https://aka.ms/cmmc/techrefguide
Please share feedback at https://aka.ms/cmmc/techrefguidefeedback.
Notices
Microsoft CMMC Acceleration provides customers and partners with resources to pursue CMMC compliance while leveraging Microsoft products and services— It does not address security practices occurring outside of Microsoft products and services.
Please further note that the CMMC compliance standard has yet to be officially rolled out. As a result, there may be additional nuance or complexity associated with CMMC compliance that will only materialize through the practical application of the standard by the DoD and Cyber-AB. As a result, the information herein, including all Microsoft CMMC related offerings, are provisional and may be enhanced to align with future guidance.
Microsoft does not guarantee nor imply any ultimate compliance outcome or determination based on one’s consumption of this article or the resources linked from it — all CMMC certification requirements and decisions are governed by the DoD and Cyber-AB, and Microsoft has no direct or indirect insight into or bearing over compliance determinations. The associations between compliance domains, practices, and Microsoft CMMC Acceleration may change at any time.
Customers must individually determine the necessary steps required to ensure their organization fully satisfies each recommended CMMC compliance practice, in addition to or in place of what is described in program resources. This responsibility spans all Microsoft (Azure, Microsoft 365, etc.) consumption decisions, including, among other things, which Microsoft offerings to procure, as well as all configuration decisions associated with such use and consumption.
Appendix
Please follow me here and on LinkedIn. Here are my additional blog articles:
Blog Title
Aka Link
Microsoft Collaboration Framework
https://aka.ms/ND-ISAC/CollabFramework
ND-ISAC MSCloud – Reference Identity Architectures for the US Defense Industrial Base
https://aka.ms/ND-ISAC/IdentityWP
Microsoft CMMC Acceleration Update
https://aka.ms/CMMC/Acceleration
History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government
https://aka.ms/USSovereignCloud
The Microsoft 365 Government (GCC High) Conundrum – DIB Data Enclave vs Going All In
Microsoft US Sovereign Cloud Myth Busters – A Global Address List (GAL) Can Span Multiple Tenants
Microsoft US Sovereign Cloud Myth Busters – A Single Domain Should Not Span Multiple Tenants
Microsoft US Sovereign Cloud Myth Busters – Active Directory Does Not Require Restructuring
Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty
Microsoft expands qualification of contractors for government cloud offerings
https://aka.ms/GovCloudEligibility
Microsoft Tech Community – Latest Blogs –Read More