Forum Discussion
chriskeeling (Brass Contributor)
Aug 25, 2020
CMMC Control Mapping
Hi! Is there a map for NIST 800-53 or 800-171 or any of the CMMC levels available that I can use to show which controls my Microsoft 365 G5 usage maps to for compliance auditing?
- TJBanasik (Microsoft)
chriskeeling We've published a CMMC with Microsoft Azure (10 Part Blog Series) which will be helpful for your CMMC control mapping requirements.
- Access Control Maturity
- Audit & Accountability Maturity
- Asset & Configuration Management Maturity
- Identification & Authentication Maturity
- Incident Response Maturity
- Maintenance & Media Protection Maturity
- Recovery & Risk Management Maturity
- Security Assessment & Situational Awareness Maturity
- System & Communications Protection Maturity
- System & Information Integrity Maturity
- chriskeeling (Brass Contributor)
TJBanasik Thanks! This is very useful and the mapping is straightforward. I particularly appreciate that you have included the steps for how to assign the policies and controls through Azure. Can I do them from within Microsoft 365 G5 or can I only do them by logging into our Azure portal to perform all of these tasks (as you describe on the blog)?
- TJBanasik (Microsoft)
This blog series was geared towards CMMC with Azure, so I'd recommend leveraging the Azure portal as a starting point.
- TJBanasik (Microsoft)
Here is a link for the CM blog in the series. https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10/ What do you have interest in seeing for CM blogs in the coming months?
- rybo3000 (Brass Contributor)
chriskeeling, to view your G5 licensing purely from a Microsoft perspective: I would track down a commercial tenant and access Compliance Manager. There you can find a comprehensive accounting of each FedRAMP Moderate control (which is really just 800-53 Mod) and suggested 'Customer Actions' that leverage specific Microsoft Cloud technologies. Some of them may not be available in GCC High right now; however, it's a starting point! From there, you're only one mapping away from 800-171 and CMMC (as found in the CMMC Appendices).
- chriskeeling (Brass Contributor)
rybo3000 Thanks! I'm new to this whole compliance thing. 🙂 I am in there now and we have a fresh install and I don't see any recommendations for Customer Actions. Are they the Improvement Actions on the MS 365 Security page?
- Dean_Gross (Silver Contributor)
A good place to start is the M365 Compliance Score at https://compliance.microsoft.com/compliancescore?viewid=overview, then click Improvement Actions and Assessment. To create an Assessment, you will need to go to the Compliance Manager site, which is currently separate; they may be combined in the future.
- dmcwee (Microsoft)
chriskeeling We are working on a/some CMMC mapping guide(s) to help customers understand how products and features meet the requirements, but it is not publicly available. However, because of the mapping of NIST to CMMC this guide would be a good starting point today to help.
https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-nist-csf?view=o365-worldwide
- chriskeeling (Brass Contributor)
dmcwee Thanks! When will those mapping guides be available and how will we get to them? Through the Compliance Manager or the MS Security Center?
- MichaelKing (Brass Contributor)
chriskeeling I'm a fan of the free spreadsheet/matrix that ComplianceForge put out to map CMMC controls: http://examples.complianceforge.com/cmmc/ComplianceForge%20-%20Cybersecurity%20Maturity%20Model%20Certification%20(CMMC)%20v1.02%20Requirements%20Matrix.xlsx
- chriskeeling (Brass Contributor)
MichaelKing Thanks! That's a fantastic spreadsheet for comparing the requirements of the different compliance models. However, it doesn't show how Microsoft 365 G5 provides services that map to any of the controls in a way that can easily be presented to an auditor or included in an internal document for tools compliance.