Forum Discussion
chriskeeling
Aug 25, 2020 - Brass Contributor
CMMC Control Mapping
Hi! Is there a map for NIST 800-53 or 800-171 or any of the CMMC levels available that I can use to show which controls my Microsoft 365 G5 usage maps to for compliance auditing?
rybo3000
Aug 25, 2020 - Brass Contributor
chriskeeling To view your G5 licensing purely from a Microsoft perspective: I would track down a commercial tenant and access Compliance Manager. There you can find a comprehensive accounting of each FedRAMP Moderate control (which is really just 800-53 Moderate) and suggested 'Customer Actions' that leverage specific Microsoft Cloud technologies. Some of them may not be available in GCC High right now; however, it's a starting point! From there, you're only one mapping away from 800-171 and CMMC (as found in the CMMC Appendices).
chriskeeling
Aug 25, 2020 - Brass Contributor
rybo3000 Thanks! I'm new to this whole compliance thing. 🙂 I am in there now and we have a fresh install and I don't see any recommendations for Customer Actions. Are they the Improvement Actions on the MS 365 Security page?
- Dean_Gross
Aug 25, 2020 - Silver Contributor
A good place to start is the M365 Compliance Score at https://compliance.microsoft.com/compliancescore?viewid=overview, then click the Improvement Actions and Assessment. To create an Assessment, you will need to go to the Compliance Manager site, which is currently separate; they may be combined in the future.
- chriskeeling
Aug 25, 2020 - Brass Contributor
Dean_Gross Thanks! It says I have 12,093 Microsoft-managed points achieved out of a possible total of 16,101 points between Microsoft and our internal controls. How do I see which controls the Microsoft points are contributing to? I see the places to add Improvement Actions on our end, but no data about how 365 G5 is supporting the controls.
- Dean_Gross
Aug 25, 2020 - Silver Contributor
chriskeeling When you go onto the Assessment tab in Compliance Center or into Compliance Manager, it is broken out by each control and shows a column for MS and one for you. See https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-methodology?view=o365-worldwide for some background on the calculations.
- rybo3000
Aug 25, 2020 - Brass Contributor
chriskeeling I would make sure you're visiting this URL: https://servicetrust.microsoft.com/ComplianceManager/V3
This tool is separate from the Security Center/Secure Score tools.
- chriskeeling
Aug 25, 2020 - Brass Contributor
rybo3000 Thanks again! Wow, this looks very comprehensive. 🙂