chriskeeling (Brass Contributor), Aug 25, 2020

CMMC Control Mapping
Hi! Is there a map for NIST 800-53 or 800-171 or any of the CMMC levels available that I can use to show which controls my Microsoft 365 G5 usage maps to for compliance auditing?
TJBanasik (Microsoft), Aug 25, 2020

chriskeeling We've published a CMMC with Microsoft Azure (10 Part Blog Series) which will be helpful for your CMMC control mapping requirements.
- Access Control Maturity
- Audit & Accountability Maturity
- Asset & Configuration Management Maturity
- Identification & Authentication Maturity
- Incident Response Maturity
- Maintenance & Media Protection Maturity
- Recovery & Risk Management Maturity
- Security Assessment & Situational Awareness Maturity
- System & Communications Protection Maturity
- System & Information Integrity Maturity
rybo3000 (Brass Contributor), Aug 25, 2020
Thanks, TJBanasik! Now that Azure Blueprints for 800-171 (which is kinda sorta CMMC) have been announced: do you think we'll see a blog post on Configuration Management in the coming months?
TJBanasik (Microsoft), Aug 25, 2020

Here is a link for the CM blog in the series: https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10/ What do you have interest in seeing for CM blogs in the coming months?

rybo3000 (Brass Contributor), Aug 25, 2020

TJBanasik, a big focus in the CM domain (at least for me) is demonstrating the logical access restrictions for changes made to the system. My concern is that CMMC assessors could struggle with a cloud-first architecture, and so extra diligence would be required to prove how changes to Azure resources or Microsoft 365 resources (by way of Azure AD) are restricted. I'm guessing that JIT/PIM/PAM, admin role assignments, and conditional access policies are key here, although I'm sure there are network-level restrictions and other tools I'm not thinking of.
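The evidence rybo3000 describes (who holds admin roles, which of those are PIM-eligible rather than standing, and which Conditional Access policies gate those roles) can be exported from the tenant with the Microsoft Graph PowerShell SDK. The script below is an added example for this thread, not code from Microsoft or from either poster. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted the read-only scopes named in the Connect-MgGraph call; the output file names and the "tenant-wide" interpretation of a "/" directory scope are this example's own conventions.

```powershell
# Added example (not from the thread or from Microsoft): snapshot the controls that
# restrict who can change Azure AD / Microsoft 365 configuration, as assessor evidence.
# Assumptions: Microsoft.Graph SDK installed; account consents to the read-only scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Policy.Read.All","Directory.Read.All"

$evidenceDir = Join-Path $PWD ("cm-evidence-" + (Get-Date -Format "yyyyMMdd-HHmm"))
New-Item -ItemType Directory -Path $evidenceDir | Out-Null

# Role definitions keyed by id so assignments can be written with readable role names
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Resolve a principal id (user, group or service principal) to a display name
function Resolve-PrincipalName([string]$PrincipalId) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId -ErrorAction SilentlyContinue
    if ($null -eq $obj) { return "<unresolved $PrincipalId>" }
    return "$($obj.AdditionalProperties['displayName']) [$($obj.AdditionalProperties['@odata.type'])]"
}

# 1. Active role assignments: standing access plus currently activated PIM roles
$active = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    [pscustomobject]@{
        Role        = $roleNames[$_.RoleDefinitionId]
        Principal   = Resolve-PrincipalName $_.PrincipalId
        PrincipalId = $_.PrincipalId
        Scope       = $_.DirectoryScopeId   # "/" means the whole tenant (example convention)
    }
}
$active | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $evidenceDir "active-role-assignments.json")

# 2. PIM-eligible assignments: access that must be activated (JIT) before it can be used
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All | ForEach-Object {
    [pscustomobject]@{
        Role        = $roleNames[$_.RoleDefinitionId]
        Principal   = Resolve-PrincipalName $_.PrincipalId
        PrincipalId = $_.PrincipalId
        Scope       = $_.DirectoryScopeId
        ExpiresUtc  = $_.EndDateTime
    }
}
$eligible | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $evidenceDir "pim-eligible-assignments.json")

# 3. Conditional Access policies that explicitly target directory roles, with their grant controls
$caForAdmins = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.IncludeRoles.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Policy        = $_.DisplayName
            State         = $_.State                       # enabled / disabled / report-only
            TargetedRoles = @($_.Conditions.Users.IncludeRoles | ForEach-Object { $roleNames[$_] })
            GrantControls = @($_.GrantControls.BuiltInControls)   # e.g. "mfa", "compliantDevice"
        }
    }
$caForAdmins | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $evidenceDir "ca-policies-targeting-roles.json")

# Summary a reviewer can read at a glance: standing tenant-wide assignments per role,
# and whether any enabled CA policy scoped to roles requires MFA.
$standing = $active | Where-Object { $_.Scope -eq "/" } | Group-Object Role |
    Select-Object @{n='Role';e={$_.Name}}, @{n='StandingAssignments';e={$_.Count}}
$mfaGated = @($caForAdmins | Where-Object { $_.State -eq 'enabled' -and $_.GrantControls -contains 'mfa' }).Count -gt 0

$standing | Format-Table -AutoSize
"PIM-eligible assignments: $(@($eligible).Count)"
"Enabled CA policy requiring MFA for directory roles: $mfaGated"
"Evidence written to $evidenceDir"
```

Run it with an account that can consent to the three read-only scopes; the three JSON files plus the console summary are the artefacts to hand an assessor for the "restrict logical access to changes" discussion. Standing tenant-wide assignments that are not backed by a PIM-eligible entry, or an empty ca-policies-targeting-roles.json, are the two findings most worth explaining before the assessment.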