Forum Discussion
chriskeeling
Aug 25, 2020
Brass Contributor
CMMC Control Mapping
Hi! Is there a map for NIST 800-53 or 800-171 or any of the CMMC levels available that I can use to show which controls my Microsoft 365 G5 usage maps to for compliance auditing?
rybo3000
Aug 25, 2020
Brass Contributor
Thanks, TJBanasik! Now that Azure Blueprints for 800-171 (which is kinda sorta CMMC) have been announced: do you think we'll see a blog post on Configuration Management in the coming months?
TJBanasik
Microsoft
Aug 25, 2020
Here is a link for the CM blog in the series. https://devblogs.microsoft.com/azuregov/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10/ What do you have interest in seeing for CM blogs in the coming months?
- rybo3000
Aug 25, 2020
Brass Contributor
TJBanasik a big focus in the CM domain (at least for me) is demonstrating the logical access restrictions for changes made to the system. My concern is that CMMC assessors could struggle with a cloud-first architecture, and so extra diligence would be required to prove how changes to Azure resources or Microsoft 365 resources (by way of Azure AD) are restricted. I'm guessing that JIT/PIM/PAM, admin role assignments, and conditional access policies are key here, although I'm sure there are network-level restrictions and other tools I'm not thinking of.