Meeting CMMC Level 3 on Azure

Adam

Disclaimer: The CMMC Level 3 policy initiative and blueprint provides customers with a resource to support CMMC initiatives in Azure, however compliant in Azure Policy refers only to the policy definitions themselves. In addition, the compliance standard includes controls that are not addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. Microsoft does not guarantee nor imply compliance with the regulatory framework, as all accreditation requirements and decisions are governed by the CMMC Accreditation Body. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. 

The Azure team just released a new CMMC Level 3 initiative for Azure Policy and a corresponding blueprint sample. These preview releases are available in Azure and Azure Government. In this blog post we break down the releases and how customers can use these tools to accelerate CMMC compliance in Azure.

Why CMMC Level 3? 

Cybersecurity Maturity Model Certification (CMMC) is a new standard introduced by the US Department of Defense (DoD), which is intended to measure and certify Defense Industrial Base (DIB) contractors’ ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 regulations.

The previous iteration of the DFARS mandate specified contractors adhere to NIST SP 800-171 which consists of 110 controls derived from the NIST SP 800-53 framework. CMMC Level 3 includes all 110 controls from NIST SP 800-171, plus an additional 20 controls which are primarily focused on centralized security operations and modern cyber incident response. Additionally, each CMMC level must be certified through an audit conducted by a certified third-party assessor organization (C3PAO), as opposed to NIST SP 800-171 which only required self-attestation. While CMMC levels 4 and 5 expand further into cyber practices, federal contracts requiring those levels are not expected to roll out for some time. Thus, the CMMC Level 3 framework provides an ideal starting point for organizations that wish to continue working with the DoD, in addition to improving their overall security posture.

Regulatory compliance in Azure 

Achieving regulatory compliance extends beyond deploying a specific tool and building a compliant environment in AzureMany of the controls within a framework extend to corporate-wide policies and processes, as well as to partner organizations and suppliers. This makes implementing regulatory initiatives a lengthy and complex process. However, Microsoft has built the broadest set of compliance offerings in the industry, with tools and services designed to help organizations significantly reduce complexity and accelerate implementation.  

While this post will focus on a specific subset of Azure compliance offerings, it’s important to reiterate that a comprehensive approach will be required for most organizations to achieve full compliance with CMMC, or any other regulatory framework.  

Azure Policy 

Azure Policy helps customers enforce organizational standards and compliance across their Azure subscriptions and resources. In the Azure portal, Azure Policy provides a snapshot of overall resource compliance against assigned policiesdetailed resource-level assessment resultsand the ability to remediate non-compliant resources at scale. 

Image CMMC 1

Azure Policy overview page

Within the scope of an assignment, Azure Policy evaluates resources by comparing resource properties to JSON formatted compliance conditions and rules known as policy definitions. Customers may choose to assign built-in definitions or create their own. Multiple definitions can be grouped together to form an initiative. Initiatives help customers manage policy at scale and can be used to facilitate a specific purpose or goal such as regulatory compliance. Azure provides built-in initiatives specific to regulatory compliance, and our latest release in this category is the CMMC Level 3 initiative.

CMMC Level 3 policy initiative 

Customers can deploy the CMMC Level 3 initiative using the Azure or Azure Government portal: 

  1. Browse to Policy, then Definitions 
  2. Definition type: Initiative 
  3. Type: Built-in 
  4. Category: Regulatory Compliance 
  5. Select the [Preview]: CMMC Level 3 initiative then select an appropriate scope, and scope and click assign. 

Image CMMC 2

Azure Policy initiative deployment

The initiative preview release includes 150+ policy definitions that address several controls in the CMMC Level 3 framework. There often is not a one-to-one or complete match between a control and one or more policy definitions. There are cases where a control may have multiple policy definitions associated with it, and there are cases where a policy definition may apply to multiple controls. The compliance dashboard in Azure Policy allows customers to sort and filter by each of these categories and view individual controls, policies, and resource compliance/non-compliance to gather additional information as needed.

Image CMMC 3
Azure Policy compliance dashboard

While working toward compliance, it’s important for customers to maintain awareness of controls that may not be addressed directly by the initiative. From the Azure Policy compliance dashboard (pictured above), customers can sort using the Total policies column in the Controls tab to determine which controls have no policy definitions associated with them. While we expect future releases to expand the number of addressable controls, many controls within regulatory frameworks require non-Azure implementations such as written policies and procedures, management of personnel, or intangibles that do not have a technical implementation. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.

Here‘s how to use the CMMC L3 initiative to assess compliance: 

Image CMMC 4

Azure Policy Control Overview

Image CMMC 5

The above image shows details for one of the CMMC controlsThe overview shows: 

  1. Control ID  
  2. Control Title  
  3. Description 
  4. Customer Actions 
  5. Additional Content 

The Policies tab shows all the policy definitions associated with this specific control. In this instance the Control specifies to “control and monitor user-installed software.” To meet this requirement, three policy definitions are used to assess the control: 

  1. Adaptive application control is the primary mechanism in Azure to manage software installed on the guest OS. A policy is included to audit that this feature is enabled. 
  2. An additional policy is included to ensure that the allow list within the application control policy is configured. 
  3. Because adaptive application control is a feature of Security Center with Azure Defender enabled, a policy definition is included to ensure that the correct Security Center mode is enabled. 
  4. Windows guest configuration policy definition is also included to ensure non-privileged users cannot elevate permissions and install unauthorized software. 

The resource compliance tab shows which resources are being audited by the policy assignment as well as their current compliance state 

As you can see, Azure Policy provides an intuitive workflow for customers to implement and continuously monitor CMMC compliance in Azure using the CMMC L3 initiative 

Azure Blueprints 

Azure Blueprints enable cloud architects and central information technology groups to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. This makes it possible for development teams to rapidly build and stand-up new environments in accordance with organizational compliance. Blueprints orchestrate the deployment of various artifacts including policy assignments, role assignments, and Azure Resource Manager templates resource groups. Several built-in blueprint samples are available in the Azure portal, and the CMMC Level 3 blueprint is our latest preview release.  

CMMC Level 3 blueprint 

Customers can find the CMMC Level 3 blueprint sample in the Azure portal by browsing to Blueprints then Blueprint definitions and clicking Create blueprint 

Image CMMC 6

Azure Blueprint sample deployment

The CMMC Level 3 blueprint sample currently contains a single artifact, which is a policy assignment that deploys the CMMC policy initiative, described above. This approach allows customization of the blueprint representative to the environment and specific needs of each customer. For example, when deploying the blueprint, customers can click Add artifact to include one or more Azure resource manager templates to include during the blueprint deployment 

Image CMMC 7

Azure Blueprint add artifact

This release will be followed by an additional CMMC Level 3 blueprint that will include resource manager templates to scaffold a CMMC reference architecture. This will include automated implementation and configuration of services such as Security Center, Sentinel, Log Analytics, and Azure Active Directory Premium features to address specific controls that are audited by the policy initiative, and we are targeting an early summer preview release for this update. 

Azure Security Center regulatory compliance dashboard 

Azure Security Center (ASC) is a cloud security posture management (CSPM) and cloud workload protection (CWP) platform that provides customers with centralized views of Azure resources and security controls.  The platform includes several advanced protection features in addition to offering recommendations to mitigate risks.   

One of these features can be found under the regulatory compliance section, where customers can gain insight into their compliance posture for a set of supported standards and regulations based on continuous assessments of their Azure environment.  In fact, these dashboards are derivatives of the underlying policy initiative, and will be automatically added when the initiative is assigned to a subscription that is monitored by Security Center. 

The CMMC Level 3 regulatory compliance dashboard consolidates all the controls within the framework into a drop-down view which is organized by family > maturity level > and control. When a control is expanded, the associated policies are displayed as customer responsibilities, along with resource compliance status.  Customers can click on a recommendation to see additional information, remediate via quick fix (limited to specific recommendations), trigger a logic app, or create an exemption. 

*Certain controls will be greyed out, as these represent controls that are not currently addressable by Azure policy. 

Image CMMC 8

CMMC Level 3 regulatory compliance dashboard

Azure Sentinel Cybersecurity Maturity Model Certification (CMMC) Workbook

The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Azure cloud including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices. The workbook features 250+ control cards aligned to the 17 CMMC control families across all 5 maturity levels with selectable GUI buttons for navigation.

Image sentinel wb

Deploying the Workbook

Follow the steps below to enable the workbook: Requirements: Azure Sentinel Workspace and Security Reader rights.

  1. From the Azure portal, navigate to Azure Sentinel
  2. Select Workbooks > Templates
  3. Search CMMC and select Save to add to My Workbooks

Learn more about CMMC with Microsoft:  

Accelerating CMMC Compliance for Microsoft Cloud

CMMC Acceleration Program January Update 

0 comments

Comments are closed. Login to edit/delete your existing comments