Meeting CMMC Level 3 on Azure
Disclaimer: The CMMC Level 3 policy initiative and blueprint provide customers with a resource to support CMMC initiatives in Azure; however, "compliant" in Azure Policy refers only to the policy definitions themselves. In addition, the compliance standard includes controls that are not addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. Microsoft does not guarantee nor imply compliance with the regulatory framework, as all accreditation requirements and decisions are governed by the CMMC Accreditation Body. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time.
The Azure team just released a new CMMC Level 3 initiative for Azure Policy and a corresponding blueprint sample. These preview releases are available in Azure and Azure Government. In this blog post we break down the releases and how customers can use these tools to accelerate CMMC compliance in Azure.
Why CMMC Level 3?
Cybersecurity Maturity Model Certification (CMMC) is a new standard introduced by the US Department of Defense (DoD), which is intended to measure and certify Defense Industrial Base (DIB) contractors’ ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 regulations.
The previous iteration of the DFARS mandate specified that contractors adhere to NIST SP 800-171, which consists of 110 controls derived from the NIST SP 800-53 framework. CMMC Level 3 includes all 110 controls from NIST SP 800-171, plus an additional 20 controls which are primarily focused on centralized security operations and modern cyber incident response. Additionally, each CMMC level must be certified through an audit conducted by a certified third-party assessor organization (C3PAO), as opposed to NIST SP 800-171, which only required self-attestation. While CMMC levels 4 and 5 expand further into cyber practices, federal contracts requiring those levels are not expected to roll out for some time. Thus, the CMMC Level 3 framework provides an ideal starting point for organizations that wish to continue working with the DoD, in addition to improving their overall security posture.
Regulatory compliance in Azure
Achieving regulatory compliance extends beyond deploying a specific tool and building a compliant environment in Azure. Many of the controls within a framework extend to corporate-wide policies and processes, as well as to partner organizations and suppliers. This makes implementing regulatory initiatives a lengthy and complex process. However, Microsoft has built the broadest set of compliance offerings in the industry, with tools and services designed to help organizations significantly reduce complexity and accelerate implementation.
While this post will focus on a specific subset of Azure compliance offerings, it’s important to reiterate that a comprehensive approach will be required for most organizations to achieve full compliance with CMMC, or any other regulatory framework.
Azure Policy helps customers enforce organizational standards and compliance across their Azure subscriptions and resources. In the Azure portal, Azure Policy provides a snapshot of overall resource compliance against assigned policies, detailed resource-level assessment results, and the ability to remediate non-compliant resources at scale.
Azure Policy overview page
Within the scope of an assignment, Azure Policy evaluates resources by comparing resource properties to JSON-formatted compliance conditions and rules known as policy definitions. Customers may choose to assign built-in definitions or create their own. Multiple definitions can be grouped together to form an initiative. Initiatives help customers manage policy at scale and can be used to facilitate a specific purpose or goal such as regulatory compliance. Azure provides built-in initiatives specific to regulatory compliance, and our latest release in this category is the CMMC Level 3 initiative.
CMMC Level 3 policy initiative
Customers can deploy the CMMC Level 3 initiative using the Azure or Azure Government portal:
- Browse to Policy, then Definitions
- Definition type: Initiative
- Type: Built-in
- Category: Regulatory Compliance
- Select the [Preview]: CMMC Level 3 initiative, then select an appropriate scope and click Assign.
Azure Policy initiative deployment
The initiative preview release includes 150+ policy definitions that address several controls in the CMMC Level 3 framework. There often is not a one-to-one or complete match between a control and one or more policy definitions. There are cases where a control may have multiple policy definitions associated with it, and there are cases where a policy definition may apply to multiple controls. The compliance dashboard in Azure Policy allows customers to sort and filter by each of these categories and view individual controls, policies, and resource compliance/non-compliance to gather additional information as needed.
While working toward compliance, it’s important for customers to maintain awareness of controls that may not be addressed directly by the initiative. From the Azure Policy compliance dashboard (pictured above), customers can sort using the Total policies column in the Controls tab to determine which controls have no policy definitions associated with them. While we expect future releases to expand the number of addressable controls, many controls within regulatory frameworks require non-Azure implementations such as written policies and procedures, management of personnel, or intangibles that do not have a technical implementation. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.
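To make the many-to-many mapping described above concrete (an initiative grouping definitions, a control served by several policies, a policy serving several controls, and controls with no policies at all), here is an added Python example that is not from the original post or from Microsoft. It reads an initiative in the JSON shape Azure Policy uses for built-in initiatives (policyDefinitionGroups for the controls, groupNames on each policy definition) and reports what the Total policies column shows in the portal. The initiative content, control names and policy ids are constructed placeholders, not the real CMMC Level 3 initiative.

```python
import json
from collections import defaultdict

# Constructed, abbreviated initiative in the JSON shape Azure Policy uses for built-in
# regulatory-compliance initiatives: policyDefinitionGroups are the framework controls and
# each policy definition names the controls it maps to in groupNames. Ids are placeholders.
INITIATIVE_JSON = """
{"properties": {
  "policyDefinitionGroups": [
    {"name": "CMMC_L3_CM.2.063", "displayName": "Control and monitor user-installed software"},
    {"name": "CMMC_L3_AC.1.001", "displayName": "Limit system access to authorized users"},
    {"name": "CMMC_L3_AT.2.056", "displayName": "Security awareness training (non-technical)"}
  ],
  "policyDefinitions": [
    {"policyDefinitionReferenceId": "adaptiveAppControlEnabled",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-1",
     "groupNames": ["CMMC_L3_CM.2.063"]},
    {"policyDefinitionReferenceId": "appControlAllowlistConfigured",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-2",
     "groupNames": ["CMMC_L3_CM.2.063"]},
    {"policyDefinitionReferenceId": "securityCenterDefenderEnabled",
     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-3",
     "groupNames": ["CMMC_L3_CM.2.063", "CMMC_L3_AC.1.001"]}
  ]
}}
"""

def analyze_initiative(initiative: dict) -> dict:
    """Count policies per control and flag the gaps the portal's Total policies column shows."""
    props = initiative["properties"]
    controls = [g["name"] for g in props["policyDefinitionGroups"]]
    per_control = defaultdict(list)  # control name -> policy reference ids
    multi_control = {}               # policy reference id -> the several controls it serves
    for pd in props["policyDefinitions"]:
        ref, groups = pd["policyDefinitionReferenceId"], pd.get("groupNames", [])
        for g in groups:
            per_control[g].append(ref)
        if len(groups) > 1:
            multi_control[ref] = sorted(groups)
    counts = {c: len(per_control[c]) for c in controls}
    # Controls with zero policies need evidence from outside Azure Policy (procedures, training)
    unaddressed = sorted(c for c in controls if counts[c] == 0)
    return {"counts": counts, "unaddressed": unaddressed, "multi_control": multi_control}

def report(initiative_json: str) -> dict:
    result = analyze_initiative(json.loads(initiative_json))
    for c, n in sorted(result["counts"].items()):
        print(f"{c}: {n} policy definition(s)")
    print("Controls with no Azure Policy coverage:", result["unaddressed"])
    return result
```

Pointing `report` at a real initiative exported from Azure Policy gives the same gap list for the actual CMMC Level 3 definition groups.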
Here’s how to use the CMMC L3 initiative to assess compliance:
Azure Policy Control Overview
The above image shows details for one of the CMMC controls. The overview shows:
- Control ID
- Control Title
- Customer Actions
- Additional Content
The Policies tab shows all the policy definitions associated with this specific control. In this instance the control specifies to “control and monitor user-installed software.” To meet this requirement, three policy definitions are used to assess the control:
- Adaptive application control is the primary mechanism in Azure to manage software installed on the guest OS. A policy is included to audit that this feature is enabled.
- An additional policy is included to ensure that the allow list within the application control policy is configured.
- Because adaptive application control is a feature of Security Center with Azure Defender enabled, a policy definition is included to ensure that the correct Security Center mode is enabled.
- A Windows guest configuration policy definition is also included to ensure non-privileged users cannot elevate permissions and install unauthorized software.
The resource compliance tab shows which resources are being audited by the policy assignment as well as their current compliance state.
As you can see, Azure Policy provides an intuitive workflow for customers to implement and continuously monitor CMMC compliance in Azure using the CMMC L3 initiative.
Azure Blueprints enable cloud architects and central information technology groups to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. This makes it possible for development teams to rapidly build and stand up new environments in accordance with organizational compliance. Blueprints orchestrate the deployment of various artifacts including policy assignments, role assignments, Azure Resource Manager templates, and resource groups. Several built-in blueprint samples are available in the Azure portal, and the CMMC Level 3 blueprint is our latest preview release.
CMMC Level 3 blueprint
Customers can find the CMMC Level 3 blueprint sample in the Azure portal by browsing to Blueprints then Blueprint definitions and clicking Create blueprint.
Azure Blueprint sample deployment
The CMMC Level 3 blueprint sample currently contains a single artifact: a policy assignment that deploys the CMMC policy initiative described above. This approach allows each customer to customize the blueprint to reflect their environment and specific needs. For example, when deploying the blueprint, customers can click Add artifact to include one or more Azure Resource Manager templates in the blueprint deployment.
Azure Blueprint add artifact
This release will be followed by an additional CMMC Level 3 blueprint that will include resource manager templates to scaffold a CMMC reference architecture. This will include automated implementation and configuration of services such as Security Center, Sentinel, Log Analytics, and Azure Active Directory Premium features to address specific controls that are audited by the policy initiative, and we are targeting an early summer preview release for this update.
Azure Security Center regulatory compliance dashboard
Azure Security Center (ASC) is a cloud security posture management (CSPM) and cloud workload protection (CWP) platform that provides customers with centralized views of Azure resources and security controls. The platform includes several advanced protection features in addition to offering recommendations to mitigate risks.
One of these features can be found under the regulatory compliance section, where customers can gain insight into their compliance posture for a set of supported standards and regulations based on continuous assessments of their Azure environment. In fact, these dashboards are derivatives of the underlying policy initiative, and will be automatically added when the initiative is assigned to a subscription that is monitored by Security Center.
The CMMC Level 3 regulatory compliance dashboard consolidates all the controls within the framework into a drop-down view organized by family > maturity level > control. When a control is expanded, the associated policies are displayed as customer responsibilities, along with resource compliance status. Customers can click on a recommendation to see additional information, remediate via quick fix (limited to specific recommendations), trigger a logic app, or create an exemption.
*Certain controls will be greyed out, as these represent controls that are not currently addressable by Azure Policy.
CMMC Level 3 regulatory compliance dashboard
Azure Sentinel Cybersecurity Maturity Model Certification (CMMC) Workbook
The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Azure cloud including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices. The workbook features 250+ control cards aligned to the 17 CMMC control families across all 5 maturity levels with selectable GUI buttons for navigation.
Deploying the Workbook
Requirements: an Azure Sentinel workspace and Security Reader rights.
Follow the steps below to enable the workbook:
- From the Azure portal, navigate to Azure Sentinel
- Select Workbooks > Templates
- Search CMMC and select Save to add to My Workbooks
Learn more about CMMC with Microsoft: