{"id":19477,"date":"2020-05-05T07:00:08","date_gmt":"2020-05-05T14:00:08","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=19477"},"modified":"2020-06-01T15:40:11","modified_gmt":"2020-06-01T22:40:11","slug":"cmmc-with-microsoft-azure-asset-configuration-management-3-of-10","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-asset-configuration-management-3-of-10\/","title":{"rendered":"CMMC with Microsoft Azure: Asset & Configuration Management (3 of 10)"},"content":{"rendered":"

This is the third in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. Subsequent blogs in the series will delve into identification & authentication, incident response, maintenance & media protection, recovery & risk management, security assessment & risk management, system & communications protection and system & information integrity. In this third blog of the series we will explore how to leverage Microsoft Azure for asset and configuration management.<\/em><\/p>\n

Please note that the information cutoff date for this post is October 2020, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body has not certified any the third-party assessors and guidance on the formal assessment process is still under development.\u00a0 As a result, the information herein, including our CMMC related offerings, may be enhanced in the future to align with future guidance from the DoD and CMMC Accreditation Body. Microsoft is closely tracking developments related to the CMMC.<\/em><\/p>\n

Stay tuned for the published and upcoming CMMC blogs in the series:<\/strong><\/p>\n

    \n
  1. Access Control Maturity<\/a> – live<\/li>\n
  2. Audit & Accountability Maturity<\/a> – live<\/li>\n
  3. Asset & Configuration Management Maturity<\/a> \u2013 this blog<\/li>\n
  4. Identification & Authentication Maturity<\/a> – live<\/li>\n
  5. Incident Response Maturity<\/a> – live<\/li>\n
  6. Maintenance & Media Protection Maturity<\/a> – live<\/li>\n
  7. Recovery & Risk Management Maturity<\/a> – live<\/li>\n
  8. Security Assessment & Situational Awareness Maturity<\/a> – live<\/li>\n
  9. System & Communications Protection Maturity<\/a> – live<\/li>\n
  10. System & Information Integrity Maturity (5\/28)<\/li>\n<\/ol>\n

    What is Cybersecurity Maturity Model Certification (CMMC)?<\/strong><\/p>\n

    \"Image<\/p>\n

    The Defense Industrial Base (DIB) is charged with implementing Defense Federal Acquisition Regulation Supplement (DFARS)<\/a> 252.204-7012. DFARS requires organizations supporting the Department of Defense (DoD) to implement NIST SP 800-171<\/a> and FedRAMP<\/a> Moderate Impact level controls. DoD has mandated CMMC with periodic assessments in order to strengthen cybersecurity across the DIB. CMMC builds upon DFARS 7012 by verifying an organization\u2019s readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) export-controlled data.<\/p>\n

    CMMC extends beyond the parent organization into sub-contractors, partners, and suppliers. The framework is intended to enforce critical thinking approaches for comprehensive security. The CMMC framework specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). The Certification levels will be determined through audits from independent, third-party assessment organizations (C3PAO).<\/p>\n

    What preparation is required for CMMC alignment to access & configuration management?<\/strong><\/p>\n

    \"Image<\/p>\n

    It\u2019s important to understand that compliance is a shared responsibility between the customer and the Cloud Services Provider (CSP). The graphic on the left demonstrates the CSP responsibility in respective cloud models (On-Prem, IaaS, PaaS, SaaS) with dark blue aligning with customer responsibility and light blue aligning with CSP responsibility. For example, CMMC requirements such as Physical Protection (PE) for limiting physical access (C028) is managed by the CSP. Establishment of respective policies and procedures are the customer\u2019s responsibility. It\u2019s important to note that this blog series is aligned with setting the foundation of controls for CMMC Maturity Levels 1 & 2. Once C3PAOs are identified by the CMMC Accreditation Body, customers are advised to work with their respective C3PAO for guidance on comprehensive alignment of controls, audit and certification.<\/p>\n

    The administrative controls for the CMMC Asset Management Maturity Capability (AM-MC) and Configuration Management Maturity (CM-MC) are listed here. These controls fall within the customer\u2019s responsibility. This starts with establishing polices to include asset & configuration management (ML2) and progresses to a documented approach across all applicable organizational units (ML5). These controls should be formally created, documented in the System Security Plan (SSP) and implemented within the organization.<\/p>\n

    \"Image<\/p>\n

    Microsoft Azure Security Controls Aligned to CMMC: Asset & Configuration Management<\/strong><\/p>\n

    \"Image<\/p>\n

    \u00a0<\/strong>Azure Security Controls Aligned to CMMC: Asset & Configuration Management<\/strong><\/p>\n

    Microsoft Azure Government has developed a 9-step process to facilitate asset & configuration management with the security principles within CMMC, NIST SP 800-53 R4 and NIST SP 800-171 standards. Note this process is a starting point, as CMMC requires alignment of people, processes, policy and technology so refer to organizational requirements and respective standards for implementation. Azure has several offerings to facilitate asset & configuration management including Azure Security Center<\/a>, Azure Active Directory<\/a>, Azure AD Privileged Identity Management<\/a>, Azure Policy<\/a> and Azure Information Protection<\/a><\/p>\n