{"id":19575,"date":"2020-05-11T16:05:05","date_gmt":"2020-05-11T23:05:05","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=19575"},"modified":"2020-06-01T10:54:46","modified_gmt":"2020-06-01T17:54:46","slug":"cmmc-with-microsoft-azure-incident-response-maturity-5-of-10","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-incident-response-maturity-5-of-10\/","title":{"rendered":"CMMC with Microsoft Azure: Incident Response Maturity (5 of 10)"},"content":{"rendered":"

This is the fifth in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. Subsequent blogs in the series will delve into maintenance & media protection, recovery & risk management, security assessment & risk management, system & communications protection and system & information integrity. In this fifth blog of the series we will explore how to leverage Microsoft Azure for incident response maturity.<\/em><\/p>\n

Please note that the information cutoff date for this post is October 2020, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body has not certified any the third-party assessors and guidance on the formal assessment process is still under development.\u00a0 As a result, the information herein, including our CMMC related offerings, may be enhanced in the future to align with future guidance from the DoD and CMMC Accreditation Body. Microsoft is closely tracking developments related to the CMMC.<\/em><\/p>\n

Stay tuned for the upcoming CMMC blogs in the series:<\/strong><\/p>\n

    \n
  1. Access Control Maturity<\/a> – live<\/li>\n
  2. Audit & Accountability Maturity<\/a> – live<\/li>\n
  3. Asset & Configuration Management Maturity<\/a> – live<\/li>\n
  4. Identification & Authentication Maturity<\/a> \u2013 live<\/li>\n
  5. Incident Response Maturity<\/a> \u2013 this blog<\/li>\n
  6. Maintenance & Media Protection Maturity<\/a> – live<\/li>\n
  7. Recovery & Risk Management Maturity<\/a> – live<\/li>\n
  8. Security Assessment & Situational Awareness Maturity<\/a> – live<\/li>\n
  9. System & Communications Protection Maturity<\/a> – live<\/li>\n
  10. System & Information Integrity Maturity – 5\/28<\/li>\n<\/ol>\n
    What is Cybersecurity Maturity Model Certification (CMMC)?<\/strong><\/h5>\n

    \"ImageThe Defense Industrial Base (DIB) is charged with implementing Defense Federal Acquisition Regulation Supplement (DFARS)<\/a> 252.204-7012. DFARS requires organizations supporting the Department of Defense (DoD) to implement NIST SP 800-171<\/a> and FedRAMP<\/a> Moderate Impact level controls. DoD has mandated CMMC with periodic assessments in order to strengthen cybersecurity across the DIB. CMMC builds upon DFARS 7012 by verifying an organization\u2019s readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) export-controlled data.<\/p>\n

    CMMC extends beyond the parent organization into sub-contractors, partners, and suppliers. The framework is intended to enforce critical thinking approaches for comprehensive security. The CMMC framework specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). The Certification levels will be determined through audits from independent, third-party assessment organizations (C3PAO).<\/p>\n

    What preparation is required for CMMC alignment to incident response management?<\/strong><\/h5>\n

    \"Image<\/p>\n

    It\u2019s important to understand that compliance is a shared responsibility between the customer and the Cloud Services Provider (CSP). The graphic on the left demonstrates the CSP responsibility in respective cloud models (On-Prem, IaaS, PaaS, SaaS) with dark blue aligning with customer responsibility and light blue aligning with CSP responsibility. For example, CMMC requirements such as Physical Pro<\/p>\n

    tection (PE) for limiting physical access (C028) is managed by the CSP. Establishment of respective policies and procedures are the customer\u2019s responsibility. It\u2019s important to note that this blog series is aligned with setting the foundation of controls for CMMC Maturity Levels 1 & 2. Once C3PAOs are identified by the CMMC Accreditation Body, customers are advised to work with their respective C3PAO for guidance on comprehensive alignment of controls, audit and certification.<\/p>\n

    The administrative controls for the CMMC Incident Response Capability (IR-MC) are listed here. These controls fall within the customer\u2019s responsibility. This starts with establishing polices to include incident response management (ML2) and progresses to a documented approach across all applicable organizational units (ML5). These controls should be formally created, documented in the System Security Plan (SSP) and implemented within the organization.<\/p>\n

    \"Image<\/p>\n

    Microsoft Azure Security Controls Aligned to CMMC: Incident Response<\/strong><\/h5>\n

    \"Image<\/p>\n

    Azure Security Controls Aligned to CMMC: Incident Response Maturity<\/strong><\/h5>\n

    Microsoft Azure Government has developed an 8-step process to facilitate incident response maturity with the security principles within CMMC, NIST SP 800-53 R4 and NIST SP 800-171 standards. Note this process is a starting point, as CMMC requires alignment of people, processes, policy and technology so refer to organizational requirements and respective standards for implementation. Azure has several offerings to facilitate incident response including Azure Sentinel<\/a>, Azure Security Center<\/a>, Azure Logic Apps<\/a>, Log Analytics Workspace<\/a> and the Microsoft Graph Security API<\/a>.<\/p>\n