{"id":19680,"date":"2020-05-21T07:00:59","date_gmt":"2020-05-21T14:00:59","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=19680"},"modified":"2020-06-01T10:33:17","modified_gmt":"2020-06-01T17:33:17","slug":"cmmc-with-microsoft-azure-security-assessment-situational-awareness-8-of-10","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/cmmc-with-microsoft-azure-security-assessment-situational-awareness-8-of-10\/","title":{"rendered":"CMMC with Microsoft Azure: Security Assessment & Situational Awareness (8 of 10)"},"content":{"rendered":"

This is the eighth in a ten-part blog series where we\u2019ll demonstrate principles of the Cybersecurity Maturity Model Certification aligned with Microsoft Azure. Subsequent blogs in the series will delve into system & communications protection and system & information integrity. In this eighth blog of the series we will explore how to leverage Microsoft Azure for security assessment & situational awareness.<\/em><\/p>\n

Please note that the information cutoff date for this post is October 2020, and that as of the date of this writing, CMMC developments and guidance are in progress. Additionally, as of the date of this writing, the CMMC Accreditation Body has not certified any the third-party assessors and guidance on the formal assessment process is still under development.\u00a0 As a result, the information herein, including our CMMC related offerings, may be enhanced in the future to align with future guidance from the DoD and CMMC Accreditation Body. Microsoft is closely tracking developments related to the CMMC.<\/em><\/p>\n

Stay tuned for the upcoming CMMC blogs in the series:<\/strong><\/p>\n

    \n
  1. Access Control Maturity<\/a>\u00a0\u2013 live<\/li>\n
  2. Audit & Accountability Maturity<\/a>\u00a0\u2013 live<\/li>\n
  3. Asset & Configuration Management Maturity<\/a>\u00a0\u2013 live<\/li>\n
  4. Identification & Authentication Maturity<\/a>\u00a0\u2013 live<\/li>\n
  5. Incident Response Maturity<\/a>\u00a0\u2013 live<\/li>\n
  6. Maintenance & Media Protection Maturity<\/a>\u00a0\u2013 live<\/li>\n
  7. Recovery & Risk Management Maturity<\/a> – live<\/li>\n
  8. Security Assessment & Situational Awareness Maturity<\/a> – this blog<\/li>\n
  9. System & Communications Protection Maturity<\/a> – live<\/li>\n
  10. System & Information Integrity Maturity (5\/28)<\/li>\n<\/ol>\n
    What is Cybersecurity Maturity Model Certification (CMMC)?<\/strong><\/h5>\n

    \"Image<\/p>\n

    The Defense Industrial Base (DIB) is charged with implementing Defense Federal Acquisition Regulation Supplement (DFARS)<\/a> 252.204-7012. DFARS requires organizations supporting the Department of Defense (DoD) to implement NIST SP 800-171<\/a> and FedRAMP<\/a> Moderate Impact level controls. DoD has mandated CMMC with periodic assessments in order to strengthen cybersecurity across the DIB. CMMC builds upon DFARS 7012 by verifying an organization\u2019s readiness to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) export-controlled data.<\/p>\n

    CMMC extends beyond the parent organization into sub-contractors, partners, and suppliers. The framework is intended to enforce critical thinking approaches for comprehensive security. The CMMC framework specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). The Certification levels will be determined through audits from independent, third-party assessment organizations (C3PAO).<\/p>\n

    What preparation is required for CMMC alignment to security assessment & situational awareness?<\/strong><\/h5>\n

    \"Image<\/p>\n

    It\u2019s important to understand that compliance is a shared responsibility between the customer and the Cloud Services Provider (CSP). The graphic on the left demonstrates the CSP responsibility in respective cloud models (On-Prem, IaaS, PaaS, SaaS) with dark blue aligning with customer responsibility and light blue aligning with CSP responsibility. For example, CMMC requirements such as Physical Protection (PE) for limiting physical access (C028) is managed by the CSP. Establishment of respective policies and procedures are the customer\u2019s responsibility. It\u2019s important to note that this blog series is aligned with setting the foundation of controls for CMMC Maturity Levels 1 & 2. Once C3PAOs are identified by the CMMC Accreditation Body, customers are advised to work with their respective C3PAO for guidance on comprehensive alignment of controls, audit and certification.<\/p>\n

    The administrative controls for the CMMC Security Assessment (CA-MC) and Situational Awareness Maturity (SA-MC) are listed here. These controls fall within the customer\u2019s responsibility. This starts with establishing polices to include security assessment & situational awareness (ML2) and progresses to a documented approach across all applicable organizational units (ML5). These controls should be formally created, documented in the System Security Plan (SSP) and implemented within the organization.<\/p>\n

    \"Image<\/strong><\/p>\n

    Microsoft Azure Security Controls Aligned to CMMC: Security Assessment & Security Awareness<\/strong><\/h5>\n

    \"Image<\/p>\n

    Azure Security Controls Aligned to CMMC: Security Assessment & Situational Awareness<\/strong><\/h5>\n

    Microsoft Azure Government has developed a 7-step process to facilitate security assessment & situational awareness with the security principles within CMMC, NIST SP 800-53 R4 and NIST SP 800-171 standards. Note this process is a starting point, as CMMC requires alignment of people, processes, policy and technology so refer to organizational requirements and respective standards for implementation. Azure has several offerings to facilitate security assessment & situational awareness including Azure Security Center<\/a>, Azure Sentinel<\/a>, Azure Blueprints<\/a> and the Microsoft Graph Security API<\/a>.<\/p>\n