{"id":20448,"date":"2021-05-06T06:00:14","date_gmt":"2021-05-06T13:00:14","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=20448"},"modified":"2021-05-18T09:35:05","modified_gmt":"2021-05-18T16:35:05","slug":"meeting-cmmc-level-3-on-azure","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/meeting-cmmc-level-3-on-azure\/","title":{"rendered":"Meeting CMMC Level 3 on Azure"},"content":{"rendered":"

Disclaimer<\/span><\/i><\/b>: <\/span>The CMMC Level 3 policy initiative and blueprint provides customers with a resource to support CMMC initiatives in Azure, however\u00a0compliant\u00a0in Azure Policy refers only to the policy definitions themselves. In addition, the compliance standard includes controls that are not addressed by any Azure Policy definitions at this time. Therefore, compliance in\u00a0Azure\u00a0Policy is only a partial view of your overall compliance status. Microsoft does not guarantee\u00a0nor\u00a0imply compliance with the regulatory framework, as all accreditation requirements and decisions are governed by the\u00a0CMMC Accreditation Body<\/a>. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time.\u00a0<\/em><\/p>\n

The Azure team just released a new CMMC Level 3 initiative for Azure Policy and a corresponding blueprint sample. These preview releases are available in Azure and Azure Government. In this blog post we break down the releases and how customers can use these tools to accelerate CMMC compliance in Azure.<\/p>\n

Why\u00a0CMMC\u00a0Level\u00a03?\u00a0<\/strong><\/p>\n

Cybersecurity Maturity Model Certification (CMMC) is a new standard introduced by the US Department of Defense (DoD), which is intended to measure and certify Defense Industrial Base (DIB) contractors\u2019 ability to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 regulations.<\/p>\n

The previous iteration of the DFARS mandate specified contractors adhere to NIST\u00a0SP\u00a0800-171 which consists of 110 controls derived from the NIST\u00a0SP\u00a0800-53 framework.\u00a0CMMC Level 3 includes all 110 controls from NIST\u00a0SP\u00a0800-171, plus an additional 20 controls which are primarily focused on centralized security operations and modern cyber incident response. Additionally, each CMMC level must be certified through an audit conducted by a\u00a0certified\u00a0third-party\u00a0assessor\u00a0organization (C3PAO), as opposed to NIST\u00a0SP\u00a0800-171 which only required self-attestation.\u00a0While CMMC levels 4 and 5 expand further into cyber practices,\u00a0federal\u00a0contracts requiring those levels\u00a0are not expected to roll out\u00a0for some time.\u00a0Thus,\u00a0the\u00a0CMMC Level 3 framework provides an ideal starting point for\u00a0organizations\u00a0that wish to continue working with the DoD, in addition\u00a0to improving\u00a0their\u00a0overall security posture.<\/p>\n

Regulatory\u00a0<\/span><\/b>compliance\u00a0<\/span><\/b>in Azure<\/span><\/b>\u00a0<\/span><\/p>\n

Achieving<\/span>\u00a0regulatory compliance\u00a0<\/span>extends beyond<\/span>\u00a0deploying a\u00a0<\/span>specific tool<\/span>\u00a0<\/span>and\u00a0<\/span>building a compliant environment<\/span>\u00a0in Azure<\/span>.\u00a0<\/span>M<\/span>any of the controls within a framework extend to corporate-wide policies and processes, as well as to partner organizations and suppliers. This makes implementing regulatory initiatives a lengthy and complex process. However, Microsoft has\u00a0built\u00a0<\/span>the\u00a0<\/span>broadest set of compliance offerings\u00a0<\/span>in the industry<\/span><\/a>, with tools and services designed to help organizations significantly reduce complexity and accelerate implementation.\u00a0<\/span>\u00a0<\/span><\/p>\n

While this post will focus on a specific subset of Azure compliance offerings, it\u2019s important to reiterate that\u00a0<\/span>a comprehensive approach<\/span>\u00a0will be required for most organizations to achieve full compliance with CMMC, or any other regulatory framework.\u00a0<\/span>\u00a0<\/span><\/p>\n

Azure Policy<\/span><\/b>\u00a0<\/span><\/p>\n

Azure Policy helps customers enforce organizational standards and compliance across <\/span>their\u00a0<\/span>Azure\u00a0<\/span>subscriptions and resources.\u00a0<\/span>I<\/span>n the Azure\u00a0<\/span>p<\/span>ortal<\/span>, Azure Policy<\/span>\u00a0<\/span>provides a snapshot of\u00a0<\/span>overall\u00a0<\/span>resource compliance\u00a0<\/span>against assigned policies<\/span>,\u00a0<\/span>detailed<\/span>\u00a0resource-level\u00a0<\/span>assessment results<\/span>,\u00a0<\/span>and<\/span>\u00a0the ability to remediat<\/span>e<\/span>\u00a0<\/span>non-compliant resources<\/span>\u00a0at scale<\/span>.<\/span>\u00a0<\/span><\/p>\n

\"Image<\/a><\/p>\n

Azure Policy overview page<\/em><\/p>\n

Within the scope of an assignment, Azure Policy evaluates resources by comparing resource properties to JSON formatted compliance conditions and rules known as policy definitions. Customers may choose to assign built-in definitions or create their own. Multiple definitions can be grouped together to form an initiative. Initiatives help customers manage policy at scale and can be used to facilitate a specific purpose or goal such as regulatory compliance. Azure provides built-in initiatives specific to regulatory compliance, and our latest release in this category is the CMMC Level 3 initiative<\/a>.<\/p>\n

CMMC Level 3\u00a0<\/span><\/b>policy initiative<\/span><\/b>\u00a0<\/span><\/p>\n

Customers can deploy the CMMC Level 3 initiative\u00a0<\/span>using\u00a0<\/span>the\u00a0<\/span>Azure\u00a0<\/span>or Azure Government\u00a0<\/span>portal<\/span>:<\/span>\u00a0<\/span><\/p>\n

    \n
  1. Browse\u00a0<\/span>to Policy<\/span>, then\u00a0<\/span>Definitions<\/span>\u00a0<\/span><\/li>\n
  2. Definition type<\/span>:<\/span>\u00a0<\/span>Initiative<\/span><\/i>\u00a0<\/span><\/li>\n
  3. Type:\u00a0<\/span>Built-in<\/span><\/i>\u00a0<\/span><\/li>\n
  4. Category<\/span>:<\/span>\u00a0Regulatory Compliance<\/span><\/i>.\u00a0<\/span>\u00a0<\/span><\/li>\n
  5. Select the\u00a0<\/span>[<\/span><\/i>Preview<\/span><\/i>]:<\/span><\/i>\u00a0CMMC Level 3<\/span><\/i>\u00a0<\/span>i<\/span>nitiative<\/span>\u00a0then\u00a0<\/span>select<\/span>\u00a0an appropriate\u00a0<\/span>scope<\/span>,<\/span> and\u00a0<\/span>scope and<\/span>\u00a0click assign.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

    Azure Policy initiative deployment<\/em><\/p>\n

    The initiative\u00a0preview\u00a0release includes\u00a0150+\u00a0policy definitions\u00a0that address\u00a0several\u00a0controls in the CMMC Level 3 framework.\u00a0There often is not a one-to-one or complete match between\u00a0a control\u00a0and one or more policy definitions. There are cases where a\u00a0control may have multiple policy definitions associated\u00a0with\u00a0it, and there are cases where a\u00a0policy definition may apply to multiple controls.\u00a0The compliance dashboard in\u00a0Azure\u00a0Policy allows customers to sort and filter by each of these categories\u00a0and view\u00a0individual controls, policies,\u00a0and resource compliance\/non-compliance\u00a0to gather additional information\u00a0as needed.<\/p>\n

    \"Image<\/a>
    Azure Policy compliance dashboard<\/figcaption><\/figure><\/p>\n

    While working toward compliance, it\u2019s important for customers to maintain awareness of controls that may not be addressed directly by the initiative. From the Azure Policy compliance dashboard (pictured above), customers can sort using the Total policies column in the Controls tab to determine which controls have no policy definitions associated with them. While we expect future releases to expand the number of addressable controls, many controls within regulatory frameworks require non-Azure implementations such as written policies and procedures, management of personnel, or intangibles that do not have a technical implementation. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.<\/p>\n

    Here<\/span>‘s\u00a0<\/span>how to use the\u00a0<\/span>CMMC L3\u00a0<\/span>initiative to assess compliance:<\/span>\u00a0<\/span><\/p>\n

    \"Image<\/a><\/p>\n

    Azure Policy Control Overview<\/em><\/p>\n

    \"Image<\/a><\/span><\/p>\n

    T<\/span>he above image <\/span>shows\u00a0<\/span>details<\/span>\u00a0for one of the CMMC\u00a0<\/span>c<\/span>ontrols<\/span>.\u00a0<\/span>T<\/span>he overview\u00a0<\/span>shows<\/span>:<\/span>\u00a0<\/span><\/p>\n

      \n
    1. Control ID\u00a0<\/span>\u00a0<\/span><\/li>\n
    2. Control Title\u00a0<\/span>\u00a0<\/span><\/li>\n
    3. Description<\/span>\u00a0<\/span><\/li>\n
    4. Customer Actions<\/span>\u00a0<\/span><\/li>\n
    5. Additional Content<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

      The Policies tab<\/span>\u00a0<\/span>shows\u00a0<\/span>all the\u00a0<\/span>policy definitions\u00a0<\/span>associated with this specific control. In this instance the Control specifies to \u201ccontrol and monitor user-installed software<\/span>.”<\/span>\u00a0<\/span>To meet this requirement, <\/span>three<\/span>\u00a0policy definitions\u00a0<\/span>are used\u00a0<\/span>to\u00a0<\/span>assess\u00a0<\/span>the control<\/span>:<\/span>\u00a0<\/span><\/p>\n

        \n
      1. Adaptive application control is the primary mechanism in Azure to manage software installed on the guest OS.\u00a0<\/span>A policy is included to\u00a0<\/span>audit that this feature is\u00a0<\/span>enabled<\/span>.<\/span>\u00a0<\/span><\/li>\n
      2. An additional policy is included to\u00a0<\/span>ensure<\/span>\u00a0that<\/span>\u00a0the\u00a0<\/span>allow list<\/span>\u00a0within the application control policy is configured.<\/span>\u00a0<\/span><\/li>\n
      3. B<\/span>ecause adaptive application control is a feature of Security Center\u00a0<\/span>with Azure De<\/span>f<\/span>ender enabled,\u00a0<\/span>a policy\u00a0<\/span>definition\u00a0<\/span>is\u00a0<\/span>included\u00a0<\/span>to ensure that the\u00a0<\/span>correct Security Center mode\u00a0<\/span>is enabled.<\/span>\u00a0<\/span><\/li>\n
      4. A\u00a0<\/span>Windows\u00a0<\/span>guest configuration policy\u00a0<\/span>definition\u00a0<\/span>is also included to ensure non-privileged users\u00a0<\/span>cannot elevate permissions and install unauthorized software<\/span>.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

        The resource compliance tab\u00a0<\/span>shows<\/span>\u00a0which resources are being audited by the policy\u00a0<\/span>assignment\u00a0<\/span>as well as their current compliance state<\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

        As you can see<\/span>,<\/span>\u00a0<\/span>Azure\u00a0<\/span>Policy provides an intuitive workflow for customers to implement and continuously monitor CMMC compliance in Azure<\/span>\u00a0using the CMMC L3 initiative<\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

        Azure Blueprints<\/span><\/b>\u00a0<\/span><\/p>\n

        Azure Blueprints enable cloud architects and central information technology groups to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. This makes it possible for development teams to rapidly build and stand-up new environments in accordance with organizational compliance. Blueprints orchestrate the deployment of various artifacts including\u00a0<\/span>p<\/span>olicy\u00a0<\/span>a<\/span>ssignments,\u00a0<\/span>r<\/span>ole\u00a0<\/span>a<\/span>ssignments,<\/span>\u00a0and<\/span>\u00a0Azure Resource Manager\u00a0<\/span>templates resource<\/span>\u00a0groups<\/span>. Several\u00a0<\/span>built-in\u00a0<\/span>blueprint<\/span>\u00a0<\/span>samples\u00a0<\/span>are available\u00a0<\/span>in\u00a0<\/span>the Azure portal, and the CMMC Level 3\u00a0<\/span>b<\/span>lueprint is our latest preview release.\u00a0<\/span>\u00a0<\/span><\/p>\n

        CMMC Level 3\u00a0<\/span><\/b>blueprint<\/span><\/b>\u00a0<\/span><\/p>\n

        Customers can\u00a0<\/span>find<\/span>\u00a0the CMMC Level 3\u00a0<\/span>blueprint sample in the Azure\u00a0<\/span>portal by browsing to Blueprints<\/span>\u00a0<\/span>then\u00a0<\/span>Blueprint\u00a0<\/span>definitions\u00a0<\/span>and clicking Create\u00a0<\/span>b<\/span>lueprint<\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

        \"Image<\/a><\/p>\n

        Azure Blueprint sample deployment<\/em><\/p>\n

        The CMMC Level 3\u00a0<\/span>b<\/span>lueprint\u00a0<\/span>sample\u00a0<\/span>currently contains\u00a0<\/span>a single<\/span>\u00a0artifact, which is a\u00a0<\/span>policy a<\/span>ssignment that deploys the CMMC <\/span>p<\/span>olicy\u00a0initiative<\/span>,<\/span>\u00a0described above. This approach\u00a0<\/span>allows\u00a0<\/span>customization of the b<\/span>lueprint<\/span>\u00a0<\/span>representative to\u00a0<\/span>the\u00a0<\/span>environment and specific needs<\/span>\u00a0of each\u00a0<\/span>customer<\/span>.<\/span>\u00a0<\/span>For example, when deploying the\u00a0<\/span>blueprint<\/span>, customers can click\u00a0<\/span>Add\u00a0<\/span><\/i>artifact<\/span><\/i>\u00a0<\/span>to include one or more<\/span>\u00a0Azure resource manager<\/span>\u00a0template<\/span>s<\/span>\u00a0to include during the\u00a0<\/span>blueprint\u00a0<\/span>deployment<\/span>.\u00a0<\/span>\u00a0<\/span><\/p>\n

        \"Image<\/a><\/p>\n

        Azure Blueprint add artifact<\/em><\/p>\n

        This release will be followed by\u00a0<\/span>an additional CMMC Level 3\u00a0<\/span>blueprint\u00a0<\/span>that will include\u00a0<\/span>resource manager<\/span>\u00a0templates to scaffold a CMMC reference architecture. This will include automated implementation and configuration of services\u00a0<\/span>such as Security Center, Sentinel, Log Analytics, and Azure Active Directory Premium features to address specific controls that are audited by the policy initiative<\/span>, and we are targeting an early summer preview release for this update.<\/span>\u00a0<\/span><\/p>\n

        A<\/span><\/b>zure Security Center r<\/span><\/b>egulatory\u00a0<\/span><\/b>c<\/span><\/b>ompliance\u00a0<\/span><\/b>d<\/span><\/b>ashboard<\/span><\/b>\u00a0<\/span><\/p>\n

        Azure Security Center<\/span>\u00a0(ASC)<\/span>\u00a0is<\/span>\u00a0a\u00a0<\/span>c<\/span>l<\/span>oud security posture management (CSPM) and\u00a0<\/span>c<\/span>loud workload protection (CWP)\u00a0<\/span>platform that provides customers with<\/span>\u00a0<\/span>c<\/span>entralized<\/span>\u00a0views o<\/span>f<\/span>\u00a0Azure<\/span>\u00a0resources\u00a0<\/span>and security controls<\/span>.<\/span>\u00a0\u00a0<\/span>The platform\u00a0<\/span>includes<\/span>\u00a0several advanced\u00a0<\/span>p<\/span>rotection<\/span>\u00a0features in addition to offering recommendations to mitigate risks.<\/span>\u00a0\u00a0<\/span>\u00a0<\/span><\/p>\n

        One of these features can be found under the\u00a0<\/span>regulatory compliance section,\u00a0<\/span>where\u00a0<\/span>customers can gain<\/span>\u00a0insight into\u00a0<\/span>their\u00a0<\/span>compliance posture for a set of supported standards and regulations<\/span>\u00a0<\/span>based on continuous assessments of\u00a0<\/span>the<\/span>ir Azure environment.<\/span>\u00a0 In fact, these dashboards are derivatives of the underl<\/span>y<\/span>ing<\/span>\u00a0policy initiative, and will be automatically added when the initiative is assigned to a subscription that is monitored by\u00a0Security\u00a0Center.<\/span>\u00a0<\/span><\/p>\n

        The CMMC Level 3 regulatory compliance dashboard\u00a0<\/span>consolidates\u00a0<\/span>all<\/span>\u00a0the controls within the framework\u00a0<\/span>into<\/span>\u00a0a drop-down\u00a0<\/span>view\u00a0<\/span>which is organized by\u00a0<\/span>family > maturity level > and control.<\/span> When a control is expanded,\u00a0<\/span>the associated policies are displayed as customer responsibilities, along with resource compliance status.<\/span>\u00a0\u00a0<\/span>Customers can click on a recommendation to see additional information, remediate via quick fix (<\/span>limited to specific recommendations), trigger a logic app, or create an exemption<\/span>.<\/span>\u00a0<\/span><\/p>\n

        *C<\/span>ertain controls will be greyed out, as these\u00a0<\/span>represent\u00a0<\/span>controls\u00a0<\/span>that\u00a0<\/span>are not currently address<\/span>able<\/span>\u00a0by Azure policy.<\/span>\u00a0<\/span><\/p>\n

        \"Image<\/a><\/p>\n

        CMMC Level 3 regulatory compliance dashboard<\/em><\/p>\n

        Azure Sentinel Cybersecurity Maturity Model Certification (CMMC) Workbook<\/span><\/b><\/p>\n

        The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Azure cloud including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements\u00a0and practices.\u00a0The workbook features 250+ control cards aligned to the 17 CMMC control families across all 5 maturity levels with selectable GUI buttons for navigation.<\/p>\n

        \"Image<\/a><\/p>\n

        Deploying the Workbook<\/b><\/p>\n

        Follow the steps below to enable the workbook: Requirements: Azure Sentinel Workspace and Security Reader rights.<\/p>\n

          \n
        1. From the Azure portal<\/a>, navigate to\u00a0Azure Sentinel<\/b><\/li>\n
        2. Select Workbooks > Templates<\/b><\/li>\n
        3. Search CMMC<\/i>\u00a0and select\u00a0Save\u00a0<\/b>to add to\u00a0My Workbooks<\/b><\/li>\n<\/ol>\n

          Learn more about CMMC with Microsoft:\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

          Accelerating CMMC Compliance for Microsoft Cloud<\/a><\/p>\n

          CMMC Acceleration Program January Update<\/span><\/a>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

          The Azure team just released a new CMMC Level 3 initiative for Azure Policy and a corresponding blueprint sample. These preview releases are available in Azure and Azure Government. In this blog post we break down the releases and how customers can use these tools to accelerate CMMC compliance in Azure.<\/p>\n","protected":false},"author":60096,"featured_media":20496,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[75,91,95,3055,216],"class_list":["post-20448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azuregov","tag-azure","tag-azure-gov","tag-azure-government","tag-cmmc","tag-cybersecurity"],"acf":[],"blog_post_summary":"

          The Azure team just released a new CMMC Level 3 initiative for Azure Policy and a corresponding blueprint sample. These preview releases are available in Azure and Azure Government. In this blog post we break down the releases and how customers can use these tools to accelerate CMMC compliance in Azure.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/60096"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=20448"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20448\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/20496"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=20448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=20448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=20448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

    \"Image<\/a><\/p>\n