M365 CMMC Assessment Templates Now Available
July 2021 Update: Compliance Manager premium assessment templates will no longer require a Microsoft 365 E5 or Office 365 E5 license as a prerequisite.
January 2021 Update: “The Compliance Manager is now available in all Microsoft 365 cloud offerings, including GCC and GCC High!”
The Defense Information Systems Agency (DISA) produces Security Technical Implementation Guides (STIGs). Many STIGs were written with the traditional security-perimeter mindset, and as of September 2020 there is no publicly available STIG for M365/Azure. In today’s cloud-first world, where “Identity is the new security ‘perimeter’”, how do you assess and benchmark your M365/Azure tenant against the CMMC levels?
I expect that DISA will release an M365/Azure STIG in the future. In the meantime, Microsoft’s Compliance Manager provides a set of templates and premium templates for creating assessments. The premium templates include CMMC Level 1, Level 2, Level 3, Level 4, and Level 5 (Microsoft 365). These templates can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. For more details, see https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-templates-list?view=o365-worldwide
The M365 CMMC templates are available in the commercial tenant today and are expected to be available in GCC High by the end of 2020.