Today we’re going to share with you some new guidance for configuring Azure Active Directory (Azure AD) to meet the Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 requirements.
Identity continues to be the most common way bad actors get through cyber defenses. Therefore, identity controls are one of the most fundamental aspects of CMMC and this post is going to focus on Azure AD as a way of meeting CMMC's identity requirements.
Azure AD is Microsoft's cloud-based identity and access management service that helps your employees sign in and access resources in your organization. Azure AD also provides a range of security features that can help you protect your identity data and meet the CMMC requirements related to identity and access management.
We’re excited to share our new guidance for configuring Azure AD to meet CMMC Level 1 and Level 2. This guidance is part of the larger series of identity-focused compliance guidance we have created. Guidance may differ slightly in some areas based on the CMMC level of maturity required for your organization.
CMMC Level 1 requires organizations to perform basic cyber hygiene practices to protect Federal Contract Information (FCI), which is any information provided by or generated for the DoD that is not intended for public release.
In CMMC Level 1, there are 3 domains that have one or more practices related to identity:
CMMC Level 2 is the intermediate level of cybersecurity that requires you to establish and document 72 practices across 13 domains. These practices are intended to protect Controlled Unclassified Information (CUI), which is any information that requires safeguarding or dissemination controls pursuant to federal law or regulation. The 13 domains that have one or more practices related to identity are:
Our CMMC identity guidance is designed to be consumed by both administrators and auditors, and to highlight how Azure AD features can be configured to meet CMMC requirements. A good starting point is our comprehensive Azure compliance documentation landing page, which enables a deeper dive into multiple guidelines/regulations for configuring your Microsoft platform to demonstrate compliance. In combination with our Zero Trust Guidance Center, our comprehensive set of security guidance enables you to make the right decisions for your environment, meeting regulatory audit requirements while accelerating your Zero Trust journey.
In addition to the Cybersecurity Maturity Model Certification (CMMC) Levels 1 and 2 required by the Defense Industrial Base to compete for US government contracts, our set of Azure AD compliance documentation includes the following:
We approach our guidance holistically, covering each control and its applicability to identity. We developed prescriptive guidance to help you understand the Azure AD features and configurations needed to meet each requirement. We briefly describe what must be demonstrated and provide links to detailed guidance for making the changes. For example, in the following excerpt from our CMMC Level 1 Access Control guidance, we include CMMC AC.L1-3.1.1, provide the verbatim practice statement and objectives from CMMC, and then provide specific guidance and recommendations on using Azure AD to meet the requirements. Our guidance for each identity-related CMMC practice is structured in this way.
Additionally, in case you missed it, we want to highlight new features released that increase your security posture, specifically:
We hope you find these features and guidance helpful in enabling you to comply with CMMC. We would love your feedback on this identity-focused guidance as it relates to your compliance requirements. Please send your thoughts/feedback to IdentityCompliance@microsoft.com so that we can get better at helping you comply with guidelines/requirements using Azure AD.