Cybersecurity Maturity Model Certification (CMMC)

CMMC overview

The Cybersecurity Maturity Model Certification is a new framework developed by the US Department of Defense (DoD) that requires formal third-party audits of defense industrial base (DIB) contractor cybersecurity practices. The audits are conducted by independent CMMC third-party assessor organizations (C3PAO) accredited by the Cyber AB (formerly CMMC Accreditation Body). CMMC expands upon DFARS 252.204-7012 while adding a third-party audit and certification requirement. It represents an evolution of DoD efforts to safeguard federal contract information (FCI) and controlled unclassified information (CUI) processed by the DIB. The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of CUI in nonfederal information systems and organizations. CMMC requirements are evolving as the framework is still being finalized.

CMMC introduces stronger accountability for the prime contractor to ensure that appropriate security requirements are met across their supply chain. A prime contractor must validate appropriate levels of subcontractor compliance to reinforce security across the entire supply chain prior to contract award.

Note

CMMC is not applicable directly to cloud services, which is why there is no corresponding certification for a cloud services platform such as Azure. Instead, CMMC is intended to assess a DIB contractor's implementation of processes and practices associated with the achievement of a target cybersecurity level. A DIB contractor who provides a cloud-based solution must ensure that the underlying cloud services platform maintains a minimum of FedRAMP Moderate authorization. CMMC requirements are subject to change as the framework is being finalized.

CMMC certification will become a pre-requisite for DoD contract award. CMMC requires an evaluation of the contractor’s technical security controls, documentation, policies, and processes to ensure security and resiliency.

CMMC 2.0

In November 2021, DoD published an advanced notice of proposed rulemaking, disclosing significant changes to the CMMC program designated as CMMC 2.0. DoD does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, DoD will require DIB contractors to adhere to the revised CMMC framework according to requirements set forth in regulation. The rulemaking process and timelines can take 9-24 months starting from November 2021.

CMMC 2.0 builds upon the initial CMMC 1.0 framework to dynamically enhance DIB cybersecurity against evolving threats. The CMMC framework is designed to protect sensitive unclassified information that is shared by DoD and ensure accountability while minimizing barriers to compliance with DoD requirements. CMMC 2.0 will replace the five cybersecurity compliance levels with three levels that rely on well established NIST cybersecurity standards:

  • Level 1: Foundational, based on basic cybersecurity practices.
  • Level 2: Advanced, based on practices aligned with NIST SP 800-171.
  • Level 3: Expert, based on all practices in Levels 1 and 2 augmented by NIST SP 800-172, which supplements NIST SP 800-171 to mitigate attacks from advanced cyber threats.

Under the CMMC program, DIB contractors will be required to implement certain cybersecurity protection standards, and, as required, perform self-assessments or obtain third-party certification as a condition of DoD contract award. For more information, see Securing the Defense Industrial Base CMMC 2.0.

Azure support for CMMC 2.0

Both Azure and Azure Government provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140 validated hardware security modules (HSMs) managed by Azure Key Vault. Moreover, an accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of DFARS Clause 252.204-7012.

Note

For more information about Microsoft support for CMMC, see our CMMC landing page.

Both Azure and Azure Government provide:

  • FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). FedRAMP High P-ATO addresses security controls related to the safeguarding of federal contract information (FCI), controlled unclassified information (CUI), and covered defense information (CDI).
  • Attestation of compliance with the DFARS Clause 252.204-7012 provided by an independent third-party assessment organization (3PAO) that is accredited by FedRAMP.

Azure Government offers extra assurances:

  • DoD Cloud Computing Security Requirements Guide (SRG) Impact Level 4 (IL4) and Impact Level 5 (IL5) provisional authorizations (PA) issued by the Defense Information Systems Agency (DISA).
  • Contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.

Microsoft Product Placemat for CMMC

Microsoft Product Placemat for CMMC is an interactive dashboard representing how Microsoft cloud services satisfy requirements for CMMC practices. The user interface resembles a periodic table of CMMC practice families. The default view illustrates the practices with Microsoft coverage that are inherited from the underlying cloud platform. It also depicts practices for shared coverage where the underlying cloud platform contributes coverage for specific practices but requires additional customer configuration to satisfy the full-coverage requirements. Customer implementation guidance and practice implementation details are documented for each practice that aligns with Microsoft coverage or shared coverage. This capability enables you to drill down into each practice to discover customer-owned actions needed to meet practice requirements for CMMC compliance. For more information, see the Microsoft Product Placemat for CMMC.

Microsoft Technical Reference Guide for CMMC

Microsoft Technical Reference Guide for CMMC includes implementation statements for an organization pursuing CMMC while using relevant Microsoft services. The guide includes descriptions of relevant Microsoft services and products, and links to further implementation guidance. It is intended for government personnel, government contractors, managed service providers, compliance personnel, and IT security architects who are responsible for evaluating Microsoft services for control alignment and implementation to meet CMMC requirements. The Microsoft Technical Reference Guide for CMMC is especially useful when paired with the Microsoft Product Placemat for CMMC described previously. For more information, see the Microsoft Technical Reference Guide for CMMC.

Microsoft Sentinel CMMC 2.0 solution

Microsoft Sentinel is a cloud service that provides intelligent security analytics and threat intelligence across the enterprise. To help you address CMMC 2.0 control requirements at scale, Microsoft provides the Microsoft Sentinel CMMC 2.0 solution, which empowers governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across cloud, on-premises, hybrid, and multi-cloud workloads.

The solution contains:

  • Workbook – Provides a dashboard that relies on Azure Policy, Azure Resource Graph, and Azure Monitor Log Analytics to align with CMMC 2.0 control requirements across Azure, Microsoft 365, multi-cloud, on-premises, and hybrid workloads. It also provides recommendations for selecting, designing, deploying, and configuring Microsoft cloud services for alignment with respective CMMC 2.0 requirements and best practices.
  • Analytics rules – Provide an alerting mechanism that uses Microsoft Defender for Cloud regulatory compliance mappings to measure CMMC 2.0 alignment across Level 1 (Foundational) and Level 2 (Advanced) requirements. The mappings are derived from NIST SP 800-171. The alert gets triggered if policy compliance falls below 70 percent within one week, or as configured per organizational requirements.
  • Playbooks – Drive consistent and automated responses, ensuring that security teams can focus on providing remediation based on insights collected from Microsoft Sentinel instead of navigating across portals for relevant data. Automation allows you to notify impacted teams of findings via email and Teams chat, and document change requirements within IT service management tooling such as Azure DevOps.

To get started, go to your Azure or Azure Government portal to access the solution:

  • Microsoft Sentinel > Content Hub > Search “CMMC 2.0” > Install

For more information, see the Microsoft Sentinel CMMC 2.0 solution.

Azure Policy regulatory compliance built-in initiatives

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to NIST SP 800-171 compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each NIST SP 800-171 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

For more information about Azure support for NIST SP 800-171, see Azure NIST SP 800-171 documentation.

Applicability

  • Azure
  • Azure Government

Services in scope

  • Azure services in scope for CMMC reflect the Azure FedRAMP High P-ATO scope.
  • Azure Government services in scope for CMMC reflect the Azure Government FedRAMP High P-ATO scope.

For more information, see Cloud services in audit scope.

Frequently asked questions

Which DFARS requirements are supported by Azure?
Azure and Azure Government can help defense industrial base customers meet the requirements stated in the DFARS Clause 252.204-7012 that apply to cloud service providers. For more information, see Azure DFARS documentation.

What is the relationship between controlled unclassified information (CUI) and covered defense information (CDI)?
CUI is information that requires safeguarding or disseminating controls according to law, regulation, or government-wide policy. The CUI Registry identifies approved CUI categories and subcategories.

CDI is controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

How do Azure services meet the adequate security requirements pertinent to CMMC?
In October 2016, the Department of Defense (DoD) promulgated a final rule implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all DoD contractors who process, store, or transmit covered defense information through their information systems. The rule states that such systems must meet the security requirements set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an “alternative, but equally effective, security measure” that is approved by the DoD contracting officer. Where a DoD contractor uses an external cloud service provider to process, store, or transmit covered defense information, such provider must meet security requirements that are equivalent to the FedRAMP Moderate baseline.

In November 2021, DoD published an advanced notice of proposed rulemaking, disclosing significant changes to the CMMC program designated as CMMC 2.0, which builds upon the initial CMMC 1.0 framework to dynamically enhance DIB cybersecurity against evolving threats. CMMC 2.0 will replace the five cybersecurity compliance levels present in CMMC 1.0 with three levels that rely on well established NIST cybersecurity standards. CMMC is intended to assess a DIB contractor's implementation of processes and practices associated with the achievement of a target cybersecurity level. A DIB contractor who provides a cloud-based solution must ensure that the underlying cloud services platform maintains a minimum of FedRAMP Moderate authorization.

Azure and Azure Government each maintain a FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB), which represents the highest bar for FedRAMP compliance. NIST SP 800-171 mapping tables in Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure and Azure Government have already been assessed and authorized under FedRAMP. Therefore, you can be assured that FedRAMP High baseline addresses fully and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High authorization conform to the NIST SP 800-171 requirements and can help you deploy CUI workloads.

Moreover, Azure Government maintains a DoD IL5 provisional authorization (PA), which adds extra controls and control enhancements to the FedRAMP High control baseline.

Should I use Azure or Azure Government for workloads that are subject to CMMC?
If you are subject to CMMC compliance obligations, both Azure and Azure Government can help you meet those obligations. You can obtain CMMC certification for solutions deployed to either cloud environment. The decision will rest with you based on your business requirements and target DoD contracts. Most DIB contractors are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons. However, the need for CMMC certification is not a deciding factor for choosing your cloud environment.

Resources