Configure CMMC Level 1 controls
Microsoft Entra ID meets identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in CMMC, it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes. In CMMC Level 1, there are three domains that have one or more practices related to identity:
- Access Control (AC)
- Identification and Authentication (IA)
- System and Information integrity (SI)
Learn more:
- DoD CMMC website - Office of the Under Secretary of Defense for Acquisition & Sustainment Cybersecurity Maturity Model Certification
- Microsoft Download Center - Microsoft Product Placemat for CMMC Level 3 (preview)
The remainder of this content is organized by domain and associated practices. For each domain, there's a table with links to content that provides step-by-step guidance to accomplish the practice.
Access Control domain
The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.
| CMMC practice statement and objectives | Microsoft Entra guidance and recommendations |
|---|---|
| AC.L1-3.1.1 Practice statement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Objectives: Determine if: [a.] authorized users are identified; [b.] processes acting on behalf of authorized users are identified; [c.] devices (and other systems) authorized to connect to the system are identified; [d.] system access is limited to authorized users; [e.] system access is limited to processes acting on behalf of authorized users; and [f.] system access is limited to authorized devices (including other systems). |
You're responsible for setting up Microsoft Entra accounts, which is accomplished from external HR systems, on-premises Active Directory, or directly in the cloud. You configure Conditional Access to only grant access from a known (Registered/Managed) device. In addition, apply the concept of least privilege when granting application permissions. Where possible, use delegated permission. Set up users Set up devices Configure applications Conditional Access |
| AC.L1-3.1.2 Practice statement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Objectives: Determine if: [a.] the types of transactions and functions that authorized users are permitted to execute are defined; and [b.] system access is limited to the defined types of transactions and functions for authorized users. |
You're responsible for configuring access controls such as Role Based Access Controls (RBAC) with built-in or custom roles. Use role assignable groups to manage role assignments for multiple users requiring same access. Configure Attribute Based Access Controls (ABAC) with default or custom security attributes. The objective is to granularly control access to resources protected with Microsoft Entra ID. Set up RBAC Set up ABAC Configure groups for role assignment |
| AC.L1-3.1.20 Practice statement: Verify and control/limit connections to and use of external information systems. Objectives: Determine if: [a.] connections to external systems are identified; [b.] the use of external systems is identified; [c.] connections to external systems are verified; [d.] the use of external systems is verified; [e.] connections to external systems are controlled and or limited; and [f.] the use of external systems is controlled and or limited. |
You're responsible for configuring Conditional Access policies using device controls and or network locations to control and or limit connections and use of external systems. Configure Terms of Use (TOU) for recorded user acknowledgment of terms and conditions for use of external systems for access. Set up Conditional Access as required Use Conditional Access to block access Configure terms of use |
| AC.L1-3.1.22 Practice statement: Control information posted or processed on publicly accessible information systems. Objectives: Determine if: [a.] individuals authorized to post or process information on publicly accessible systems are identified; [b.] procedures to ensure FCI isn't posted or processed on publicly accessible systems are identified; [c.] a review process is in place prior to posting of any content to publicly accessible systems; and [d.] content on publicly accessible systems is reviewed to ensure that it doesn't include federal contract information (FCI). |
You're responsible for configuring Privileged Identity Management (PIM) to manage access to systems where posted information is publicly accessible. Require approvals with justification prior to role assignment in PIM. Configure Terms of Use (TOU) for systems where posted information is publicly accessible for recorded acknowledgment of terms and conditions for posting of publicly accessible information. Plan PIM deployment Configure terms of use |
Identification and Authentication (IA) domain
The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.
| CMMC practice statement and objectives | Microsoft Entra guidance and recommendations |
|---|---|
| IA.L1-3.5.1 Practice statement: Identify information system users, processes acting on behalf of users, or devices. Objectives: Determine if: [a.] system users are identified; [b.] processes acting on behalf of users are identified; and [c.] devices accessing the system are identified. |
Microsoft Entra ID uniquely identifies users, processes (service principal/workload identities), and devices via the ID property on the respective directory objects. You can filter log files to help with your assessment using the following links. Use the following reference to meet assessment objectives. Filtering logs by user properties Filtering logs by service properties Filtering logs by device properties |
| IA.L1-3.5.2 Practice statement: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Objectives: Determine if: [a.] the identity of each user is authenticated or verified as a prerequisite to system access; [b.] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and [c.] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. |
Microsoft Entra ID uniquely authenticates or verifies each user, process acting on behalf of user, or device as a prerequisite to system access. Use the following reference to meet assessment objectives. Set up user accounts Configure Microsoft Entra ID to meet NIST authenticator assurance levels Set up service principal accounts Set up device accounts |
System and Information Integrity (SI) domain
The following table provides a list of practice statement and objectives, and Microsoft Entra guidance and recommendations to enable you to meet these requirements with Microsoft Entra ID.
| CMMC practice statement | Microsoft Entra guidance and recommendations |
|---|---|
| SI.L1-3.14.1 - Identify, report, and correct information and information system flaws in a timely manner. SI.L1-3.14.2 - Provide protection from malicious code at appropriate locations in organizational information systems. SI.L1-3.14.4 - Update malicious code protection mechanisms when new releases are available. SI.L1-3.14.5 - Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. |
Consolidated Guidance for legacy managed devices Configure Conditional Access to require Microsoft Entra hybrid joined device. For devices joined to an on-premises AD, it's assumed that the control over these devices is enforced using management solutions such as Configuration Manager or group policy (GP). Because there's no method for Microsoft Entra ID to determine whether any of these methods has been applied to a device, requiring a Microsoft Entra hybrid joined device is a relatively weak mechanism to require a managed device. The administrator judges whether the methods applied to your on-premises domain-joined devices are strong enough to constitute a managed device, if the device is also a Microsoft Entra hybrid joined device. Consolidated guidance for cloud-managed (or co-management) devices Configure Conditional Access to require a device to be marked as compliant, the strongest form to request a managed device. This option requires device registration with Microsoft Entra ID, and indicated as compliant by Intune or a third-party mobile device management (MDM) system that manages Windows 10 devices via Microsoft Entra integration. |
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for