CMMC Compliance With Microsoft Azure

Probably one of the most talked about topics this year has been the Cybersecurity Maturity Model Certification, also known as the CMMC. Under it, all contractors and subcontractors in the Defense Industrial Base (DIB) must reach some sort of certification level in order to bid on future contracts or even finish current projects.

In this article, we take a look at some of the tools that are available in Microsoft Azure that will help you to come into compliance.

What Is Available?

  • The Compliance Manager: This is a tool that will help you to manage, at a macro level, your compliance efforts for the CMMC. It does this in the following ways:
    • There are prebuilt assessment tools that you can use to analyze the existing state of the controls that you already have in place. This will help you to identify the weaknesses or gaps that exist, and pinpoint those areas that need remediation. Also, you can customize these templates per the advice of your C3PAO. Remember, the DoD wants everything to be corrected; it will not accept any form of partial remediation.
    • There are workflow templates that you can make use of rather quickly that will help you to model and visualize the work which needs to get done. This will help you to avoid making any guesses or leaving something out.
    • For the CMMC tools that are directly supported by Microsoft, you will even receive real-time suggestions and strategies as to how you can rectify the issues that you may be having with your controls.
    • It also comes with what is known as a “Compliance Risk Score”. This is very similar to a credit score, but instead, it shows you how close or far away you are from achieving CMMC Compliance. An example of this can be seen in the illustration below:
[Image: CMMC Azure. Image source: Microsoft]
  • The Product Placemat: Essentially, this is an interactive map (which actually resembles the Periodic Table of Elements) that gives you detailed information as to how the M365 tools you are currently using are helping you to achieve CMMC Compliance. The default view is known as the “Microsoft Coverage”, and this aggregates all of the tools that you are using in your Cloud platform into one dashboard. This will display the areas in which you have achieved 100% compliance. From here, there is also another functionality known as the “Shared Coverage”, which shows you those areas which need much work. This is the result of using CMMC compliant tools with those that are possibly non-compliant at the present time. Strategies are also given on a real-time basis to help you rectify what is presented in this situation. From the Placemat, you can also choose which tools in your M365 account you want to keep using. This is illustrated below:
[Image: Microsoft product placemat for CMMC level 3. Image source: Nimbus Logic]
  • The CMMC Workbook: This is a specific functionality that allows you and your team to view the actual queries that have been set forth by other third parties, such as your C3PAO. This is all put into one centralized location, for easy viewing and responding. These queries are collected from a wide range of tools in Azure, and they include the following:
    • Azure Active Directory
    • Azure Active Directory Identity Protection
    • Azure Activity
    • Azure DDoS Protection
    • Azure Firewall
    • Azure Information Protection
    • Azure Security Center
    • Common Event Format
    • DNS
    • Intune
    • Microsoft 365 Defender
    • Microsoft Cloud App Security
    • Microsoft Defender for Endpoint
    • Microsoft Defender for Identity
    • Office 365
    • Security Events
    • Syslog
    • Threat Intelligence Platforms
    • Windows Firewall
    • Teams
    • User Entity Behavior Analytics
    • Windows Virtual Desktop

Information Source: Microsoft

  • The Azure Policy and Blueprint: This is a functionality that has been designed to help your organization come into compliance with Maturity Level (ML) 3 specifically. This allows you to create a central set of security policies and controls that are dedicated to just this particular level. These are used in an effort to:
    • Make specific database configurations in which the FCI and CUI datasets will be stored, processed, and archived.
    • Avoid data leakages to the furthest extent possible, whether they are intentional or not.
    • Create a Zero Trust Framework in your private cloud in which you will be conducting work specifically for the DoD.

The Azure Policy and Blueprint has been designed in accordance with the tenets that have been set forth by the NIST SP 800-53, Version 4.


Overall, this article has examined some of the key tools that can be used to help you achieve CMMC Compliance. But before embarking on using any of them, you first need to have a solid understanding of how they can fit into your specific environment, as these tools simply do not take a one size fits all approach.

Also, if you are planning to achieve CMMC Certification beyond Maturity Level 3, then you will need to make use of what is known as the GCC and GCC High. These are acronyms that stand for “Government Community Cloud”, and are super secure Cloud based platforms for housing the CUI and FCI datasets.

But not every contractor can make use of them; you will have to go through an exhaustive background check, as well as receive special permission from both Microsoft and the DoD.


Ali Allage CEO
A visionary leader in cybersecurity, with expertise that encompasses a deep understanding of the latest cybersecurity trends, technologies, and best practices, making a significant impact on enhancing organizational security postures in the digital age.