Microsoft CMMC Acceleration Program Overview

Captions
All right, everybody, we're going to go ahead and get started. There is a lot of ground to cover today. Obviously, there's a lot of news as it pertains to the DFARS 70 series, with 7019, 7020, and 7021, but really, today this most applies to DFARS 7021 and some of the CMMC requirements. Obviously there's some overlap here, but really we spun this webinar up mainly just to have Richard join us and talk through the acceleration program: what's present day, what's there by the end of the year, what's going to be next year. There are a lot of moving pieces on this particular program, and we're really excited that Microsoft has continued to put a lot of emphasis on helping their clients and their customers meet compliance in the Microsoft 365 platform as well as in Azure. And so I'm really excited to bring Scott also from our team, because obviously this impacts how we provide services to our clients as well, and kind of talking through how to use these tools as a business, or if you outsource any of your projects and efforts towards meeting CMMC and DFARS compliance, how to essentially use these tools to the best of your abilities to meet these requirements. So hopefully we'll kind of address most of those. Again, feel free to shoot in questions; we'll try to get to those either in the live talk or afterwards. But nevertheless, I'm going to go ahead and intro and get out of the way here. So first off, we have Scott Edwards from Summit 7.
He is the president and brings 20-plus years of experience providing thought leadership around security, compliance, and cloud services. As a national speaker, this thought leadership has resulted in being invited to participate in CMMC working groups and speak at other conferences throughout the DoD community. Before Summit 7, Scott spent six-plus years working as a senior computer engineer and NASA data center chief engineer. Scott is a graduate of the US Military Academy at West Point and obtained a Master of Science in Computer Science from James Madison University. From Microsoft we have Mr. Richard Wakeman. Richard Wakeman is the Senior Director of Aerospace and Defense for Azure Global at Microsoft. He specializes in the DIB adopting cloud services from Microsoft. Richard engages with Microsoft partners and clients for end-to-end engineering and driving adoption for Azure Government, Microsoft 365 GCC High and DoD, and Dynamics 365 GCC High as solutions within the Microsoft US sovereign cloud. Richard joined Microsoft in 2007 and has worked with hundreds of the most prominent worldwide accounts. So again, Richard and Scott, thank you so much, and I'm going to hand it over to Scott and Richard.

All right, well, thank you very much, Sean, I appreciate it. And so we're going to go ahead and get started here this morning. I'm really happy to have Richard with us. Richard brings obviously a great deal of background and information to us today as we get ready to jump into this new world of the CMMC Acceleration Program and what that's going to do for you as customers in the GovCloud getting ready for DFARS and CMMC requirements. So we're really excited to have Richard today. So what you can see now is the government platform is going to be the first thing we'll talk about a little bit. Richard's going to kind of give the overview that he gives many times about the government platform, how it's structured. I see we already
actually have a question on the difference between the government platforms and the commercial platform and such, and so Richard's going to address some of those actually right away. So, Omar, you're in good shape; we're going to get that question answered right off the bat. So, Richard, I'm going to go ahead and hand it over to you to jump into the next piece here. So let's jump in.

Yeah, thank you for having me and hosting me today. This is a wonderful opportunity to present the Microsoft CMMC Acceleration Program. In terms of looking at probably the most frequent question that we receive from our defense industrial base customers, it's in alignment with which cloud they would choose, especially in protection of controlled unclassified information. In terms of looking at the multiple clouds, I typically like to go through a quick history lesson in terms of how we ended up evolving our cloud services to include multiple different data enclaves. You can see here that there is a build going on a little ahead of the dialogue, but if you look at, for example, the very first public multi-tenant offering that Microsoft made available: I was working with our education community and public sector community deploying our very first productivity suite, which was back in the days of over 10 years ago with our Business Productivity Online Suite, and what's now evolved into our Microsoft 365. And the enterprise offering is a global multi-tenant solution where we offer data residency in multiple different geographic locations around the world. This does meet a number of the requirements that we have for jurisdictions that would span, for example, different industries as well as government, and offer an ability to even do a multi-geo tenant to address multiple different compliance requirements that you would have globally. Now, if you look at the Microsoft 365 Enterprise, it
is a worldwide solution, so you do have, for example, a follow-the-sun support model, you have a global network, and of course routing and so forth. And I get into quite a bit of the details of disseminating the differences between how we would manage data residency within our commercial cloud versus what we'll introduce as we get into our government clouds, where we would introduce true data sovereignty. Now, if you look at the introduction of our Government Community Cloud, or what we oftentimes refer to as GCC, that came along about eight years ago, in which case we had a gap in terms of being able to address the requirements for state and local government and primarily federal civilian agencies. So GCC is predominantly government entities that you would find within that environment, and it was ultimately a region of the commercial multi-tenant environment in which case we could be able to achieve, for example, a FedRAMP accreditation. We just announced that we do have a FedRAMP High accreditation within GCC, and that's now paired with what came along in terms of an introduction of our Azure services. Infrastructure as a service and platform as a service was introduced around the same time as GCC, so you'll find that there is a pairing between public multi-tenant GCC and Azure infrastructure as a service and platform as a service within the commercial multi-tenant environment. So Azure Commercial does have a FedRAMP accreditation as well. As I mentioned, there's still a global network and of course a follow-the-sun support model around Azure Commercial, and for certain components of GCC that are paired up with Azure Commercial, that really prevented us from being able to capture especially the US Department of Defense as well as some of the federal cabinet-level agencies that had a true requirement for, for example, data sovereignty that's aligned with NOFORN, and that's where we
introduced the Azure Government environment. There we go.

So, Richard, yes, before we jump into the Azure Gov side, I would like for you to dive in a little bit on what you said about follow-the-sun support. Can you explain a little bit about what that means with regard to the personnel who are involved in that support infrastructure and where that support actually comes from?

Yeah, so, by way of example, if you have an issue with Azure Active Directory and you submit a support ticket, then you'll of course get a support engineer that's aligned with the Azure Commercial environment, which in that case could be a support engineer that would be outside the continental United States. Now, if you look at those support engineers, they by default do not have access to any customer data, so there are some controls that you can put into place like Customer Lockbox. But because we do have the ability for foreign nationals to, for example, do support of those systems like with Azure Active Directory, etc., it does prohibit Microsoft from being able to provide a contractual obligation to NOFORN, which would align with us being able to say that we can give you a contractual amendment in GCC to protect, for example, ITAR CUI that is ultimately in alignment with export-controlled data. That's where we introduce the sovereign cloud.

Okay, great, thank you.

So, looking at Azure Government, we built that approximately five years ago, and primarily in support of the US Department of Defense. It was initially built out as a DISA Security Requirements Guide Impact Level 5 environment. It also gave us a base foundation to begin delivering additional services within what I'll call the US sovereign cloud. So if you just step one forward in the build, you'll notice that we built a cloud for the productivity suite, which is Office 365 Department of Defense, or DoD, and this cloud was built to an SRG Impact Level 5 control set as well
as FedRAMP High, and ultimately the DoD environment is restricted to use by only those networks, federal information systems, that are managed by the US Department of Defense proper, which prohibits even some of the federal cabinet-level agencies from being able to have access to that environment. So what we do is we build a twin copy of the US DoD Office 365 productivity suite, and that's what you'll find is now branded Microsoft 365 GCC High. Now, what you'll find is that the GCC High environment is managed to an SRG Impact Level 5 control set. We'll oftentimes label it as an IL4 equivalency by virtue of the fact that most of the customers that would be within that environment are more in alignment with an IL4 as opposed to an IL5. Of course, for the defense industrial base there's not a specific requirement that you would have for the SRG; those are for federal information systems, and that's where we align with, for example, the requirements for the DIB to include DFARS 7012 as well as NIST 800-171 coverage, and we'll go into that in a bit more depth as we go through our presentation today. But don't get tripped up by branding. What you'll find is that oftentimes we'll refer to branding of Azure for the infrastructure as a service and platform as a service, whereas software as a service is branded GCC High in the sovereign cloud. So there are services in Azure Government, such as Azure Active Directory, that are truly sovereign to the United States, only managed by screened US persons, in which case that Azure Active Directory instance in Azure Government is branded GCC High. So oftentimes GCC High and Azure Government are interchangeable in terms of branding, and that's why I differentiate oftentimes: everything you see on the right side of this chart would be our US sovereign cloud, versus the left side would be more of our public multi-tenant environment.

Great, thanks, that's a really good overview,
and I think that most of the people watching, many of them may have seen some of this before, but this is always a great topic to cover, especially as we start jumping in to talk about some of the next items that we have on the list here. So next we have the shared responsibility model. Obviously, as we are deploying out for these compliance requirements in the Microsoft cloud, there's a shared responsibility model between the organization that is deploying in the infrastructure and then Microsoft. And so, Richard, can you talk a little bit about how this shared responsibility model works with regards to NIST 800-171 and even NIST 800-53, for those organizations that need that kind of control set?

Yeah, absolutely. Oftentimes what we'll refer to as a shared responsibility model would be a set of controls that of course you can inherit natively from the Microsoft platform, assuming that you're in a cloud-native configuration, as well as those that are shared scope of responsibility, or an organization-only responsibility. Of course, the amount of that pie chart, if you will, will change depending on whether it's software as a service or, naturally, infrastructure as a service, which has a greater scale of number of controls that would be owned by the organization's responsibility. I like to put it really into three different categories. In context of the Cybersecurity Maturity Model Certification, now there's 130 practices for CMMC Level 3, and of those there's only a few, like approximately 15 percent, that you can natively inherit from the Microsoft platform. Those are mostly physical controls, and in your system security plan of course you can document that Microsoft would have coverage of those, especially those physical controls in which case solutions are deployed on the cloud, as opposed to, of
course, you'd still have to document your on-premises environment as well. But to look at the vast majority of those practices, approximately 60 percent are ones that are shared responsibility between Microsoft and the organization, right, the tenant owner. So by way of example, there are a lot of access control practices within CMMC, in which case we provide capabilities in order for you to be able to demonstrate compliance for those specific practices, and we'll provide, of course, prescriptive guidance on how you would do that and provide solutions, for example, for our partners to be able to extend to you. But it's still your responsibility to configure those in a compliant fashion and to go and demonstrate compliance to, for example, an assessor for a CMMC audit. And then, of course, what you see left over: there are many processes that are aligned with CMMC that simply would be a hundred percent of the organization's responsibility. Now, if you flip forward one more slide, there you go, the amount of your shared scope of responsibility will be different depending on, as I mentioned, if you are deploying infrastructure as a service and platform as a service as opposed to software as a service. Naturally, with Office 365 the portion is considerably smaller, but then there's still a vast amount of customer responsibility to, for example, configure access control, as I mentioned, as well as device management, etc., to control access into the software as a service environment. So to net it out, what we have been focusing on with the CMMC Acceleration Program is to maximize the coverage for Cybersecurity Maturity Model Certification Level 3 and above, right, because Level 1 is of course more process-oriented. Once you get into Level 3, that's where you have the alignment with NIST 800-171, in which case we would be able to, for example, map out how the capabilities of our
service will help you to meet your compliance requirements using Microsoft technology for their shared scope of responsibility. And we've got, of course, quite a bit more investment in IaaS here initially, because there is a larger scope for infrastructure as a service.

Great, thanks, Richard. So as we are about to flip into talking about the acceleration program in specific, can you address a little bit about, as we go through this, the percentages with 800-171 and the CMMC Level 3 requirements for the 130 different practices that are there? Obviously, a significant portion of those are on Microsoft from a responsibility standpoint with the infrastructure, and there's a larger portion that's really going to be about configuration, and now with the acceleration program we're going to have a portion of those that may be configured through the acceleration program to help people get further down that road toward a compliant configuration, right? That's kind of the whole goal. So if you could just address, in general, numbers of controls, if you have that kind of information, that would be great.

Yeah, one of the deliverables that we have that I'll present here in a moment is our product placemat, and what this illustrates is the ability for you to map all the Microsoft capabilities and products to become compliant running in the Microsoft cloud, and in some cases even for hybrid deployments that would extend to on-premises and to other cloud service providers, using our suite of, for example, security and compliance tools. Now, if you maximize those numbers, what we found is approximately 70 percent coverage, most of which is shared responsibility between Microsoft and the tenant owner or the customer. So the vast majority, as I
mentioned, but you still get, if you, for example, went all in with Microsoft technology and you used a Microsoft 365 E5 and you leveraged the capabilities that we have within Azure and Office 365 for compliance, you would be able to get approximately 70 percent of the way there with guidance, right? But we know that closing the gap to get through that configuration to the seventy percent plus, closing the gap to a hundred percent, is going to be customer responsibility, in which case we will rely heavily on our partner community, and have been working and ultimately building the CMMC Acceleration Program with an intention to be scaffolding for our partners and our customers. But many of our, especially managed service providers, that we know are required to be able to scale to the sheer numbers of the defense industrial base, especially going into the small and medium-sized market with the tier three in the supply chain, there are just such vast quantities that we're looking to have and enable our partner community, like Summit 7, to be able to address and help with a lot of that configuration to the seventy percent plus, the processes beyond that, to close the gap.

Yeah, that's really great. And so there are so many companies that have to move into these compliant infrastructures, and everything that we can do working together, as we've been working with you on the acceleration program for the last few months, anything that we can do that's going to speed that process for the DIB is going to be obviously well received. And so I'm really excited about what we have here, and I'm really excited about getting this out for customers.

Yeah, likewise. It's been wonderful working with Summit 7 and helping to really steer where Microsoft helped, helping us to even put some of these CMMC Acceleration Program
artifacts together. If you look at the blogs that we have published, those are available, links on the slide here, as well as if you go to my LinkedIn page or to our Microsoft Tech Community for public sector, which is where most of these blogs have been published. One of the very first, call it table stakes, that we have with the Microsoft CMMC Acceleration Program is to work with our partners in the CMMC Accreditation Body and various other stakeholders for CMMC, for us to define and have an agreement on what the program of reciprocity will be from the cloud service provider. As you know, if you look at NIST 800-171A, and as written, many of the controls with NIST, as well as even with the CMMC practices, do not have many accommodations for a CSP or for cloud use. So we've been going through this process of looking at, well, what's the best way for us to establish reciprocity so that you can inherit from us, so that you can be able to have compliance solutions that leverage the underlying platform, and so that you can be able to accelerate, for example, an assessment with a CMMC C3PAO audit, because there are certain aspects of the underlying cloud platform that you as a customer shouldn't have to go and, one at a time, have to assess the cloud service provider. So we would establish that reciprocity for you to be able to inherit that naturally. DFARS 7012 has a strict requirement for a FedRAMP Moderate accreditation, which we hold a FedRAMP High provisional authorization within Azure, all of Azure, commercial and government, as well as now FedRAMP High within our government clouds including GCC and GCC High. So we meet that benchmark that's required for reciprocity for NIST 800-171 and DFARS 7012 requirements of a cloud service provider. Now, if you look at the data protection that's required for controlled unclassified information, that's where you get into an alignment oftentimes with the Department of Defense Cloud Computing
Security Requirements Guide, and if you look at our government clouds, we do have SRG alignment, and we can demonstrate compliance, for example, with SRG Impact Level 5 in our US sovereign cloud, including looking at the equivalency for IL4 in GCC High. So that does have, call it the higher watermark for compliance that you can be able to demonstrate for protection of controlled unclassified information, especially paired together with, in the US sovereign cloud, us having a contractual obligation for ITAR, right? So those are of course all things that we can demonstrate and our customers can leverage, right?

Yeah, that's really great.

Now, if we step forward into the CMMC Acceleration Program, the intention, as I mentioned before, we have been targeting CMMC Level 3 initially. We will of course go to full Level 5 as more details emerge, especially from the Accreditation Body and from DISA, that are still working on assessment guides, etc. The intention initially is to have, of course, as I mentioned, scaffolding for our partners to build managed solutions on, so that would give capabilities, establishing the reciprocity, etc., for the intention that Microsoft, working with our partners, can be able to deliver pre-configured environments. And if you look at that pre-configured environment, that may be a fully hosted environment where you would lift and shift an entire organization into the cloud, I call it a cloud-native solution for an entire company, versus there's also opportunities to build out shared data enclaves. Oftentimes I call them mission enclaves. This may be an environment that's hosted, for example, by one of the tier one prime contractors, where they would have a controlled environment that would control data egress so that they can invite in their supply chain right within that environment and be able to meet the higher bar for compliance, not necessarily eliminating those
subcontractors from having to go get CMMC themselves; they will need to. But it does enable, for example, especially once you start introducing the higher levels of four or five, where these DIB prime contractors simply would have a higher level of requirements for these mission clouds, so they're ultimately segmenting environments that you have.

I mean, we see that with our customers today. We're seeing more and more traction, more customers asking for an enclave-type approach, especially the larger businesses. Smaller businesses are typically going kind of all in, like you were saying earlier, right? But the larger businesses, many of them are starting to build out enclave approaches, especially leveraging things like Windows Virtual Desktop in Azure, to have kind of that full desktop environment sitting in Azure, leveraging Office 365 and the rest of the Azure services, and basically separating it out from some of their on-prem infrastructure and such. So it's definitely an approach that I see happening more often with our customers, and I think we're going to continue to see that method of configuration.

Yeah, absolutely. And you could go on for probably hours on the topic of whether or not you go all in or if you decide to swivel-seat, as I call it, where you have two different panes of glass and of course control data transfer between environments that would protect controlled unclassified information, especially important for covered defense information, technical documentation that would be export-controlled.

You know, one of the things that you brought up a second ago: you see here that we're currently targeting CMMC Level 3 with the acceleration program as it sits today, right? But you brought up CMMC Level 4 and Level 5, and especially from an enclave standpoint, supporting down-level subcontractors to be able to get access to a Level 4,
Level 5 environment, that's certainly an area that I think you're going to see primes moving into. And we've done some analysis of the platform, obviously some of that with you, and we'd see no blockers right now within the Microsoft cloud to be able to get to Level 4, Level 5 within the Microsoft cloud. Have you run across anything that you think may be a hurdle at this point for Level 4, Level 5 within the Microsoft Gov cloud?

No, not at all. I mean, we already achieve a higher level of obligations and standards and compliance that would even exceed a Level 5. There are some unique aspects to, especially, Level 5 that we believe will be a significant concern for our customers, which is why there's this run to partner up and make sure that there's a whole community to support our customers out there. For example, once you get into a Level 5 you have a very strict requirement for real-time monitoring and having a security operations center, a SOC, and for many of the smaller companies, even medium-sized companies, to stand up a SOC is less than trivial, right?

Absolutely. I mean, with Level 4 and Level 5, really the biggest piece is around people and process. It's really not even the technology at those levels. It's really, do you have the right people doing the right processes: threat hunting, investigation, those kinds of capabilities that really set Level 4 and Level 5 apart.

Yeah, for certain. And leveraging capabilities of our platform such as Microsoft Azure Sentinel, that's our SIEM and SOAR solution, plays a very significant role in those SOCs and in that real-time monitoring and threat hunting, etc. So we've been making investments, for example, into building out workbooks that align with CMMC that are available within Sentinel, and that works across both Azure and Office. So,
looking at some of the announcements that we've made here in our recent blog, it's around the Microsoft Compliance Manager. We're really excited about this. It went general availability for the first time just this last month in October, aligned with Ignite. Think of the Microsoft Compliance Manager as being a GRC tool that we have built into our Microsoft 365 compliance center, so it has coverage over the Microsoft 365 product suite. That's of course the productivity suite with Office 365 as well as many of our security products, such as Intune and MCAS, Cloud App Security, that we have as part of our security suite, and Azure Information Protection. And we have the ability to, for example, overlay a set of assessment templates into the Compliance Manager. So those assessment templates are a set of templates that would define the rules in alignment with each of the controls, or practices in the case of CMMC, that you would need to configure in order to raise your compliance score. So there's a set of actions that you would take. By way of example, one of the actions for CMMC and NIST 800-171 is you must implement multi-factor authentication and enforce it across the entire tenant, so there is a set of guidance where it points you to, for example, Azure Active Directory to configure a conditional access policy that'll enforce MFA, and if you do so and you complete that successfully, then it's going to raise your compliance score. Now, I will just caution you that the compliance score today is something that's fairly arbitrary, based on the developers of the assessment templates. We have had some interest in some open discussions now looking at how that compliance score could be weighted better in alignment with the NIST 800-171A assessment guide so that those could align. As we speak, we have the assessment templates for NIST 800-171 as well as CMMC Levels 1 through
5, and we of course would embrace any feedback that you would have as you begin to use these. Now, it is limited to commercial, but the good news is that the team that manages the Compliance Manager has committed to deploying this within the government clouds by the end of this year. It may even surprise us with an early release here this month in November, so that would become available within Microsoft 365 GCC High by the end of this calendar year.

So, Richard, a couple questions on that. So you mentioned the scoring; you're looking at doing some weighting with that. Are you going to make that weighting match kind of the DIBCAC process around the scoring that we have for the moderate, the medium, and the high assessments that DCMA would be doing, or are you looking at just straight 800-171? How are you looking at potentially making that work out?

It's early in the discussion. I would say we're very malleable on that front and open to feedback. The one thing that I will call out is that these assessment templates do not have full coverage of any one practice in many cases, where there's still a shared scope of responsibility by the customer. And so any score that you would see coming out of the Compliance Manager would be mostly partial in contribution to most of the practices, right? Like, it shows and demonstrates where you are doing the right configurations within your tenant to meet those compliance requirements per control, but keeping in mind that there still is shared scope of responsibility even beyond that that you would have to be accountable for.

Can you just dive in a little bit on that? Because one of the things on the previous slide, if we could go back real quick, there's a difference between configuration versus reporting, and how does Compliance Manager fit within
that scope? Does Compliance Manager allow you to actually do one-click configuration, or is it more of a reporting tool, basically showing you what you have configured in your environment?

Yeah, it's more of a reporting tool at this point. It is tied into a real-time configuration of your tenant. By way of example, if you've enforced MFA, then it would show you real-time reporting, but also have an ability for you to one-click go and enable multi-factor authentication. That may be acceptable for that default rule by many organizations, especially small and medium-sized, but we all know that there are, especially within the defense industrial base, exceptions to that MFA rule, such as if you're using Windows Hello for Business on Windows, or if you're using another third-party provider such as Duo for multi-factor on Mac and Linux, or wherever else, that naturally the Compliance Manager is not going to report back on what your configuration is on Duo.

Absolutely, yeah.

But it is very valuable. I mean, we've gotten really good feedback and would love to continue to evolve that. Now, the Azure Security Center is similar to the Compliance Manager, but the Azure Security Center is part of infrastructure as a service and platform as a service. We've now rebranded this into Azure Defender, and within Defender we have the ability to be able to present what are called Azure Blueprints. Blueprints are a set of policy initiatives as well as automations through, such as, Resource Manager scripts and templates that you can apply to an Azure subscription, and similar to the Compliance Manager, it results in a view, or reporting back to you, on how you would achieve very specific controls and how they're configured on, for example, virtual machines or virtual networks within Azure. So they're synonymous; the Azure Blueprints are similar to
azure as the assessment templates and compliance manager applied to the software as a service world with microsoft 365. we do have currently a azure blueprint sample for nest 800 171 that you can apply to subscriptions in both azure commercial and azure government today we have as part of this acceleration program uh are building a cmmc level three azure blueprint that will actually preview next week so we're beginning the the previews for that we we will go into a public preview next month in december uh we have no line of sight on general availability though for any cnmc level three uh deliverables that we have until i believe we will probably get through the whole provisional period with uh you know the assessments that are being done especially for level three because there's still a lot of unknowns out there but we'll you know we'll continue to uh to evolve these blueprints and assessment templates as we learn more about how cnnc level 3 will be ultimately assessed that's great so from an infrastructure standpoint which is what the you know the azure piece really does so you know laying down these blueprints is going to allow us to quickly configure an environment at least a minimal environment to some percentage of configuration say what 50 60 a configuration for cmmc is that kind of what the target is that is target yeah it is and you know of course a holistic solution would would require components that are over in the microsoft 365 side so if you deploy an azure blueprint for example that would apply to an azure subscription for virtual networking and virtual machines or azure sql etc you would still need to have uh you know coverage for example of the microsoft 365 suite that would include device management through intune making sure that any of the devices that are connecting into your network are our trusted devices and currently in policy for example yeah you know i tell you as we have done you know hundreds now of these implementations and you know 
you know to to the cmc or nist 171 standard and the migrations into the platforms um you know that is really the sticky point you know that we run across every time it's it's migration and device management you know those are the two big ones those are the two difficult places that it takes so much time and so much effort to to get correct because you start touching users and start touching user data and when you start touching your users and you start touching your user data that's where that's where a lot of the time comes in so it's certainly something that has to get a lot of a lot of attention it sure does in fact i would say one of the big differences in the defense industry especially the div is compared to many of the customers that i've worked with you know don't actually been doing migrations to office 365 for over 13 years or the previous technologies before that and and often times you would evolve into a state where you would say hey our goal is to get to a point to where we would only allow access by trusted devices and people that are connecting from you know you know trusted networks or some combination of of conditional access controls whereas the div have a very strict requirement that you have to come right out of starting gate with enforcing these rules especially protection and controlled unclassified information so there isn't an option to say we're going to get there we have in our poem that we're going to start managing all of our devices no all your devices have to be managed now be compliant which is where zero trust comes into play if you look at zero trust you know the whole principle here is to never trust and always verify so if you want to go and get access for example to some data repository or application hosted in azure for example that may contain controlled and classified information then nobody may have access to access to that data as a standing concern it may be that the only way that they can get access to it is through some 
sort of you know privileged workstation or through a trusted device as i mentioned maybe even trusted networks etc so the xero trust model is really something the department of defense has been embracing uh we are also making significant investments across microsoft and of course within azure global to deliver a zero trust architecture and we we have already uh built a number of automations that are available for applying an azure blueprint to an azure subscription that is available as a repo on github i've linked to it here as well as into my blog i'll just say that we have a major refresh of that coming next month so the the xero trust architecture is being developed in coordination with our microsoft design for zero trust much of which is in alignment with the nest uh definition as well uh now i've because there's been such a moving target with cmmc special level three i haven't yet mapped the uh the xero trust architecture blueprint to cmmc level three so our intent is to go ahead and release this zero trust architecture next month and then we'll do an exercise in the first half of 2021 to then go and and fine-tune it and provide documentation to be specific for cmmc product placemat super excited about this we have it coming out in preview next week as well so the pre the product placemat is think of it as our uh consolidated set of guidance around the cyber security maturity model certification the level three placemat to have a screenshot of here is an interactive uh user interface so it's not static in fact i've had some people say hey can you give me a better screenshot of this and i'm like well actually the placemat is not just a screenshot it is literally the ability for you to you know be able to identify how microsoft products would be able to contribute to compliance across all the different families of of cmmc practices uh and there's also a mapping that's inherently built in here for an s800 171 as well so that schema for cmmc of course is uh what's 
representing the periodic chart but you'd have a crosswalk into this 800 171 as well and uh illustrated here you can see that this is the maximum set of uh microsoft products in which case you know we are able to achieve uh you know over 70 percent of cmc practice coverage now that that is a shared scope of responsibility in in in almost all these controls if you were to reverse out so this is the maximum using for example microsoft 365 e5 sku if you were to uh look at a view of it with no products applied then it would be closer like 17 as opposed to over 70 yeah this is a great product and you know kudos for the work that's been done on this um you know like you said 70 coverage within the product stack if everything is configured appropriately obviously there's shared responsibility there right so you know while microsoft does a lot of the infrastructure pieces the customer still has to you know do a lot of configuration here and you know that 70 percent maps to you know i'm thinking back to to to kind of the bigger map you know there's still over you know i think it's 12 to 1300 different configuration items um you know when you look across all those all those products so you know there's a significant amount of stuff behind that product placemat that really uh that really has to get done uh from a shared responsibility model standpoint so but this is a great product and this is going to be great for uh for our customers uh to be able to get a better view of what's going on absolutely and it has customer implementation guidance also built into it we'll distill that out into a mini ssp that our customers can leverage as well so if you look at the uh the cyber security reference architecture quickly this is just a single visualization of all of our especially our security suite and how that applies for doing access information protection you know client management etc we do have a new version of this that will be aligned with all the rebranding that we did 
especially around the defender that will be coming out here in a couple of weeks as well so uh great great tool i think of the the reference architecture as being like a a level 100 view versus the the product placemat would be a level 200 view with more depth and then of course getting into the reference architectures that are paired with documentation such as system security plans etc would be the level 300 above right it would be getting down to the nuts and bolts again the re even with the reference architectures are in they're still uh paired together with with customer scope or responsibility for those so many questions too so i'm not sure how much time we have left yeah so i've got a few more slides i'm going to go through here and then we're going to jump into some questions there has been a very active uh set of questions come through i don't know if we'll be able to get to all of them but we will try to get to some of them and we will follow up with those that we're not able to get to we'll follow up with those offline so that um so that we get answers to everybody who did ask questions um where possible so so where does this leave us i mean you know richard you've gotten you know you've added um you know fuel to the fire here right you've gotten a lot of people excited about you know what this capability is going to be how it's going to help the div really get secure in the microsoft cloud which is all of our goals right we want to make sure that the dib can do that as quickly and as easily as possible and so where do we go from here um so what is the bottom line microsoft is investing uh it's investing in the support of this infrastructure and the in the government and infrastructure to protect the government data they have gone above and beyond in my opinion on what they've done with things like the acceleration program and and the work that you've done richard and your team has done so i think that's great there are tools in this package that are 
being released all of these are tools that can be used there are no silver bullets here but it is a set of tools that can be used to help speed your way in to the platform help you secure the environment and do it in a way that maybe it cuts your time to deploy down a little bit um there's going to be more just like richard said coming out in 2021 obviously the placemats coming out there's there's new azure blueprints coming out and there's going and these products are going to continue to get revved as we go through the year and then you know toward the end of this year we're going to have the uh all of this the compliance manager being pushed into gcc high which everybody's going to be very excited to see i'm sure um it it is a an ongoing and maturing effort you know richard you know what would you say when we get to this time next year what would you say that this product is going to look like at that point yeah the way i think of the acceleration program is instead of it being a product in and of itself it's really a collection as you see of many different tools in fact it's been a a cross-team effort naturally i'm within azure global and most of the work that i would deliver with our teams are very specifically aligned with with azure infrastructure as a service and platform as a service right so we're working joining together uh with for example the office product group and the security product group and microsoft consulting services and various other uh organizations across microsoft to really pull together this collection of resources so you'll you'll find that as we continue to evolve this program into next year that uh especially as we get more clarity on how cmc level three will be assessed what you'll see is we'll continue to refine the reference architectures and especially the documentation that gets paired with it so by this time next year we should be able to say that we have uh for example a mini ssp that would be the configuration of your 
environment on the microsoft platform and uh that would be you know ultimately close this close the gap or be the what we like to cr try and call the easy button to help uh accelerate to getting through an assessment for cmc level three or the of course nets they are 171 a uh assessed as well for for registration sbrs um yeah yeah so that mean that is going to be a great help when you start talking about taking you know the configuration you know with this ssp output if you will and it's really an input is what it is it's an input into your actual ssp it's not going to be a case where you're going to be able to take that deliverable and turn that over to an assessor and say here's our ssp right it's an input into your overall organizational ssp for the uh for the system as it's scoped and so that's kind of brings us to the next slide i hear is what do you have to do beyond the program uh to continue to move toward either this data 171 deforest compliance or cmmc level 3 compliance the first thing is you still have to have that full sscp you've got to make sure that you are documenting everything that you have you know all the information about both your cloud environments your on-prem environments your endpoints all of that has to be documented in the ssp with the appropriate scope around it um you know when you're looking at migrating into these platforms there's still migration to deal with and endpoints to deal with so there's a lot that you have to do you know work that you have to do around that kind of that kind of project there's additional configuration going to be required for azure even if you lay down these blueprints like richard said you're going to have to you know close the gap between that 50 to 60 configuration and the actual fully compliant configuration that's going to meet all of your specific needs for features and infrastructure as you're deploying these things out the configuration for office 365 you know as richard said earlier the uh the 
compliance manager today is really a reporting tool um you know there is going to be a movement long term to to add in some configuration capability linking two configuration items and those kinds of things but you're still going to have to execute the configuration of the office 365 environment is that is that accurate richard it is and and you know there's i would say an opportunity for for microsoft and our partners to work to come together on for example templates for data protection policies that are reusable across multiple organizations so you'll find that there are components of office 365 where we can be able to have like uh community or or industry-led solutions especially for office 365 and protection of controlled unclassified information that's over prevention capabilities and so forth labeling capabilities but yeah the configuration for office 365 is manual at this point in time and and will take a community effort to really get to i'd say a consensus on how you would for example label cui effectively outside of office 365. 
okay great thank you so you know for the next point i have here is really about you know the full scope reporting against level three um you know there's a lot that has to be done process procedure um you know the maturity level processes all of those still have to be done um this is not going to provide that for you so um you know none of that the documentation outside of what eventually may happen with you know kind of the ssp output as an input to your ssp outside of that all of the other stuff is still going to have to be done um you know this acceleration program is not going to help you there um as as there's no way it could um and then you know the ongoing management reporting pieces um you know everybody and you know our customers you know right now everybody is really focused on getting this these platforms configured appropriately getting you know into the platform using the platform right off the bat but the ongoing management reporting of these infrastructures that's going to be the next hurdle that people have to to grapple with is okay i've gotten into the platform it's functional it's secured i've built it correctly i've i've built my ssp i got my procedures and policies now i have to do that day-to-day ongoing management of the environment and how are you going to do that do you do that in-house do you leverage an mssp do you leverage an msp to help you with that that is going to have to still be have to still be tackled right so what are we doing at summit 7 how are we going to leverage this specific product and or this capability this tool set we are going to fully integrate the acceleration program into all of our projects so um as we are revving our projects and we do go through constant revs of our projects uh for configuration as new products are deployed into the microsoft platform um as things change with configuration requirements and compliance requirements we'd rev those products and as part of that we're going to integrate this whole 
capability into that and what that might do is it might it is going to allow us to quit get to a configured environment uh potentially quicker which hopefully results in some cost savings for our customers long term um and but i think the biggest impact is going to be on deliverables uh because we're now going to be able to provide more detailed uh more rich deliverables based on the data that we're going to be able to pull out of the platforms using compliance manager um using potentially this ssp you know export capability for the configuration uh you know we do provide some of that today all of that today but it's not as automated and so it's a more manual process which obviously you know that should eventually end up you know bringing costs down of these projects and the timeline to deploy which is great and then you know beyond the configuration and implementation component this is going to help us dramatically on the managed services side for updates and reporting capabilities so we're going to be able to get a lot more information out of the tenants using these tool sets uh than we're able to get today you know from a security standpoint from a from a monitoring standpoint using defender and using azure security center very excited about what we're able to do uh with with the acceleration program uh and what's coming out of the acceleration program for uh the ongoing support pieces um so uh what are our next steps we're about out of time here i think we've got just a couple minutes left if you have questions please feel free to send email to cmmc to the cmmc email address there we have we have to continue the efforts that we have in place obviously the sprs november 30th deadline is out there everybody's trying to get everything ready for that november 30th deadline so continue on that path do what you're doing uh to to close whatever gaps you have left and get those reports done correctly uh for sprs be on the lookout for the continued updates for the cmx 
cmmc acceleration program they're going to continue to roll out over the next you know the next year additional capabilities coming out integrate those into your processes and procedures integrate those into your infrastructure and leverage the capability it's great capability that microsoft's providing and you should really take advantage of it don't forget about your on-premises and other cloud services configurations you know obviously if you're doing on-prem you're fully responsible for that you've got to do all of this you know kind of work there documenting it and such if you're in other cloud services um then you know you're going to have to get these same kinds of capabilities and those are the cloud services and so you've got to make sure that you're focused on that too um and then you know one of the last points i want to make is don't forget the policy and procedure piece of this okay there there are you know lots of people out there that can help you if you need help with documenting your policies and procedures uh getting those maturity level processes identified uh writing those up making sure that you're following them and it's more than just writing them up and and and having them on a shelf it's integrating them into your infrastructure integrating them into your way of doing business into the culture of your organization this is a sea change in how most organizations are managing data and so we have to drive all of these new processes and procedures into the fabric of the organization otherwise we're going to end up in in a situation where we're not actually doing the things that we need to do to maintain the environments once they get in place okay with that i think that's that's my last slide for today we're going to jump in and do a couple questions like i said we did get a lot of questions uh throughout throughout the presentation um but i want to get as many of these as we can and uh and sean you have some questions teed up for us uh yes 
let's see here let me make a comment really quick uh yeah go for it richard we've been noticing that we've had uh kickbacks for people emailing the cmmc at microsoft.com uh we i'm trying to service that on the back end to find out why that distribution group is uh currently broken if if you uh if if you are unable to get through on cmmc at microsoft.com i hope to have that resolved today uh you can all you can always reach out to me to my uh my email address is myfirstname.lastname at microsoft.com so richard.wakeman at microsoft.com and and uh you can use that in lieu of the cmc yeah you heard it here folks uh send as many emails as you can to richard.wakeman at microsoft.com all right so getting into some of these questions um i thought this was interesting richard um this one's gonna be for you do you think microsoft will offer a certification course of any kind uh in as a part of this acceleration program so there is a lot of discussion around readiness both for our partner community as well as even potentially and and looking at how even c-3po the the assessors would be cloud-ready for being able to understand how to score and understand reciprocity and everything on on the on the cloud service provider and that's not just specifically unique to microsoft uh you know there's that challenge i believe for for any assessor understanding uh how to how to go in and assess a you know a customer that's running in the cloud so the short answer is yes we have we have training that's coming out that will target for customers and partners here uh within by the end of this year uh and then we're also in discussions with for example the the cmnc accreditation body and what it would look like to uh to build training or to have supplementary training even for assessors and registered provider organizations all right awesome next question is what so many folks have asked okay november 30th that's looming i need to get through some of the dfar's requirements and some of the 
reporting requirement requirements uh for default 20 70 19 and 70 20. what are some things that companies can begin using now for gcc high yeah so you know if you look at uh gcc high being specifically the productivity suite you know we we have been working on and have of course uh materials that around how we demonstrate compliance for missed 800.71 there's the compliance manager with the assessment templates that will come to gcc high here in the next uh month or so so those those will become available uh in terms of looking at uh you know the the the full picture there's there are a number of those reference architectures that i mentioned that we're in currently in development of that will will extend out into 2021 so we'll we'll have more announcements as those evolve as part of the cmc acceleration program okay awesome let's see here from a licensing standpoint compliance manager currently limited to e5 subscriptions um is there a chance that some of the compliance manager features will eventually be a part of e3 um etc or an add-on situation yeah i i've been getting that question quite a bit i you know i'm an engineer i don't necessarily you know deal with licensing as much i will say this it's it's not a license and required per user in order to use the compliance manager right there needs to be a license for e5 to be able to enable that capability so the way that that i would typically rationalize it is that for you to you know have access to the compliance manager with the assessment templates that your administrators that would be using it would of course be licensed for e5 okay i think one of the last questions that we've gotten several different versions of it has a lot to do with your blog richard and that is as far as from platforms and how to choose which first question we'll keep it cmmc and then we'll go dfars and really cui requirements can you meet level three compliance and as you guys have continued to work towards uh the program and all the 
various pieces parts of the program can you meet cmmc level three requirements via the microsoft 365 commercial platform or within that version of the platform so you know in terms of looking at cmmc it is a set of practices especially in alignment with uh with this 800 171 that can you can demonstrate compliance with cmmc in any of the clouds right i mean that's why you even have like a requirement for you know dfar7012 it says federate moderate or equivalent right so what's the definition of that how would that be enforced by uh assessors uh you know i wrote a full article uh rationalizing some of this is based on you know an argument for protecting controlled and classified information there's no definition that's outlined in cmmc that would differentiate between for example cm sorry qe basic versus qa specified such as those that would be export control data right and and at the end of the day if you're looking at protecting controlled unclassified information to the higher water mark then naturally that would have to include export control data so that would be in itar if you were to look at becoming compliant with itar within the commercial side environment it is fully your scope of responsibility you will not get a contractual obligation from microsoft to protect itar data we will only provide that in our u.s sovereign cloud which is microsoft 365 gcc high and azure government where we know that all of our backend systems our continental united states conus networks are restricted to conus we've got only screened u.s persons in fact citizens that manage that environment so that's how we're able to get to the aisle five plus no foreign requirements and and have a contractual obligation for it so uh you know there's a lot of discussion have been around uh how to potentially protect itar data in the commercial side environment uh you know if you look if you use for example uh you know encryption maybe third-party encryption and and that it would be applied on 
for example documentation before it's stored in the cloud so it's opaque to the cloud service provider there may be a path for you to demonstrate compliance for itar and commercial but it's full your scope of responsibility right it's not something that that microsoft is going to give you a cookbook on how to become itar compliant in commercial right right all right well i think that more or less covers it and thank you so much for your time today and we look forward to seeing you next time
Info
Channel: Summit 7 Systems
Views: 1,522
Keywords: CMMC, Microsoft, Azure Government, Office 365 GCC High, CMMC Acceleration Program, DFARS, NIST, DoD, Government, Cloud, Defense, Cybersecurity, Microsoft 365 GCC High, Cloud Security, Microsoft Security, Microsoft Compliance, Microsoft Government, Summit 7
Id: wKJMxjw_-ew
Length: 67min 14sec (4034 seconds)
Published: Wed Nov 04 2020