DoD Cybersecurity Maturity Model Certification (CMMC)
DoD is creating security controls for the Cybersecurity Maturity Model Certification, a certification that all federal contractor companies must obtain in the very near future. It will be nice to have the CMMC compliance requirements added as an assessment template.
Thanks for adding this feedback, Alan. I am shocked it has so few votes. Hopefully Microsoft adds CMMC to Compliance Manager before any change to DFARS is made. The fact that there are varying levels to CMMC (1-5) might be the reason we haven't seen it yet. Also, do you think this verbiage in Compliance Manager for the NIST 800-171 assessment might be adding another monkey wrench to the problem?
"Only Office 365 US Government plans Office 365 Government Cloud Community (Office 365 GCC) and Office 365 Government Cloud Community – High (Office 365 GCC-High) environments can be configured to become compliant with NIST 800-171. Assessments for NIST 800-171 are provided to all Office 365 customers as a way to provide exposure to additional security controls that may be of interest to them."
CMMC Level 3 "encompasses all of the security requirements specified in NIST SP 800-171"; therefore, it would be logical to assume that Office (Microsoft?) 365 can only become compliant with CMMC Levels 3-5 on the Office 365 GCC or Office 365 GCC-High environments, whereas Levels 1-2 might be able to become compliant on the commercial environment?
The rollout of CMMC has been a mess, so I can't really fault MSFT for not having this certification in Compliance Manager yet, but I hope it is sorted out soon.