Microsoft announced the CMMC Acceleration Program in April 2020 to arm the Defense Industrial Base (DIB) with information and enablement services for compliance with the Cybersecurity Maturity Model Certification (CMMC) set of practices.
“The defense industry is looking to Microsoft for leadership in assisting the DIB to secure the supply chain. Our cloud technologies and compliance solutions available provide a major step forward. By working with the DIB community of customers and partners, we are developing solutions for CMMC leveraging the comprehensive capabilities of the cloud. In particular, our CMMC Acceleration Program is being developed with and for partners to deliver end-to-end compliant solutions,” said Richard Wakeman, Senior Director of Aerospace & Defense with Microsoft Azure Global.
The Aerospace and Defense organizational unit of Microsoft announced an update this month providing greater detail on the program and an updated vision and timeline. Before the latest update, Microsoft created a series of educational materials for CMMC compliance and best practices information pertaining to Microsoft 365 GCC High and Azure Government.
Additionally, Microsoft has actively met with regulatory council, stakeholders, and special advisors from industry like Summit 7 Systems (Summit 7), a national leader for Cybersecurity and Compliance Solutions for the Aerospace and Defense industry, to build out a knowledge base for DIB companies. Scott Edwards, President of Summit 7, commented on the recent update and shared, “Microsoft has and continues to be out in front with reference documentation for meeting CMMC and DFARS requirements, but now that transition to Microsoft 365 GCC High and Azure Government will be streamlined for greater ease and adoption.”
The reinvigorated CMMC Acceleration Program includes learning resources and tools to identify and report proper security configurations within respective Microsoft environments for meeting applicable compliance requirements.
Microsoft intends to release several artifacts by the end of 2020: Microsoft Product Placemat for CMMC, Control Implementation Summary, and Azure blueprint for CMMC Level 3. Additional tools are expected to become generally available in 2021 – such as the Microsoft Compliance Manager for GCC High, System Security Plan (SSP) covering Microsoft and customer responsibilities, and scripted architecture for Managed Service Providers (MSP).
Edwards added, “We are excited to work with the industry in creating and using some of these tools to speed up the path to compliance and provide additional cost savings when transitioning to Microsoft 365 Government.”
It is important to note that many of the Program resources are samples and require additional revision or policies to match a company’s full security landscape and environment. Moreover, Microsoft explicitly states that these resources do not equate to compliance or a successful CMMC assessment.
About Microsoft 365 GCC High
Microsoft 365 GCC High is built on Microsoft Azure Government within dedicated US-sovereign data centers. Azure Government is currently certified to FedRAMP High, as is the entire suite of GCC High services hosted in Azure Government. Many DoD contractors choose GCC High and Azure Government because the infrastructure is managed by background-checked US persons and because Microsoft attests to meeting DFARS flowdown clauses and reporting requirements for regulatory compliance.
About Summit 7 Systems
Summit 7 Systems is a national leader in cybersecurity and compliance for the Aerospace and Defense industry and corporate enterprises. Summit 7 won the 2020 Microsoft US Partner Award in Security and Compliance for its Microsoft Cloud solutions regarding CMMC, DFARS, NIST 800-171, ITAR, and CUI. Summit 7 Systems is privately held and headquartered in Huntsville, Alabama.