Microsoft CMMC Acceleration Program Update – January 2021

by Contributed | Jan 8, 2021 | Technology

This article is contributed. See the original author and article here.

We are actively building out our program by developing resources for both partners and Defense Industrial Base (DIB) companies to leverage in their Cybersecurity Maturity Model Certification (CMMC) journey. These tools cannot guarantee a positive CMMC adjudication, but they may assist candidate organizations by improving their CMMC posture going into a formal CMMC review in accordance with CMMC Accreditation Body (AB) standards. While we plan to release resources and guidance in waves, please keep in mind we are dependent upon the CMMC AB finalizing the CMMC guidance itself.

Here is a summary of current resources to help get you started:

Microsoft Product Placemat for CMMC

The Microsoft Product Placemat for CMMC is an interactive view representing how Microsoft cloud products and services satisfy requirements for CMMC practices.  The user interface resembles a periodic table of CMMC Practice Families.  The default view illustrates the practices with Microsoft Coverage that are inherited from the underlying cloud platform.  It also depicts practices for Shared Coverage where the underlying cloud platform contributes coverage for specific practices but requires additional customer configuration to satisfy requirements for full coverage.  For each practice that aligns with Microsoft Coverage or Shared Coverage, verbal customer implementation guidance and practice implementation details are documented.  This enables you to drill down into each practice and discover details on inheritance and prescriptive guidance for actions to be taken by the customer to meet practice requirements in the shared scope of responsibility for compliance with CMMC.

In addition to the default view, you may select and include products, features and suite SKUs to adjust how each cloud product is placed with CMMC.  For example, you may select the Microsoft 365 E5 SKU for maximum coverage of CMMC where 18 of the CMMC practices are Microsoft Coverage and 74 practices are Shared Coverage.  This is extraordinary as nearly 80% of the practices for CMMC Level 3 have coverage leveraging the spectrum of capabilities on the Microsoft cloud with the E5 SKU!

The Microsoft Product Placemat for CMMC is currently in public preview.  You may download a copy at:

              https://aka.ms/cmmc/productplacemat

Please share feedback at https://aka.ms/cmmc/productplacematfeedback.

Azure Sentinel: Cloud-Native SIEM

See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.

• Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds


• Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft


• Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft


• Respond to incidents rapidly with built-in orchestration and automation of common tasks

Invest in security, not infrastructure setup and maintenance with the first cloud-native SIEM from a major cloud provider. Never again let a storage limit or a query limit prevent you from protecting your enterprise. Start using Azure Sentinel immediately, automatically scale to meet your organizational needs, and only pay for the resources you need.

For more information, please see https://azure.microsoft.com/en-us/services/azure-sentinel

Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

Azure Sentinel: CMMC Workbook

The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices.

Note:  The Azure Sentinel CMMC Workbook is currently in Private Preview and will release in a Public Preview in early February 2021.

Microsoft Compliance Manager with Assessment Templates

Compliance Manager

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager may help you throughout your compliance journey, from taking inventory of your apparent data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager helps simplify compliance and reduces risk by providing:

• Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs. 
  
  
  
  • The Assessment Templates include NIST SP 800-171 and projected requirements for CMMC Levels 1-5.
  
  
  • The Assessment Templates that are available to your organization depend on your licensing agreement. Review the details.  HINT:  You will need an E5 SKU.
  
  
  
  


• Workflow capabilities to help you efficiently complete your risk assessments through a single tool.


• Detailed step-by-step guidance on suggested improvement actions to help you comply with known CMMC standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.


• A projected risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

Your Compliance Manager dashboard shows your current projected CMMC compliance score, helps you see what needs attention, and guides you to key improvement actions. Below is an example of what your Compliance Manager dashboard will look like:

Please note,  the Compliance Manager dashboard is a projection of your organization’s CMMC compliance profile based on all available information to date—Microsoft is not an accrediting body under the CMMC, and thus cannot guarantee any outcome under the formal CMMC review process.

Understanding your compliance score

Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score helps you prioritize which actions to focus on to improve your overall compliance posture.

Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

Compliance Manager Availability in GCC and GCC High

The Compliance Manager is now available in all Microsoft 365 cloud offerings, including GCC and GCC High!

However, the Secure Score feature is still in preview within Commercial and GCC.  Secure Score will not release in GCC High until it becomes Generally Available.  As a result, automated testing does not work in GCC High.  GCC High customers will need to manually implement and test their improvement actions in the Compliance Manager.  For more information, please see Settings for automated testing and user history.

Azure Security Center with Azure Blueprints

Azure Security Center

Microsoft uses a wide variety of physical, infrastructure, and operational controls to help secure Azure, but there are additional actions you need to take to help safeguard your workloads. You may turn on the Azure Security Center to strengthen your cloud security posture:

• Assess and visualize the security state of your resources in Azure, on-premises, and in other clouds with Azure Secure Score;


• Simplify enterprise compliance and view your compliance against regulatory requirements such as NIST SP 800-171 and CMMC;


• Protect all your hybrid cloud workloads with Azure Defender, which is integrated with Security Center; and


• Use AI and automation to cut through false alarms, quickly identify threats, and streamline threat investigation.

You may assess the security state of all your cloud resources, including servers, storage, SQL, networks, applications, and workloads that are running in Azure, on-premises, and in other clouds. This includes the ability to visualize your security state and improve your security posture by using Azure Secure Score recommendations.  You may view your compliance against a wide variety of regulatory requirements or company security requirements by centrally managing security policies to perform ongoing assessment and get rich, actionable insights and reports to simplify compliance.

Note:  The Azure Security Center is available today in both Commercial and in Azure Government.

Azure Blueprints

Just as a blueprint allows an engineer or an architect to sketch a project’s design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

• Role Assignments


• Policy Assignments


• Azure Resource Manager templates (ARM templates)


• Resource Groups

The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and ARM template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package, including through a continuous integration and continuous delivery (CI/CD) pipeline. Ultimately, each is assigned to a subscription in a single operation that can be audited and tracked.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments. Azure Blueprints can also upgrade several subscriptions at once that are governed by the same blueprint.

Azure Policy and Blueprint Sample for CMMC Level 3

An Azure Policy and Blueprint allows organizations to easily establish compliant environments. Azure Policy is implemented via a centrally managed policy initiative that helps ensure cloud compliance, avoid misconfigurations, and practice consistent resource governance. An Azure blueprint simplifies large scale Azure deployments by packaging key artifacts such as policy initiatives, Azure Resource Manager (ARM) templates, and role-based access controls.

A new Azure policy initiative and blueprint sample for CMMC Level 3 are currently in development. The CMMC policy initiative builds upon the existing NIST SP 800-171 policy initiative/blueprint sample with the addition of 110 new policies. Any relevant new policies will be back-ported into the NIST SP 800-171 sample after the CMMC sample is finalized.

The CMMC policy initiative and blueprint sample is currently in Private Preview. It will transition to Public Preview in February 2021 with availability in both Azure Commercial and Government clouds.

Compliance Manager and the Azure Security Center

You may observe there are two different compliance tools depending on the use of Microsoft 365 or Microsoft Azure.  While there are currently two different tools, they are not mutually exclusive in use.  Holistic compliance with CMMC requires the use of both the Compliance Manager and the Azure Security Center.  You deploy the Compliance Manager with the Assessment Template for CMMC for coverage of Microsoft 365 products and features, such as Office 365 and Enterprise Mobility & Security.  Generally speaking, this includes coverage for most SaaS offerings.  You will also want to deploy the Azure Security Center with the Azure Blueprint sample for CMMC (roadmap) for coverage of Azure IaaS and PaaS offerings.  We are working on integration between the two tools along with integration with Azure Sentinel in the future roadmap.  In the meantime, you will need to leverage both panes of glass for CMMC compliance.

Zero Trust Architecture with Azure Blueprints

Zero Trust Architecture

Today, many of our customers in regulated industries are adopting a Zero Trust architecture – moving to a security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they’re located.

Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” In a Zero Trust model, every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. This approach aids the process of achieving compliance for industries that use NIST-based controls including the DIB and government.

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy, across three primary principles: (1) verify explicitly, (2) enforce least privilege access, and (3) assume breach.

Azure blueprint for the Azure Security Benchmark Foundation

We have developed a GitHub Repo for an Azure Blueprint sample enabling Configuration-as-Code for Azure subscriptions.  The Azure Blueprint for Azure Security Benchmark Foundation (formerly “Zero Trust”) enables application developers and security administrators to more easily create hardened environments for their application workloads. Essentially, the blueprint will help you implement Zero Trust controls across six foundational elements: identities, devices, applications, data, infrastructure, and networks.

Using the Azure Security Center and Azure Blueprints service, the blueprint sample will first configure your VNET to deny all network traffic by default, enabling you to extend it and/or set rules for selective traffic based on your business needs. In addition, the blueprint enforces and maintains Azure resource behaviors and configuration in compliance with specific NIST SP 800-53 security control requirements using Azure Policy.

The blueprint includes Azure Resource Manager templates to deploy and configure Azure resources such as Virtual Network, Network Security Groups, Azure Key Vault, Azure Monitor, Azure Security Center, and more. If you’re working with applications that need to comply with FedRAMP High or DoD Impact Level 4 requirements or just want to improve the security posture of your cloud deployment, the blueprint for Zero Trust is designed to help you get there faster.

The ASBF blueprint is currently in preview with limited support. To learn more and find instructions to deploy into Azure, see the ASBF repo. For more information, questions, and feedback, please contact us at ASBF feedback.

We are also working on updates in support of NIST SP 800-171 and CMMC for availability in the first half of calendar year 2021.

CMMC Documentation

CMMC Compliance Documentation

There are several artifacts we are working on for release this year 2021, to include:

• SSP: System Security Plan with customer scope of responsibility detailed


• CIS: Control Implementation Summary per environment (IaaS, PaaS and SaaS)


• SAR: Security Assessment Report from Microsoft’s C3PAO engagement


• Documented auditor observations based on pre-defined tenant configuration

Microsoft Cybersecurity Reference Architecture

The Microsoft Cybersecurity Reference Architecture (MCRA) describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures. We have seen this document used for several purposes by our customers to include:

• Starting template for a security architecture – The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premises, mobile devices, many clouds, and IoT / Operational Technology.


• Comparison reference for security capabilities – We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don’t know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.


• Learn about Microsoft capabilities – In presentation mode, each capability has a “ScreenTip” with a short description of each capability + a link to documentation on that capability to learn more.


• Learn about Microsoft’s integration investments – The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and within our own product capabilities among (e.g. Advanced Threat Protection, Conditional Access, and more).


• Learn about Cybersecurity – We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.

The Microsoft Cybersecurity Reference Architecture is available here. Additional training resources are available here.

An update will be released early this year 2021 to include the branding updates announced at Ignite 2020.  Most notably, the use of the Microsoft Defender branding will be incorporated in the update to MCRA.

Microsoft Blog Posts on CMMC

• Accelerating CMMC compliance for Microsoft cloud (in depth review)


• CMMC Blog Series
  
  
  
  1. Access Control Maturity
  
  
  2. Audit & Accountability Maturity
  
  
  3. Asset & Configuration Management Maturity
  
  
  4. Identification & Authentication Maturity
  
  
  5. Incident Response Maturity
  
  
  6. Maintenance & Media Protection Maturity
  
  
  7. Recovery & Risk Management Maturity
  
  
  8. Security Assessment & Situational Awareness Maturity
  
  
  9. System & Communications Protection Maturity
  
  
  10. System & Information Integrity Maturity
  
  
  
  

Program Scaffolding for Managed Service Providers

Behind the scenes, we are actively working with our partner community, and in particular the Managed Service Providers (MSP), to deliver scaffolding in the construction of CMMC offerings.  The CMMC Acceleration Program is comprised of many different components as described above, and several that are yet unannounced.  The intent is to provide building blocks, or what we call “scaffolding”, to our partners in support of their CMMC offers.  Our partners will be enabled in our partner marketplace with advance specializations for CMMC and their concentration on the Defense Industrial Base.  In alignment with the commitments made in our original CMMC Announcement, our MSP partners will implement reference architectures and compliance solutions for CMMC.

Into the Future

Microsoft is actively engaged with customers, partners, the CMMC Accreditation Body, and multiple industry working groups to refine what resources we should develop and make available as part of the CMMC Acceleration Program.  We have many grand ideas, and welcome to feedback from the community at large.  Please fill out this short survey to join our CMMC feedback loop if you are interested in learning more about the program.

For general comments on the CMMC Acceleration Program: Contact Us

Appendix

Please follow me here and on LinkedIn. Here are my additional blog articles:

Using Azure DevOps to deploy an application on AKS Private Cluster in Azure US Government

by Contributed | Jan 8, 2021 | Technology

This article is contributed. See the original author and article here.

Overview

This article details building and deploying a container to an Azure Kubernetes Service(AKS) cluster in Azure Government cloud using Azure DevOps.

Private AKS Clusters has the API Server accessible only within the virtual network. This limits the deployments from Hosted Azure DevOps agents. To overcome this, a self-hosted agent within the same virtual network needs to be deployed.

Access to Azure Container Registry (ACR) can be restricted to the virtual network using Private Endpoints. This will limit ACR exposure to public internet. Since private ACR is available only within the vnet, self-hosted devops agents comes to the rescue.

Lastly, to ensure that Azure Pipelines can deploy to Azure Government Clouds, Azure Resource Manager Service Connection should be created with an Environment parameter.

Setup

The following steps replicates the above setup. The setup has 3 subnets with the following components

• Azure Container Registry Private Endpoint


• Azure DevOps self hosted agent


• Azure Kubernetes Service

Network setup

Create a Virtual Network and add 3 subnets.

Use the below values for reference:

Address Space: 10.0.0.0/16

az group create --name gov-devops --location usgovtexas

az network vnet create 
  --name gov-devops-vnet 
  --resource-group gov-devops 
  --subnet-name default
  
az network vnet subnet create 
  --address-prefixes 10.0.1.0/24
  --name acr-snt 
  --resource-group gov-devops 
  --vnet-name gov-devops-vnet
  
az network vnet subnet create 
  --address-prefixes 10.0.2.0/24
  --name devops-snt 
  --resource-group gov-devops 
  --vnet-name gov-devops-vnet
  
az network vnet subnet create 
  --address-prefixes 10.0.4.0/22
  --name aks-snt 
  --resource-group gov-devops 
  --vnet-name gov-devops-vnet

Create ACR

Create a Container Registry in the premium tier (required for private link)

az acr create --resource-group gov-devops 
  --name mygovacr --sku Premium

Create the registry’s private endpoint in the acr-snt subnet

az network vnet subnet update 
 --name acr-snt 
 --vnet-name gov-devops-vnet 
 --resource-group gov-devops 
 --disable-private-endpoint-network-policies
 
az network private-dns zone create 
  --resource-group gov-devops 
  --name "privatelink.azurecr.io"
  
az network private-dns link vnet create 
  --resource-group gov-devops 
  --zone-name "privatelink.azurecr.io" 
  --name govdns 
  --virtual-network gov-devops-vnet 
  --registration-enabled false
  
REGISTRY_ID=$(az acr show --name mygovacr 
  --query 'id' --output tsv)

az network private-endpoint create 
    --name myPrivateEndpoint 
    --resource-group gov-devops 
    --vnet-name gov-devops-vnet 
    --subnet acr-snt 
    --private-connection-resource-id $REGISTRY_ID 
    --group-id registry 
    --connection-name myConnection

NETWORK_INTERFACE_ID=$(az network private-endpoint show 
  --name myPrivateEndpoint 
  --resource-group gov-devops 
  --query 'networkInterfaces[0].id' 
  --output tsv)
  
PRIVATE_IP=$(az resource show 
  --ids $NETWORK_INTERFACE_ID 
  --api-version 2019-04-01 
  --query 'properties.ipConfigurations[1].properties.privateIPAddress' 
  --output tsv)

DATA_ENDPOINT_PRIVATE_IP=$(az resource show 
  --ids $NETWORK_INTERFACE_ID 
  --api-version 2019-04-01 
  --query 'properties.ipConfigurations[0].properties.privateIPAddress' 
  --output tsv)
  
az network private-dns record-set a create 
  --name mygovacr 
  --zone-name privatelink.azurecr.io 
  --resource-group gov-devops

# Specify registry region in data endpoint name
az network private-dns record-set a create 
  --name mygovacr.usgovtexas.data 
  --zone-name privatelink.azurecr.io 
  --resource-group gov-devops
  
az network private-dns record-set a add-record 
  --record-set-name mygovacr 
  --zone-name privatelink.azurecr.io 
  --resource-group gov-devops 
  --ipv4-address $PRIVATE_IP

# Specify registry region in data endpoint name
az network private-dns record-set a add-record 
  --record-set-name mygovacr.usgovtexas.data 
  --zone-name privatelink.azurecr.io 
  --resource-group gov-devops 
  --ipv4-address $DATA_ENDPOINT_PRIVATE_IP
  
az acr update --name mygovacr --public-network-enabled false

Choose one of the below authentication methods to perform docker login from the DevOps pipelines

• Admin Account


• Service Prinicpal

az acr update -n mygovacr --admin-enabled true

Note the admin username and password from the ACR Access Keys blade in the portal

Create AKS

Create a private AKS cluster in the aks-snt subnet

Integrate ACR with AKS or create a pull secret

kubectl create secret docker-registry regcred 
  --docker-server=<your-registry-server> 
  --docker-username=<your-name> 
  --docker-password=<your-pword> 
  --docker-email=<your-email>

Create a VM and deploy DevOps agent

Create a Linux VM in devops-snt subnet to host the DevOps agent.

az vm create 
  --resource-group gov-devops 
  --name devopsagent 
  --image UbuntuLTS 
  --admin-username azureuser 
  --generate-ssh-keys 
  --subnet devops-snt 
  --vnet-name gov-devops-vnet

Note the publicIpAddress from the output

Deploy the DevOps agent on the VM

• Generate a PAT token


• Create an Agent Pool
  
  
  
  • Click Add Pool
  
  
  • Select New
  
  
  • Select pool Type as Self-hosted
  
  
  • Enter a name as govpool
  
  
  • Select New Agent -> Linux
  
  
  
  


• Copy the Agent Download link


• Deploy the agent on the VM

ssh azureuser@publicIpAddress

curl -O <<url copied above>
mkdir myagent && cd myagent
tar zxvf ../{tar file name}

./config.sh
sudo ./svc.sh install
sudo ./svc.sh start

Install docker, az cli and kubectl

sudo apt -y update
sudo apt -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker $USER
newgrp docker

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo az aks install-cli

Create the pipeline

Create Service Connections

From Azure DevOps, create a Docker Registry Service Connection

• Navigate to Project Settings


• Click New Service Connection


• Select Docker Registry


• Select Registry Type as Others


• Provide the below details:
  
  
  
  • Docker Registry: { ACR url eg: https://mygovacr.azurecr.us }
  
  
  • Docker ID: { admin username or Service principal App ID }
  
  
  • Docker Password: { admin password or service principal secret }
  
  
  • Service Connection name: { Connection name }
  
  
  
  

To run kubectl task against the AKS cluster, Create Service Principal and grant contributor access to the resource group

From Azure DevOps, create an Azure Resource Manager Service Connection

• Navigate to Project Settings


• Click New Service Connection


• Select Azure Resource Manager


• Select Service Principal (manual)


• Provide the below details:
  
  
  
  • Environment: Azure US Government
  
  
  • Subscription Id: { Gov Subscription ID }
  
  
  • Subscription Name: { Gov Subscription Name }
  
  
  • Service Principal Id: { Create Service Principal using Portal or PowerShell }
  
  
  • Credential: Service Principal key: { Secret of the Service Principal }
  
  
  • Tenant Id: { Gov Tenant ID }
  
  
  • Service Connection name: { Connection name }
  
  
  
  

Create pipeline

• Fork the sample repo


• Copy the contents below to a deploy.yaml file in the repo (Remove imagePullSecrets if ACR integrated with AKS)

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: mygovacr.azurecr.us/nginx-echo-headers:latest
  imagePullSecrets:
  - name: regcred

• Navigate to the project in Azure DevOps


• Go to Pipelines, and then select New Pipeline


• Select GitHub as the location of your source code and select your repository


• Select Starter pipeline


• Replace the contents of the yaml in the Review tab

trigger:
- master

pool:
  name: 'govpool'

steps:
- task: Docker@2
  inputs:
    containerRegistry: '{Docker Registry Service Connection Name}'
    repository: 'nginx-echo-headers'
    command: 'buildAndPush'
    Dockerfile: 'Dockerfile'
    tags: 'latest'
- task: Kubernetes@1
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscriptionEndpoint: '{Azure Resource Manager Service Connection Name}'
    azureResourceGroup: 'gov-devops'
    kubernetesCluster: '{aks cluster name}'
    command: 'apply'
    arguments: '-f deploy.yaml'

Summary

The setup facilitates secure deployments to private ACR/AKS on Azure Government Cloud using Pipelines.