This article is contributed. See the original author and article here.
We are excited to announce that Microsoft Compliance Manager is generally available in Microsoft 365 Government GCC and GCC High environments and will soon be released in the DoD environment (track status here). Microsoft Compliance Manager helps government customers prioritize and take risk-informed actions that can help manage compliance. Compliance Manager simplifies compliance and helps government agencies and contractors reduce risk by translating complex regulatory requirements into specific controls, actionable recommendations, and a quantifiable measure of compliance through compliance score.
Compliance Manager offers intuitive compliance management, a vast library of scalable assessments and built-in capabilities. To ensure GCC, GCC High and DoD customers get the most value from Compliance Manager, the Cybersecurity Maturity Model Certification (CMMC) assessment templates for Levels 1 through 5 are included with G5 licensing. In addition, we are excited to inform you that Microsoft Compliance Configuration Analyzer (MCCA) is available in GCC and GCC High environments. MCCA provides additional reporting capabilities for your improvement actions.
The complexity of regulations makes it challenging for government organizations, contractors and IT administrators to know what specific actions they can take to meet their compliance requirements. Compliance Manager helps solve this problem, while providing easy guided onboarding and supporting twenty-four languages.
With a simple design that works out of the box, IT admins and compliance/audit officers can quickly collaborate to address compliance. With Compliance Manager, organizations can quickly identify and track the implementation of tenant-specific compliance actions against frameworks such as CMMC and NIST 800-53.
Frequently we’ve heard government agencies and contractors discuss the complexity of mapping all technical controls to a governance, risk and compliance (GRC) or homegrown compliance management tool. In many instances, an Excel spreadsheet is used to help track compliance, which can be daunting and still not provide clarity on recommended actions or next steps.
Compliance Manager offers a vast library of 325+ premium and included assessment templates, including those most important to your organization such as FedRAMP High, FedRAMP Moderate, DFARS, CJIS, and Cybersecurity Maturity Model Certification (CMMC) Levels 1-5. Through assessment templates, Compliance Manager recommends hundreds of improvement actions for your agency and/or contractors to implement (see Figure 1: Compliance Manager assessment templates).
Figure 1: Compliance Manager Assessment templates
With Compliance Manager you can readily track compliance of any new application. You can import data from Excel, for example, into Compliance Manager and not lose your compliance tracking status.
Translating regulatory requirements into specific actions and controls can be challenging and many government organizations sometimes lack the adequate resources to do this accurately. Point-in-time assessments (e.g., for quarterly/semi-annual/annual audits) also mean that organizations tend to have ‘blind spots’ between these assessment windows. To help you with these challenges, Compliance Manager comes with built-in capabilities such as:
Compliance score: With compliance score, you get a clear quantified assessment of compliance (Figure 2 below). You can also obtain your compliance score for a specific regulation or standard (e.g., NIST 800-53) or for a specific category (e.g., ‘Protect information’).
Figure 2: Compliance score in Compliance Manager provides a risk-based score
Control mapping: With more than 220 updates every day from 1,000 regulatory bodies around the world, it’s overwhelming for organizations to keep up to date with the evolving compliance landscape. Efficiency in achieving compliance and prioritizing actions to meet multiple regulations and standards is a must-have for organizations but is challenging. At Microsoft, we have a team of subject matter experts building and maintaining a common control framework to scale our compliance effort. We are sharing this knowledge by building it into Compliance Manager so you can scale your compliance program across global, industrial, and regional regulations and standards. With the built-in control mapping in Compliance Manager, when you implement one common control, the status and the evidence of the control will be automatically synchronized to the same control in other assessments, helping you reduce duplicative work.
Continuous regulatory updates: All Compliance Manager assessments are kept up to date with evolving regulations and standards. You will see updates to the assessments you are using and you control when you accept these updates, helping your compliance program stay current.
Continuous assessments: Available now in GCC and in spring 2021 for GCC High, Compliance Manager scans your environment and detects your system settings, automatically updating the status of some of your technical controls. For example, if you have configured multi-factor authentication in the Azure Active Directory (AAD) portal, Compliance Manager can detect the setting and reflect it in the control details. Conversely, if you haven’t configured multi-factor authentication, Compliance Manager can flag that as a recommended action for you to take. We expect to extend this capability of automatic updates to additional controls in the future. With ongoing control assessment, you can begin to proactively maintain compliance instead of reactively fixing settings following an audit.
Extended capability with Microsoft Compliance Configuration Analyzer (MCCA) preview
The MCCA solution (in preview) is available in GCC as well as GCC High environments. MCCA can help you quickly see improvement actions from Microsoft Data Protection Baseline, a default assessment available in Compliance Manager, to apply to your current Microsoft 365 environment. MCCA is a PowerShell-based utility that will retrieve your organization’s current configurations, validate them against Microsoft 365 recommended best practices, and provide an overview report with compliance posture improvement actions that your organization can take in Compliance Manager.
MCCA offers three report types:
- Geolocation-based reporting to assess sensitive information types (SITs) that align with your country or region.
- Role-based reporting to show which roles within your organization may not be able to run the tool, or to provide insight into access limitations on certain information in the final report.
- Solutions summary (see Figure 3 below) provides color-coded improvement actions broken down into three status states:
  - OK: actions that meet recommended conditions and need no attention at this time
  - Improvement: actions that need attention
  - Recommendation: actions that don’t need attention, but for which we recommend best practices
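To make the MCCA workflow concrete, here is an added example of the commands an administrator would type in a PowerShell session to produce the report for a GCC High tenant. This is not code from the post or from the MCCA project itself: the module name MCCAPreview, the Get-MCCAReport cmdlet and its -ExchangeEnvironmentName and -Geo parameters are assumed from the MCCA preview module's published usage and are not stated on this page, so confirm them with Get-Help before relying on them.

```powershell
# Added example: generating an MCCA report for a GCC High tenant.
# Assumed (not stated in the post): module MCCAPreview, cmdlet Get-MCCAReport,
# parameters -ExchangeEnvironmentName and -Geo. Verify with:
#   Get-Help Get-MCCAReport -Full

# 1. Install the preview module for the current user (no admin rights needed).
Install-Module -Name MCCAPreview -Scope CurrentUser

# 2. Pick the geolocation code for your region. The numeric codes are listed
#    in the cmdlet's help; the value here is a placeholder, not a real mapping.
$regionCode = 0   # PLACEHOLDER: replace with your region's code from Get-Help

# 3. Run the assessment. -ExchangeEnvironmentName points the underlying
#    Exchange Online / Security & Compliance connection at the GCC High
#    endpoints rather than the commercial cloud; for a GCC tenant the
#    parameter is omitted. -Geo drives the geolocation-based SIT reporting
#    described above.
Get-MCCAReport -ExchangeEnvironmentName O365USGovGCCHigh -Geo @($regionCode)

# 4. The cmdlet writes an HTML report and opens it. Triage in this order:
#    Improvement (needs attention), then Recommendation (best practice),
#    and record the corresponding improvement actions in Compliance Manager
#    so the work is tracked against the Data Protection Baseline assessment.
```

Run the sequence from an account that holds the roles MCCA needs to read the tenant configuration; the role-based report will show which parts of the output were unavailable to a less-privileged account.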
Figure 3: MCCA report summary screen
Get started today
Compliance Manager is a powerful solution to help you simplify compliance and reduce risk.
After assigning the appropriate permissions in Azure AD, administrators and compliance professionals can start using Compliance Manager by visiting the Compliance Portal (GCC – https://compliance.microsoft.com; GCC High at https://compliance.microsoft.us). If you already have a Microsoft 365 G5 or Office 365 G5 subscription, you can get started on your data protection journey by leveraging the default Microsoft Data Protection Baseline assessment, which draws elements and sets of controls from key regulations and standards for data protection and general data governance.
Included assessment templates such as NIST 800-53 and CMMC Levels 1-5 are available to Microsoft 365 G5, Microsoft 365 G5 Compliance and Office 365 G5 subscribers at no additional cost. Beyond the included templates, Compliance Manager also offers a vast library of premium assessment templates from which you can select other assessments as needed (additional licensing required).
- Watch this video to learn how to get started right away and watch these videos for further details.
- Learn more about how to work with Compliance Manager here.
- Visit the Virtual Hub to learn more about Microsoft Compliance and access technical training.
- Read the latest Compliance Manager blog here announcing new capabilities and assessment templates that will be available in GCC and GCC High environments in the coming months and will help government organizations and contractors increase regulation visibility, further enrich the user experience, and save valuable time.
We look forward to hearing your feedback; stay tuned for additional innovation in Compliance Manager.
As the advanced compliance specialist for Microsoft 365 compliance solutions, you can connect with me here. Check out other Microsoft 365 compliance resources for US government.
- Microsoft CMMC Acceleration Program Update – January 2021
- Using Advanced Audit for your forensic investigation capability
- Advanced eDiscovery demo for Gov cloud (video)
- Enhanced regulatory, legal and forensic investigation capabilities now in the Government Cloud
- Microsoft 365 Public Roadmap link to check status on upcoming Microsoft 365 compliance solution features
- Microsoft 365 Roadmap: Microsoft 365 compliance solutions
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.