Today we’re going to share with you some new guidance for configuring Azure Active Directory (Azure AD) to meet the Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 requirements.
Identity continues to be the most common way bad actors get through cyber defenses. Therefore, identity controls are one of the most fundamental aspects of CMMC and this post is going to focus on Azure AD as a way of meeting CMMC’s identity requirements.
Azure AD is Microsoft’s cloud-based identity and access management service that helps your employees sign in and access resources in your organization. Azure AD also provides a range of security features that can help you protect your identity data and meet the CMMC requirements related to identity and access management.
We’re excited to share new our new guidance for configuring Azure AD to meet CMMC Level 1 and Level 2. This guidance is part of our larger series of identity focused compliance guidance we have created. Guidance may differ slightly in some areas based on the CMMC level of maturity required for your organization.
CMMC Level 1 requires organizations to perform basic cyber hygiene practices to protect Federal Contract Information (FCI), which is any information provided by or generated for the DoD that is not intended for public release.
In CMMC Level 1, there are 3 domains that have one or more practices related to identity:
- Access Control (AC)
- Identification and Authentication (IA)
- System and Information integrity (SI)
CMMC Level 2 is the intermediate level of cybersecurity that requires you to establish and document 72 practices across 13 domains. These practices are intended to protect Controlled Unclassified Information (CUI), which is any information that requires safeguarding or dissemination controls pursuant to federal law or regulation. The 13 domains that have one or more practices related to identity are:
- Access Control
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Our CMMC identity guidance is designed to be consumed by both administrators and auditors, and to highlight how Azure AD features can be configured to meet CMMC requirements. A good starting point is our comprehensive Azure compliance documentation landing page that enables a deeper dive into multiple guidelines/regulations for configuring your Microsoft platform to demonstrate compliance. In combination with our Zero Trust Guidance Center, our comprehensive set of security guidance enables you to make the right decisions for your environment to both meet regulatory audit requirements while accelerating your Zero Trust journey.
In addition to the Cybersecurity Maturity Model Certification (CMMC) Levels 1 and 2 required by the Defense Industrial Base to compete for US government contracts, our set of Azure AD compliance documentation includes the following:
- National Institute of Standards and Technology (NIST) authenticator assurance levels (AALs) 1, 2, and 3
- In this guidance we map authentication methods in Azure AD to NIST terminology and describe why you may want to use even more secure methods than required by standard
- Federal Risk and Authorization Management Program (FedRAMP) High Impact level
- Required by cloud service providers that provide service to government customers, this guidance describes the identity requirements for using Azure AD, including what is Microsoft’s responsibility, what is shared, what is the customers responsibility.
- Executive Order on Improving the Nation’s Cybersecurity and diving into Memorandum 22-09 identity requirements.
We approach our guidance holistically, for each control and its applicability to identity. We developed prescriptive guidance to help you understand the Azure AD features and configurations needed to meet the requirement. We briefly describe what must be demonstrated and provide links to detailed guidance to make changes. For example, in the following guidance from our CMMC Level 1 Access Control guidance, we include CMMC AC.L1-3.1.1, provide the verbatim practice statement and objectives from CMMC, and then provide specific guidance and recommendations on using Azure AD to meet the requirements. Our guidance for each identity related CMMC practice is structured in this way.
Additionally, in case you missed it, we want to highlight new features released that increase your security posture, specifically:
- Conditional Access – Authentication Strength: Use built-in strengths or a custom authentication strength in your conditional access policies to restrict external access to the most sensitive applications and data in your organization
- Passwordless authentication: Increase security and reduce user complexity by enabling phishing resistant multi-factor authentication with passwordless forms of authentication
- Cross-tenant access settings: Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and B2B direct connect. These settings let you trust multi-factor authentication (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
- Microsoft Cloud Settings for B2B collaboration: When Azure AD organizations in separate Microsoft Azure clouds need to collaborate, they can use Microsoft cloud settings to enable Azure AD B2B collaboration.
We hope you find these features and guidance helpful in enabling you to comply with CMMC. We would love your feedback on this identity focused guidance as it relates to your need to comply with your compliance requirements. Please send your thoughts/feedback to IdentityCompliance@microsoft.com and let us know so that we can get better at helping you comply with guidelines/requirements with Azure AD.
