MicrosoftDocs / microsoft-365-community

Microsoft 365 community contributed documentation https://docs.microsoft.com/microsoft-365/community/
MIT License

CMMC as a reference #195

Open DeanGross opened 4 years ago

DeanGross commented 4 years ago

The US Government recently released the Cybersecurity Maturity Model Certification (CMMC); see https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf. Are you envisioning any type of integration with that model?



sympmarc commented 4 years ago

Interesting. That's not a certification I've run across, as I don't really do government work. @sadalit, have you run into this one?

There are many of these maturity models out there now. If there is a benefit to folding concepts here into what we are doing, we're certainly game. @DeanGross - Are there specific ideas you would like to write about?

DeanGross commented 4 years ago

@sympmarc I would like to write about security and compliance maturity, identity protection (AAD), information protection (sensitivity labels), and threat protection (all of the ATPs and how they work together)

sympmarc commented 4 years ago

That sounds great, @DeanGross. We're close to rolling out articles for some of the first competencies: Communication and Collaboration.

So far, the competencies are shaking out like this: [image of the competency list]

I think security and compliance fits into the Administration competency (the fact that I hesitate makes me wonder).

Check out @helloitsliam's recent article Basic Security Set Up for Microsoft 365, which could inform the 100-200 levels, at least, as well as @veronicageek's Managing SharePoint Online Security: A Team Effort.

Here's my suggestion: why don't you write up at least an outline of your thoughts and do a PR? I like that we are reaching some critical mass around security topics!

p.s. This isn't my area, so if I'm seeing overlaps where there aren't any, my apologies.

@sadalit

helloitsliam commented 4 years ago

Interesting topics to cover and relevant for Security and Compliance. Mapping it to something like the CMMC would be much more complicated and honestly would be a smaller group that would get use from it, though I agree it would be interesting to write. Mapping the tooling such as Identity Protection, Information Protection and Threat Protection is needed. I think it should take the approach of why you would use them together, such as benefits of them together etc., not so much on the how, as there is already a ton of content about implementation. Though real-world approaches and discussions like that would work well. Look forward to seeing an outline of what you would like to write @DeanGross and then maybe we can work together, split up the topics and add more.

For me what is missing from most of the documentation is the why and the benefits for organizations to use the security features etc. Just my 2 cents :-)

sympmarc commented 4 years ago

@helloitsliam - There. You've given yourself another task: the WHY. :)

veronicageek commented 4 years ago

@sympmarc @helloitsliam - The WHY from a specific security add-on could be explained and benefits proven, because you need to spend more money. But hopefully, the WHY for general security like MFA, or locking down external sharing doesn't. Kind of a no brainer nowadays...

helloitsliam commented 4 years ago

Agreed @veronicageek. The basic things should by now be a given, especially with MSFT providing Security Defaults as On for all new tenants. The thought would be to almost come up with common use cases, and then map those to specific security capabilities, to explain how you would meet use case A, B or C. Def agreed, we don't need more documents on WHY you should use MFA etc.......even though a lot of conversations I still have is.....please please enable MFA :-)

sympmarc commented 4 years ago

<standing-back-and-enjoying-the-conversation/>

helloitsliam commented 4 years ago

The kind of questions I am thinking of, @veronicageek and @sympmarc:

How can we control when mobile devices can connect to Office 365 services?
What controls can we use to restrict mobile devices from connecting outside of approved locations?
Can I find and block sensitive information within my organization?
Can I automatically apply classification and security policies to content during authoring?
Can I disable external sharing of all content?
How do I ensure the intended recipient only opens the content sent to them?
Can I be notified of potential user malicious behavior such as mass file downloads?
How can I ensure my end user accounts are safe and secure from attacks?

Just some examples of questions (use cases) that could be answered, with the actual tools to use along with the why. On the right thought path?

sympmarc commented 4 years ago

Definitely. I like to use what I call my "Mom test". Would my Mom understand those questions? (She is VERY non-techie and knows I do this.) Or use that client we have, @helloitsliam: she doesn't know what the questions are to ask, much less what to do about them. I like the list above. A little wordsmithing:

How can we protect our content in the cloud?
How can we control when and which mobile devices can connect to Microsoft 365 services?
What controls can we use to restrict mobile devices from connecting outside of approved locations?
Can I find and block sensitive information such as credit card numbers or national ID numbers within my organization?
Can I automatically apply classification and security policies to content during authoring?
Can I disable external sharing of all content? (And what are the trade-offs?)
How do I ensure only the intended recipient receives and opens the content sent to them?
Can I be notified of potential malicious user behavior such as mass file downloads or deletes?
How can I ensure my end user accounts are safe and secure from attacks?
How can I best explain all of this to my end users so they understand why each is important?

eemancini commented 3 years ago

Hello @helloitsliam and @veronicageek, just checking in to see if you need any support on this article. Reading the questions you have outlined already have me excited to read it!

helloitsliam commented 3 years ago

> Hello @helloitsliam and @veronicageek, just checking in to see if you need any support on this article. Reading the questions you have outlined already have me excited to read it!

No support needed yet. Maybe I should start actually drafting the article :-)

Maybe we use these "wordsmith-ed" questions as the start, and structure it out. If you're excited about the questions, I am too ;-)