Since announcing availability for the commercial cloud in February 2018 and adding further regulations, including NIST 800-171, Microsoft’s Compliance Manager is now one of the easiest and surest ways to start your compliance journey. It is also a resource baked into Office 365. [From Microsoft’s latest press release] According to the Cost of Compliance 2017 report from Thomson Reuters, 32 percent of companies spend more than 4 hours per week creating and amending audit reports. Collecting evidence and demonstrating effective control implementation for auditing activities is very time-consuming.
Compliance Manager Under the Hood
To begin, you must have an Office 365 tenant (Commercial or GCC; not currently available in GCC High). By default, the Compliance Manager is accessible to all users in the tenant unless you elect to close off access to this data, which may be advisable in order to comply with control families 3.1 (Access Control) and 3.3 (Audit and Accountability) regarding access to security-relevant and audit-related information. To access the Compliance Manager, use the following URL:
From there, you will see a dashboard similar to the following:
At first glance, there are several things to notice. Each compliance area (a corresponding environment and regulation) has information on when it was created by someone in your organization and when the last action was taken to meet a customer managed action – which can be assigned to individuals in your tenant. Being able to assign compliance related tasks to individuals within your tenant is a major advantage, especially if your company outsources some of your compliance efforts to a knowledgeable Managed Service Provider (MSP).
Speaking of Managed Actions, you will quickly realize that all Microsoft Managed Actions are at 100% because Microsoft bakes certain compliant elements into the respective environments. This is their way of saying, “we’ve done our part – now you go do yours.” For this reason, it is important to know that simply acquiring a secure, FedRAMP-approved environment does not make you NIST 800-171/DFARS compliant. There’s work to be done.
The Compliance Score shown is, according to Microsoft, “… a risk-based score that is calculated on Assessment activity. It looks at whether each assessed control is Preventive, Detective, or Corrective and whether it is Mandatory or Discretionary, it considers the impact of control failure on the confidentiality, integrity, and availability of data, and it factors in the legal and regulatory risks arising from control failure.” Most laypeople will not be concerned with achieving a perfect score, but it can be done by taking action and actively updating each compliance area. Microsoft has compiled a relatively handy FAQ section that can answer most of your questions about scoring and other related topics.
Now let’s get to NIST 800-171. Click on the “+ Add Assessment” prompt on the dashboard, and begin the process of creating a NIST 800-171 Compliance Assessment.
Once created, you will see a set of dropdowns, and the most important one is the section listed as “Customer Managed Controls”. Only eight of the fourteen control families are addressed, and of those eight, only a select set of controls is included. Most notably, Configuration Management and Physical Protection are not addressed at all. These omissions also extend into the families that are included: within Incident Response, only 3.6.1 is addressed, with no mention of 3.6.2 and 3.6.3. Therefore, it is important to remember that, helpful as it is, this tool is not a replacement for your Plan of Action & Milestones (POA&M) and System Security Plan (SSP).
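Because the assessment covers only a subset of the catalog, the gap between what the tool tracks and what NIST 800-171 requires has to be carried in the POA&M and SSP by hand. The script below is an added example (not code from the original post, from Microsoft, or from Summit 7) that computes that gap: it loads the fourteen real control families, a constructed subset of the control catalog, and a constructed sample of the controls an assessment lists (encoding only what the post states: 3.6.1 present, 3.6.2 and 3.6.3 absent, no Configuration Management or Physical Protection controls), then reports per-family coverage, families the assessment does not address, controls needing POA&M entries, and assessed identifiers that do not exist in the catalog (typos or a mismatched revision). The catalog subset and the assessed set are assumptions; replace them with a full control list and the export from your own tenant.

```python
"""Coverage gap between a tool-based assessment and the NIST 800-171 catalog.

Added example; the catalog subset and the assessed control set below are
constructed sample data, not an export from a real Compliance Manager tenant.
"""
from collections import defaultdict

# The 14 control families of NIST SP 800-171 (Rev. 1). These identifiers are real.
NIST_800_171_FAMILIES = {
    "3.1": "Access Control",
    "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability",
    "3.4": "Configuration Management",
    "3.5": "Identification and Authentication",
    "3.6": "Incident Response",
    "3.7": "Maintenance",
    "3.8": "Media Protection",
    "3.9": "Personnel Security",
    "3.10": "Physical Protection",
    "3.11": "Risk Assessment",
    "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

# Constructed sample: a small subset of the 110 controls, with short titles.
# A real run would load the full catalog (e.g. from a CSV). Control ids are
# real NIST 800-171 identifiers; limiting the catalog to these is the assumption.
SAMPLE_CATALOG = {
    "3.1.1": "Limit system access to authorized users",
    "3.1.2": "Limit system access to permitted transactions and functions",
    "3.3.1": "Create and retain system audit logs and records",
    "3.4.1": "Establish and maintain baseline configurations",
    "3.6.1": "Establish an operational incident-handling capability",
    "3.6.2": "Track, document, and report incidents",
    "3.6.3": "Test the organizational incident response capability",
    "3.10.1": "Limit physical access to systems and equipment",
}

# Constructed sample of the controls an assessment lists as Customer Managed.
# It encodes only what the post states: 3.6.1 present, 3.6.2/3.6.3 absent,
# and no Configuration Management (3.4) or Physical Protection (3.10) controls.
SAMPLE_ASSESSMENT_CONTROLS = {"3.1.1", "3.1.2", "3.3.1", "3.6.1"}


def control_key(control_id):
    """Numeric sort key so '3.10.1' sorts after '3.6.1' rather than before it."""
    return tuple(int(part) for part in control_id.split("."))


def family_of(control_id):
    """'3.6.2' -> '3.6'."""
    return ".".join(control_id.split(".")[:2])


def coverage_by_family(catalog, assessed):
    """Map family id -> (assessed controls, total controls) over the catalog."""
    counts = defaultdict(lambda: [0, 0])
    for cid in catalog:
        fam = family_of(cid)
        counts[fam][1] += 1
        if cid in assessed:
            counts[fam][0] += 1
    return {fam: tuple(c) for fam, c in counts.items()}


def families_not_addressed(catalog, assessed):
    """Families present in the catalog for which the assessment tracks nothing."""
    cov = coverage_by_family(catalog, assessed)
    return sorted((f for f, (hit, _) in cov.items() if hit == 0), key=control_key)


def poam_candidates(catalog, assessed):
    """Catalog controls the assessment does not track; each needs a POA&M/SSP entry."""
    return sorted((c for c in catalog if c not in assessed), key=control_key)


def unknown_controls(catalog, assessed):
    """Assessed ids missing from the catalog: a typo or a mismatched revision."""
    return sorted((c for c in assessed if c not in catalog), key=control_key)


def print_report(catalog, assessed):
    for fam, (hit, total) in sorted(coverage_by_family(catalog, assessed).items(),
                                    key=lambda kv: control_key(kv[0])):
        print(f"{fam:5} {NIST_800_171_FAMILIES[fam]:40} {hit}/{total} tracked")
    print("Families not addressed:", families_not_addressed(catalog, assessed))
    print("Controls needing POA&M entries:", poam_candidates(catalog, assessed))
    print("Unknown assessed ids:", unknown_controls(catalog, assessed))


if __name__ == "__main__":
    print_report(SAMPLE_CATALOG, SAMPLE_ASSESSMENT_CONTROLS)
```

Run it with the full 110-control catalog and your tenant's exported control list; the `poam_candidates` output is the list of controls that must be tracked outside the tool, and a non-empty `unknown_controls` result usually means the export and the catalog are from different revisions of the standard.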
Each of the included control families provides a list of controls along with associated Compliance Scores, Assigned Users, supporting documents, and dates for compliance milestones. By selecting the “Manage Documents” link, you can seamlessly drop policies and plans associated with the control, and update preexisting files much like you would in OneDrive (with some obvious caveats to be fair to OneDrive). For small businesses lacking a dedicated security/IT professional or compliance expert on staff, this tool is invaluable to keep individuals tasked and proper documentation in a secured yet simplified portal.
Above all, this is a management tool and a way to track progress. You will still need to understand Office 365 configuration, Microsoft security products, and all of the NIST Controls – which is the not-so-easy part.
Many consultants are popping up attempting to sell matrices and assessments that achieve much the same end as the Compliance Manager at a $99-$3000 clip. Thus, it only makes sense to stick with the native tool that is built for your environment. The two exceptions and most difficult challenges for organizations are the policies required and the Office 365/Azure configurations that match the policies. These policies also are rarely completed in tandem with the tenant configuration for whichever cloud environment an organization deploys in.
Many companies have tried to address policy first – which is not the end of the world. However, if your organization is trying to find competitive advantage in the wake of the regulatory compliance free-for-all, it is advantageous to write your policies and deploy into your cloud environment in very short succession. Unlike the aforementioned assessments that provide no helpful guidance about O365 configuration, licensing, and Microsoft Security Products – Summit 7 provides a NIST 800-171 Gap Analysis that has enabled companies to complete their POA&M in half the time of other contractors.
Don’t backtrack. Get compliant and stay compliant.
Announcing Compliance Manager general availability