Government organizations are subject to a number of regulations that can be complicated to keep track of. Those who work in and with government agencies often have difficulty navigating these requirements without good tools. Microsoft Compliance Manager helps organizations monitor and stay on top of these compliance requirements. Compliance Manager is now generally available for Microsoft 365 Government Community Cloud (GCC) and the more stringently regulated GCC High, and will soon be available for the Department of Defense (DoD) as well.
Tracking various regulatory requirements becomes easier with the more than 325 scalable assessment templates that are included in Compliance Manager. Some of those commonly needed in government organizations include:
- Defense Federal Acquisition Regulation Supplement (DFARS)
- Criminal Justice Information Services (CJIS)
- Federal Risk and Authorization Management Program (FedRAMP)
- FedRAMP High
Especially notable are the Cybersecurity Maturity Model Certification (CMMC) assessment templates for Levels 1 through 5, which are included with G5 licensing now. These assessment templates provide recommendations for all kinds of improvement actions that the agency and/or its contractors can implement in order to meet compliance standards.
Microsoft Compliance Configuration Analyzer (MCCA)
New capabilities in Microsoft Compliance Configuration Analyzer (MCCA) are also available in preview for GCC and GCC High. Microsoft Data Protection Baseline is a default assessment in Compliance Manager, and MCCA helps administrators see its improvement actions faster. Run from PowerShell, MCCA looks at the agency’s current configurations, compares them to Microsoft 365’s recommended best practices, and produces an overview report with actions to improve compliance posture. MCCA provides three kinds of reports:
- Geolocation-based: This type of report assesses sensitive information types (SITs) specific to a particular country or region that pertains to the organization.
- Role-based: This highlights role limitations within the agency, such as the inability to run the tool or to access certain information in the final report.
- Solutions Summary: This provides color-coded improvement actions that are separated into three status states: OK (green), Improvement (yellow), and Recommendation (gray). The simple breakdown allows for quick assessment of the compliance status and tells you what to do if a change is necessary.
Other Features of Compliance Manager
What are some more features that make Compliance Manager helpful for government organizations? Here are a few other beneficial capabilities it provides.
Continuous Assessments and Regulatory Updates
When assessments are done only at specific intervals, such as quarterly or annually, organizations can easily fall out of compliance in between these times. Compliance Manager can continuously scan the environment and even automatically update certain technical controls. This feature is available now for GCC and will be available sometime this quarter for GCC High. The automatic update capability will also expand to more controls in the future.
Similarly, Compliance Manager is continually updated as regulations change, giving administrators the opportunity to view and accept these changes as they come up.
Built-in control mapping is another feature that helps monitor multiple regulation standards, scaling across regional, industrial, and global frameworks. If the organization implements a common control, the status and evidence of meeting it can be synchronized in other assessments. This cuts down redundant work and simplifies management for the organization.
For additional clarity, you can get a compliance score which quantifies how well you’re meeting standards. This can be an overall score or it can pinpoint a specific regulation or category. Here’s more on how to interpret and work with the compliance score.
Making Use of Compliance Manager in GCC and GCC High
If you already have a Microsoft 365 G5, Microsoft 365 G5 Compliance and Office 365 G5 subscription, the CMMC Levels 1-5 and other assessment templates like NIST 800-53 are included at no extra cost. You can also purchase additional licensing for other templates that you select. To access Compliance Manager, assign permissions to designated administrators in Azure AD and visit the Compliance Portal. Learn more and provide team training with these videos on compliance practices.