Our last article examined the Gap Assessment that is necessary in order to achieve full CMMC compliance.  In this one, we look at yet another different process, and that is how to implement everything with the Microsoft security stack.

What Is All About

As it was described previously, the purpose of the Gap Analysis is to discover, or unearth any gaps or weaknesses that may be present in the existing controls that already have in place. This may require a small amount of remediation, or it could be a larger amount, a lot depends upon the level of certification that you are trying to achieve.

All of this is actually addressed in what is known as the “Plan of Action and Milestones”.  This is the actual plan that you will create to remediate the weaknesses and vulnerabilities that were found in the Gap Analysis, so that you can move further along in the process.  It also details the resources that are needed to achieve this goal, and these specifically include the following:

  • The personnel that will be needed. For example, will your own staff suffice, or will you need to get perhaps outside contractors that have more experience to correct the flaws that were discovered?
  • The technology that will be needed. What kind of software or hardware applications will you need to get the job done?  Do you have these available internally, or will you have to procure them from an outside source? Microsoft supplies a full security stack for you which will make implementation and integration much easier for you.
  • How much funding will be required? Obviously, bringing your controls up to speed will require some costs that you will need to budget for.

It is important to note that each and every vulnerability that has been discovered so far must be fixed to the satisfaction of the DoD that is awarding the certification that you are trying to achieve.  If not, the remediated actions that you have taken will not be accepted under any circumstances.

The Microsoft Placemat

The Microsoft Product Placemat for CMMC is an interactive view that represents how Microsoft cloud products and services satisfy the requirements for CMMC practices.

The user interface resembles a periodic table of CMMC practice families. For each practice covered, customer implementation guidance and details are documented, This enables you to drill down into each practice and discover details to ensure you will be compliant with CMMC.


Depending on how much remediation is needed, this could be the longest part of the process for you.  If you need one, contact us today!