
I work for a very small company (12 people maybe) that is a sub on a small fed contract and is currently strapped for cash after the ending of another contract about 6 months back. Despite having no experience with this, my company has assigned me to develop the System Security Plan (SSP) and implement a system that is NIST 800-171 compliant for handling CUI. While we don't need to handle ITAR or need CMMC cert, that may be helpful to open doors in the future, and I thought the solution provided here in very limited detail seemed ideal since it leaves out personal equipment: https://www.ktlsolutions.com/cloud-based-solutions-for-meeting-cmmc-requirements/. Unfortunately, we cannot afford the consulting fee for help with this, and, additionally, if I know what I'm doing, I imagine this just takes a few clicks and config settings in Azure Government to implement. I have an Azure Government trial account. My question is twofold: one, is there any reason to think that I, with some Azure Commercial experience, won't be able to set this up myself, and two, where do I begin? Are there any guides available? I have done ten thousand Google searches of various things in the past week and it feels like the only way I can find answers is to pay a huge consulting fee. Any help would be greatly appreciated.

Tamer Rifai

1 Answer


You'll want to look at Azure Blueprints. Azure Blueprints provides a set of Azure Policies that will ensure that your subscription meets the NIST 800-171 guidance. See this article for more info on the NIST 800-171 blueprint: https://learn.microsoft.com/en-us/azure/governance/blueprints/samples/nist-sp-800-171-r2

Mike
  • Awesome. Thank you so much. Couldn't find this in all my searches. Going to try it out today and let you know if I have issues or questions. I really appreciate it. – Tamer Rifai Feb 14 '22 at 15:18
  • I went through all the steps in the link. I'm probably going to sound like an idiot at this point but what did that accomplish? It just created some policies? Do the policies apply to everything in the subscription (VMs, apps, etc)? I am still trying to set up the architecture in the link I provided all configured to at least meet the NIST standards for CUI. – Tamer Rifai Feb 14 '22 at 22:34
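An added example (not from Mike's answer or from Microsoft) showing what the blueprint's policy assignment amounts to and how to see its effect with the Az PowerShell module: it assigns the same built-in initiative directly at subscription scope, so every resource in the subscription is evaluated, and then pulls the compliance results. It assumes you are signed in to Azure Government with the Az module installed; the assignment name is an assumed value.

```powershell
# Added example, not from the answer or from Microsoft. Assumes the Az PowerShell
# module is installed and you are signed in to Azure Government
# (Connect-AzAccount -Environment AzureUSGovernment).
# The NIST 800-171 blueprint sample assigns the built-in policy initiative
# "NIST SP 800-171 Rev. 2"; this does the same directly and then reports
# what the policies found, which is what a compliance review looks at.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"
$initiativeName = 'NIST SP 800-171 Rev. 2'   # display name of the built-in initiative

# Look the initiative up by display name rather than hard-coding its GUID.
# Older Az.Resources versions expose DisplayName under .Properties, newer
# versions flatten it; checking both keeps the lookup working on either.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $initiativeName -or $_.DisplayName -eq $initiativeName } |
    Select-Object -First 1
if (-not $initiative) { throw "Built-in initiative '$initiativeName' not found" }

# Assign at subscription scope: every resource under the subscription (VMs,
# storage, app services, ...) is evaluated, including resources created later.
# Policies in the initiative that need parameters without defaults (for example
# a Log Analytics workspace) must be supplied via -PolicyParameterObject,
# otherwise the assignment fails with a parameter error.
$assignmentName = 'nist-800-171-r2'          # assumed name, pick your own
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $assignmentName `
        -DisplayName $initiativeName -Scope $scope -PolicySetDefinition $initiative
}

# Compliance is evaluated on a schedule; force a scan so results are current.
# This call blocks until the scan finishes and can take several minutes.
Start-AzPolicyComplianceScan

# Summary: counts of compliant vs non-compliant resources for this assignment.
Get-AzPolicyStateSummary -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName |
    Select-Object -ExpandProperty Results

# Detail: which resource fails which policy, the list to work through for the SSP.
Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
    Sort-Object PolicyDefinitionName
```

Most policies in this initiative are audit-only, so a non-compliant line is a finding to remediate (or document as an exception in the SSP), not something the assignment fixes by itself.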