
Defense contractor guide to CMMC 2.0 certification: Level 1-3 requirements, GCC High migration, NIST 800-171 control mapping, CUI protection, and C3PAO assessment preparation.
How do defense contractors achieve CMMC compliance on Microsoft 365? Migrate to a Microsoft 365 GCC High tenant for CUI handling. Implement all 110 NIST SP 800-171 controls mapped to Microsoft 365 features: Conditional Access for access control, Microsoft Purview sensitivity labels for CUI classification, DLP policies for data loss prevention, Advanced Audit for accountability, and Microsoft Defender for threat protection. Document everything in a System Security Plan (SSP). Remediate gaps in a Plan of Action and Milestones (POA&M). Pass a C3PAO third-party assessment. EPC Group has achieved a 95%+ first-attempt pass rate for defense contractor CMMC assessments.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now the required cybersecurity standard for all Department of Defense contractors. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you must achieve the appropriate CMMC certification level to bid on, win, and maintain DoD contracts.
Microsoft 365 — specifically the GCC High environment — is the most widely adopted platform for CMMC compliance because it provides native controls for 80-85 of the 110 NIST 800-171 requirements. But the platform alone does not make you compliant. Every control must be configured correctly, documented in your SSP, and validated by a Certified Third-Party Assessment Organization (C3PAO).
EPC Group specializes in Microsoft 365 compliance implementations for defense contractors across the Defense Industrial Base (DIB). This guide covers everything you need to know — from choosing the right tenant to passing your assessment.
CMMC 2.0 streamlined the original 5 levels into 3 tiers. Your required level depends on the type of information you handle for DoD contracts.
| Level | Practices | Assessment | Scope | M365 Tenant |
|---|---|---|---|---|
| Level 1 | 17 practices | Annual self-assessment | Federal Contract Information (FCI) | Commercial or GCC |
| Level 2 | 110 practices (NIST 800-171) | Triennial C3PAO assessment | Controlled Unclassified Information (CUI) | GCC High required |
| Level 3 | 110 + additional from NIST 800-172 | Government-led assessment | CUI in highest-priority programs | GCC High with enhanced controls |
This is the most critical infrastructure decision for CMMC compliance. The wrong tenant choice means starting over — you cannot upgrade a commercial or GCC tenant to GCC High. It requires a full migration.
| Feature | Commercial | GCC | GCC High |
|---|---|---|---|
| Data Center | Global commercial | US-only (logically isolated) | US-only (physically separate government cloud) |
| Personnel | Global staff | US-screened staff | US citizens, background-checked, NDA |
| Authorization | SOC 2, ISO 27001 | FedRAMP Moderate | FedRAMP High, DoD IL4/IL5 |
| CMMC Support | Level 1 only (FCI) | Level 1 (FCI), limited Level 2 | Level 1, 2, and 3 (CUI + enhanced) |
| ITAR/EAR Compliance | Not supported | Not supported | Fully supported |
| Pricing (E5) | $57/user/month | $57/user/month | $70-85/user/month |
| Feature Parity | All features day-1 | 95% parity, slight delay | 85-90% parity, 3-6 month feature lag |
| Copilot Availability | Full availability | Available (GCC) | Limited/rolling availability |
Critical Decision: If you handle CUI in any form — technical data, engineering drawings, specifications, test results, or any information marked CUI by the government — you need GCC High. There is no workaround. Commercial and standard GCC tenants do not meet the data residency, personnel screening, and FedRAMP High requirements that CMMC Level 2 demands for CUI. EPC Group has migrated 50+ organizations from commercial to GCC High — the migration typically takes 6-8 weeks and requires careful DNS, data, and application planning.
CMMC Level 2 requires all 110 controls from NIST SP 800-171 Rev 2. Microsoft 365 GCC High can address approximately 80 controls through platform configuration. The remaining controls require organizational policies and procedures.
| NIST Domain | Controls | M365 GCC High Implementation | Coverage |
|---|---|---|---|
| Access Control (AC) | 22 | Conditional Access, RBAC, Entra ID PIM, Information Barriers, SharePoint permissions, Teams access policies | 16/22 |
| Awareness & Training (AT) | 3 | Attack Simulation Training, compliance training via Viva Learning, security awareness campaigns | 2/3 |
| Audit & Accountability (AU) | 9 | Unified Audit Log, Advanced Audit (E5), Microsoft Sentinel SIEM, audit log retention (1-year with E5) | 9/9 |
| Configuration Management (CM) | 9 | Intune device configuration, security baselines, Azure Policy, Microsoft Defender for Endpoint | 7/9 |
| Identification & Authentication (IA) | 12 | Entra ID MFA, passwordless auth (FIDO2, Windows Hello), Conditional Access, password protection | 10/12 |
| Incident Response (IR) | 3 | Microsoft Sentinel playbooks, Defender automated response, incident management workflows | 2/3 |
| Maintenance (MA) | 6 | Intune remote management, Windows Update for Business, Azure Arc for hybrid servers | 4/6 |
| Media Protection (MP) | 9 | BitLocker encryption, sensitivity labels, DLP policies, Intune device wipe, Azure Information Protection | 6/9 |
| Personnel Security (PS) | 2 | Entra ID lifecycle management, automated offboarding, access reviews | 1/2 |
| Physical Protection (PE) | 6 | N/A — organizational responsibility (Microsoft covers data center physical security) | 0/6 |
| Risk Assessment (RA) | 3 | Microsoft Secure Score, Compliance Manager, Defender vulnerability management | 2/3 |
| Security Assessment (CA) | 4 | Compliance Manager assessments, Secure Score, third-party integration via Graph API | 2/4 |
| System & Comm Protection (SC) | 16 | TLS 1.2+ encryption, DLP, information barriers, Azure Private Link, network segmentation | 12/16 |
| System & Info Integrity (SI) | 7 | Microsoft Defender suite, Sentinel threat detection, anti-malware, patch management via Intune | 6/7 |
Controlled Unclassified Information (CUI) is the core data type that CMMC Level 2 protects. Proper CUI handling in Microsoft 365 requires a layered approach: identification, classification, protection, monitoring, and evidence collection.
Deploy Microsoft Purview sensitive information types (SITs) to automatically detect CUI patterns in documents, emails, and Teams messages. Create custom SITs for organization-specific CUI formats (contract numbers, project codes, technical drawing identifiers). Configure trainable classifiers for document types that contain CUI but do not match pattern-based detection.
Create Microsoft Purview sensitivity labels: "CUI" (standard), "CUI//SP-CTI" (Controlled Technical Information), "CUI//SP-EXPT" (Export Controlled). Configure auto-labeling policies that apply CUI labels when sensitive information types are detected. Require manual label selection for all new documents created in CUI-scoped SharePoint sites. Encrypt labeled documents with Azure Information Protection.
DLP policies block CUI-labeled content from: external email recipients, personal OneDrive sync, USB drives (via Defender for Endpoint), unapproved cloud services, and guest-accessible SharePoint sites. Conditional Access policies restrict CUI access to compliant devices on the corporate network or approved VPN. Session controls via Microsoft Defender for Cloud Apps monitor and restrict real-time CUI document access.
Advanced Audit captures every CUI document access, modification, download, and sharing event with 1-year retention. Microsoft Sentinel correlates CUI access patterns to detect anomalous behavior (bulk downloads, after-hours access, access from new locations). Monthly CUI access reports feed into your SSP evidence package. Automated alerts notify your security team of potential CUI spillage events.
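The three anomaly patterns named in the monitoring step (bulk downloads, after-hours access, access from new locations), implemented as an added example that is not EPC Group's or Microsoft's code. It runs over constructed audit records in a simplified unified-audit-log shape; the field names, corporate network ranges, business hours and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records in a simplified unified-audit-log shape. The field
# names (CreationDate, UserId, Operation, ObjectId, ClientIP, SensitivityLabel),
# the network ranges and every value are assumptions for this example.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
AUDIT_RECORDS = [
    {"CreationDate": f"2025-03-04T14:{m:02d}:00Z", "UserId": "alice@contractor.example",
     "Operation": "FileDownloaded", "ObjectId": f"/sites/cui-program/Drawing-{m:03d}.pdf",
     "ClientIP": "10.1.2.3", "SensitivityLabel": "CUI//SP-CTI"} for m in range(0, 30, 5)
] + [
    {"CreationDate": "2025-03-04T02:30:00Z", "UserId": "bob@contractor.example",
     "Operation": "FileAccessed", "ObjectId": "/sites/cui-program/TestResults.xlsx",
     "ClientIP": "198.51.100.7", "SensitivityLabel": "CUI"},
    {"CreationDate": "2025-03-04T10:15:00Z", "UserId": "carol@contractor.example",
     "Operation": "FileAccessed", "ObjectId": "/sites/public/Newsletter.docx",
     "ClientIP": "198.51.100.9", "SensitivityLabel": "Public"},
]

def is_cui(record):
    """Only events on CUI-labeled content are in scope for these checks."""
    return record.get("SensitivityLabel", "").startswith("CUI")

def detect_anomalies(records, corporate_networks=CORPORATE_NETWORKS,
                     bulk_threshold=5, business_hours=(7, 19)):
    """Return one alert dict per finding. Timestamps are treated as UTC and the
    bulk-download check buckets CUI downloads per user per clock hour."""
    alerts = []
    downloads = defaultdict(int)  # (user, hour bucket) -> CUI download count
    for r in filter(is_cui, records):
        ts = datetime.strptime(r["CreationDate"], "%Y-%m-%dT%H:%M:%SZ")
        user, ip = r["UserId"], ip_address(r["ClientIP"])
        if r["Operation"] == "FileDownloaded":
            downloads[(user, ts.replace(minute=0, second=0))] += 1
        if not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append({"rule": "after_hours", "user": user, "detail": r["ObjectId"]})
        if not any(ip in net for net in corporate_networks):
            alerts.append({"rule": "new_location", "user": user, "detail": str(ip)})
    for (user, hour), count in downloads.items():
        if count >= bulk_threshold:
            alerts.append({"rule": "bulk_download", "user": user,
                           "detail": f"{count} CUI downloads starting {hour.isoformat()}"})
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(AUDIT_RECORDS):
        print(alert)
```

In production the same logic would run as a Sentinel analytics rule over the Unified Audit Log export rather than over an in-memory list; the filter on the label and the per-user hourly bucket are the parts that carry over.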
EPC Group CMMC assessment preparation follows a structured 12-16 week timeline. We do not allow clients to schedule their C3PAO assessment until every control is verified — resulting in a 95%+ first-attempt pass rate.
| Phase | Activities | Deliverable |
|---|---|---|
| Weeks 1-3 | Audit current Microsoft 365 configuration against all 110 NIST 800-171 controls. Identify gaps, document existing controls, assess GCC High readiness. Score current compliance posture. | Gap analysis report with prioritized remediation plan |
| Weeks 4-7 | Write the System Security Plan documenting how every control is implemented. Map each control to specific Microsoft 365 configurations, organizational policies, and responsible personnel. | Complete SSP with control implementation statements |
| Weeks 8-13 | Configure all Microsoft 365 controls: Conditional Access, DLP, sensitivity labels, audit logging, Defender, Sentinel. Implement organizational procedures for controls M365 cannot address. GCC High migration if required. | Fully configured GCC High environment with all controls active |
| Weeks 14-16 | Simulate the C3PAO assessment. Verify every control with evidence screenshots, configuration exports, and policy documentation. Remediate any remaining gaps. Prepare evidence binders and schedule the C3PAO assessment. | Assessment-ready evidence package and C3PAO scheduling |
Defense contractors achieve CMMC compliance on Microsoft 365 through: 1) Migrating to a GCC High tenant (required for CUI handling at CMMC Level 2+), 2) Implementing all 110 NIST 800-171 controls mapped to Microsoft 365 features (Conditional Access, DLP, sensitivity labels, audit logging, encryption), 3) Configuring CUI identification and protection using Microsoft Purview sensitivity labels and DLP policies, 4) Enabling advanced audit logging with 1-year retention for compliance evidence, 5) Deploying Microsoft Defender for comprehensive threat protection, 6) Establishing incident response procedures documented in the System Security Plan (SSP). EPC Group has guided 50+ defense contractors through CMMC preparation on Microsoft 365, achieving assessment readiness in 90-120 days.
GCC (Government Community Cloud) is for state/local government and contractors handling non-CUI government data — commercial data centers with logical isolation and US-based staff. GCC High is for defense contractors handling CUI (Controlled Unclassified Information) — dedicated government data centers, background-checked personnel, ITAR/EAR compliance, required for CMMC Level 2+. DoD is for Department of Defense agencies only — highest security controls, IL5 authorization, not available to contractors. For CMMC compliance: Level 1 contractors can use commercial or GCC. Level 2 contractors handling CUI MUST use GCC High. Level 3 contractors require GCC High with additional controls. EPC Group recommends GCC High for all defense contractors pursuing CMMC Level 2 certification.
Microsoft 365 GCC High can address approximately 80-85 of the 110 NIST 800-171 controls through platform configuration. Key coverage areas: Access Control (AC) — 16/22 controls via Conditional Access, MFA, RBAC, and Entra ID. Audit & Accountability (AU) — 9/9 controls via Unified Audit Log, Advanced Audit, and Microsoft Sentinel. Identification & Authentication (IA) — 10/12 controls via Entra ID, MFA, passwordless authentication. Media Protection (MP) — 6/9 controls via BitLocker, sensitivity labels, DLP. System & Communications Protection (SC) — 12/16 controls via TLS encryption, DLP, information barriers. The remaining 25-30 controls require organizational policies, physical security measures, and personnel procedures that technology alone cannot satisfy. EPC Group maps every control to specific Microsoft configurations and organizational procedures.
CUI (Controlled Unclassified Information) is government-created or government-furnished information that requires safeguarding per NIST 800-171. CUI categories include: technical drawings, specifications, source code, test data, financial records, export-controlled data (ITAR/EAR), and For Official Use Only (FOUO) information. Protection in Microsoft 365 GCC High: 1) Sensitivity labels marked "CUI" applied automatically via Microsoft Purview to documents matching CUI patterns, 2) DLP policies preventing CUI from leaving the organization via email, Teams, or SharePoint sharing, 3) Encryption-at-rest and in-transit for all CUI data, 4) Conditional Access policies restricting CUI access to compliant devices from approved locations, 5) Information barriers preventing CUI access by non-authorized personnel, 6) Audit logging of all CUI access for compliance evidence.
CMMC certification timeline depends on current maturity: Organizations with existing NIST 800-171 implementation: 3-6 months from gap assessment to C3PAO assessment. Organizations starting from scratch: 9-18 months for full implementation and assessment readiness. Breakdown: Gap assessment (2-4 weeks), SSP development (4-6 weeks), GCC High migration if needed (6-8 weeks), control implementation (8-16 weeks), POA&M remediation (4-8 weeks), pre-assessment readiness review (2-4 weeks), C3PAO assessment (2-4 weeks). EPC Group accelerates this timeline by using pre-built CMMC configuration templates for Microsoft 365 GCC High, reducing implementation time by 40-60% compared to building controls from scratch.
CMMC compliance costs for Microsoft 365 include: GCC High licensing: $35-$57/user/month (compared to $12-$36 for commercial M365). This premium covers dedicated government infrastructure, background-checked personnel, and FedRAMP High authorization. Migration to GCC High: $50,000-$200,000 depending on user count, data volume, and complexity (data migration, DNS cutover, application reconfiguration). CMMC implementation consulting: $75,000-$250,000 for gap assessment, SSP development, control implementation, and assessment preparation. C3PAO assessment: $50,000-$150,000 for the official third-party assessment. Ongoing compliance: $25,000-$75,000/year for continuous monitoring, annual reviews, and POA&M management. Total first-year cost for a 200-user organization: approximately $350,000-$750,000. EPC Group fixed-fee CMMC accelerators start at $75,000.
Failing a CMMC assessment means: 1) The contractor cannot bid on or maintain DoD contracts requiring CMMC certification at the assessed level, 2) The C3PAO identifies specific controls that failed — documented in a findings report, 3) The contractor has a remediation period to fix deficiencies and schedule a reassessment, 4) Reassessment costs additional fees ($25,000-$75,000). Prevention is critical: EPC Group conducts pre-assessment readiness reviews that simulate the C3PAO assessment process, identifying and remediating gaps before the official assessment. Our clients have a 95%+ first-attempt pass rate because we do not allow organizations to schedule their C3PAO assessment until every control is verified and documented.
Yes — CMMC flows down to all subcontractors who handle CUI. If a prime contractor shares CUI with a subcontractor, that subcontractor must achieve the same CMMC level. This is enforced through: DFARS 252.204-7012 (current), DFARS 252.204-7021 (CMMC rule), and contract flow-down requirements. Subcontractor scenarios: If the subcontractor only receives Federal Contract Information (FCI) — CMMC Level 1 self-assessment is sufficient. If the subcontractor receives CUI — CMMC Level 2 with C3PAO assessment is required. Prime contractors are responsible for verifying subcontractor compliance before sharing CUI. EPC Group helps prime contractors establish subcontractor compliance verification programs and assists subcontractors with achieving their required CMMC level.
Schedule a free CMMC gap assessment with EPC Group. We will evaluate your current Microsoft 365 environment against CMMC Level 2 requirements and deliver a remediation roadmap with timeline and cost estimates. 95%+ first-attempt C3PAO pass rate.