CMMC Compliance on Microsoft 365
Defense contractor guide to CMMC 2.0 certification: Level 1-3 requirements, GCC High migration, NIST 800-171 control mapping, CUI protection, and C3PAO assessment preparation.
Defense contractors can achieve CMMC 2.0 compliance on Microsoft 365 by selecting the right tenant (GCC or GCC High), implementing all 110 NIST 800-171 controls, classifying and protecting CUI with Purview, and preparing a System Security Plan for C3PAO assessment. This guide covers Levels 1–3, GCC migration, and the full C3PAO preparation timeline.
Key Facts
- CMMC 2.0 has three levels: Foundational (17 practices), Advanced (110 controls, NIST 800-171), and Expert (NIST 800-172 subset).
- Microsoft 365 GCC High is required for Level 2 priority contracts and all Level 3 programs.
- Microsoft 365 satisfies approximately 70 of the 110 NIST 800-171 controls natively — the rest require configuration and policy work.
- CUI must be identified, classified, and protected before C3PAO assessment begins.
- C3PAO assessment preparation typically takes 12–18 months from gap assessment to certification.
- Subcontractors must meet CMMC requirements at the level specified by the prime contractor.
CMMC 2.0 Compliance Guide for Defense Contractors
How do defense contractors achieve CMMC compliance on Microsoft 365? To comply, migrate to a Microsoft 365 GCC High tenant for managing Controlled Unclassified Information (CUI). You must implement all 110 NIST SP 800-171 controls that align with Microsoft 365 features. These controls include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
- Conditional Access for access control
- Microsoft Purview sensitivity labels for CUI classification
- DLP policies for data loss prevention
- Advanced Audit for accountability
- Microsoft Defender for threat protection
Additionally, document everything in a System Security Plan (SSP). Address any gaps in a Plan of Action and Milestones (POA&M). Finally, complete a C3PAO third-party assessment.
EPC Group has a strong track record, achieving a 95%+ first-attempt pass rate for defense contractor CMMC assessments.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the mandatory cybersecurity standard for all Department of Defense contractors. Organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must achieve the appropriate CMMC certification level. This certification is crucial for bidding on, winning, and maintaining DoD contracts.
Microsoft 365, particularly the GCC High environment, is the leading platform for CMMC compliance. It provides built-in controls for 80-85 of the 110 NIST 800-171 requirements.
However, relying solely on the platform does not guarantee compliance.
To achieve compliance, you must:
- Configure every control correctly.
- Document controls in your SSP.
- Have your compliance validated by a Certified Third-Party Assessment Organization (C3PAO).
EPC Group specializes in Microsoft 365 compliance implementations for defense contractors across the Defense Industrial Base (DIB). This guide covers everything you need to know — from choosing the right tenant to passing your assessment.
CMMC 2.0 Certification Levels
CMMC 2.0 streamlined the original 5 levels into 3 tiers. Your required level depends on the type of information you handle for DoD contracts.
Level 1: Foundational
17 practices
Assessment: Annual self-assessment
Scope: Federal Contract Information (FCI)
M365 Tenant: Commercial or GCC
Key Requirements:
- Basic access control (unique user accounts, password requirements)
- Limit system access to authorized users
- Verify and control connections to external systems
- Control information posted publicly
- Identify and authenticate users before granting access
- Sanitize or destroy media containing FCI before disposal
- Limit physical access to systems
- Escort visitors and monitor physical access
- Maintain audit logs of physical access
- Protect communications at system boundaries
Level 2: Advanced
110 practices (NIST 800-171)
Assessment: Triennial C3PAO assessment
Scope: Controlled Unclassified Information (CUI)
M365 Tenant: GCC High required
Key Requirements:
- All 110 NIST SP 800-171 Rev 2 controls
- Multi-factor authentication for all users
- Encryption of CUI at rest and in transit
- Advanced audit logging with tamper-proof retention
- Incident response planning and testing
- Vulnerability scanning and remediation
- Security awareness training for all personnel
- Controlled access to CUI based on need-to-know
- System Security Plan (SSP) documenting all controls
- Plan of Action and Milestones (POA&M) for gaps
Level 3: Expert
110 + additional from NIST 800-172
Assessment: Government-led assessment
Scope: CUI in highest-priority programs
M365 Tenant: GCC High with enhanced controls
Key Requirements:
- All Level 2 controls plus enhanced requirements
- Advanced threat hunting and analysis capabilities
- Dual authorization for critical operations
- System component isolation and segmentation
- Penetration testing (red team exercises)
- Specialized asset monitoring and threat intelligence
- Cross-domain solution controls
- Security operations center (SOC) requirements
- Enhanced incident response with automated containment
- Supply chain risk management controls
GCC vs GCC High: Choosing the Right Microsoft Tenant
Choosing the right infrastructure is crucial for CMMC compliance. Selecting the wrong tenant can lead to significant delays. You cannot upgrade a commercial or GCC tenant to GCC High. Instead, a full migration is required.
| Feature | Commercial | GCC | GCC High |
|---|---|---|---|
| Data Center | Global commercial | US-only (logically isolated) | US-only (physically separate government cloud) |
| Personnel | Global staff | US-screened staff | US citizens, background-checked, NDA |
| Authorization | SOC 2, ISO 27001 | FedRAMP Moderate | FedRAMP High, DoD IL4/IL5 |
| CMMC Support | Level 1 only (FCI) | Level 1 (FCI), limited Level 2 | Level 1, 2, and 3 (CUI + enhanced) |
| ITAR/EAR Compliance | Not supported | Not supported | Fully supported |
| Pricing (E5) | $57/user/month | $57/user/month | $70-85/user/month |
| Feature Parity | All features day-1 | 95% parity, slight delay | 85-90% parity, 3-6 month feature lag |
| Copilot Availability | Full availability | Available (GCC) | Limited/rolling availability |
Critical Decision: If you manage Controlled Unclassified Information (CUI) in any form, you need GCC High. This includes:
- Technical data
- Engineering drawings
- Specifications
- Test results
- Any information marked CUI by the government
There is no alternative.
Commercial and standard GCC tenants do not meet the data residency, personnel screening, and FedRAMP High requirements for CMMC Level 2 regarding Controlled Unclassified Information (CUI).
EPC Group has successfully migrated over 50 organizations from commercial to GCC High.
This migration typically takes 6-8 weeks and involves careful planning of:
- DNS
- Data
- Applications
NIST 800-171 Control Mapping to Microsoft 365
CMMC Level 2 includes all 110 controls from NIST SP 800-171 Rev 2. Microsoft 365 GCC High can help with about 80 of these controls through platform setup. The other controls need specific organizational policies and procedures.
| NIST Domain | Controls | M365 GCC High Implementation | Coverage |
|---|---|---|---|
| Access Control (AC) | 22 | Conditional Access, RBAC, Entra ID PIM, Information Barriers, SharePoint permissions, Teams access policies | 16/22 |
| Awareness & Training (AT) | 3 | Attack Simulation Training, compliance training via Viva Learning, security awareness campaigns | 2/3 |
| Audit & Accountability (AU) | 9 | Unified Audit Log, Advanced Audit (E5), Microsoft Sentinel SIEM, audit log retention (1-year with E5) | 9/9 |
| Configuration Management (CM) | 9 | Intune device configuration, security baselines, Azure Policy, Microsoft Defender for Endpoint | 7/9 |
| Identification & Authentication (IA) | 12 | Entra ID MFA, passwordless auth (FIDO2, Windows Hello), Conditional Access, password protection | 10/12 |
| Incident Response (IR) | 3 | Microsoft Sentinel playbooks, Defender automated response, incident management workflows | 2/3 |
| Maintenance (MA) | 6 | Intune remote management, Windows Update for Business, Azure Arc for hybrid servers | 4/6 |
| Media Protection (MP) | 9 | BitLocker encryption, sensitivity labels, DLP policies, Intune device wipe, Azure Information Protection | 6/9 |
| Personnel Security (PS) | 2 | Entra ID lifecycle management, automated offboarding, access reviews | 1/2 |
| Physical Protection (PE) | 6 | N/A — organizational responsibility (Microsoft covers data center physical security) | 0/6 |
| Risk Assessment (RA) | 3 | Microsoft Secure Score, Compliance Manager, Defender vulnerability management | 2/3 |
| Security Assessment (CA) | 4 | Compliance Manager assessments, Secure Score, third-party integration via Graph API | 2/4 |
| System & Comm Protection (SC) | 16 | TLS 1.2+ encryption, DLP, information barriers, Azure Private Link, network segmentation | 12/16 |
| System & Info Integrity (SI) | 7 | Microsoft Defender suite, Sentinel threat detection, anti-malware, patch management via Intune | 6/7 |
CUI Handling on Microsoft 365 GCC High
Controlled Unclassified Information (CUI) is the main data type that CMMC Level 2 safeguards. To handle CUI properly in Microsoft 365, you need a layered approach. This includes:
- Identification
- Classification
- Protection
- Monitoring
- Evidence collection
CUI Identification
Deploy Microsoft Purview sensitive information types (SITs) to automatically detect CUI patterns in documents, emails, and Teams messages. Create custom SITs for organization-specific CUI formats (contract numbers, project codes, technical drawing identifiers). Configure trainable classifiers for document types that contain CUI but do not match pattern-based detection.
CUI Classification
Create Microsoft Purview sensitivity labels: "CUI" (standard), "CUI//SP-CTI" (Controlled Technical Information), "CUI//SP-EXPT" (Export Controlled). Configure auto-labeling policies that apply CUI labels when sensitive information types are detected. Require manual label selection for all new documents created in CUI-scoped SharePoint sites. Encrypt labeled documents with Azure Information Protection.
CUI Protection
DLP policies block CUI-labeled content from: external email recipients, personal OneDrive sync, USB drives (via Defender for Endpoint), unapproved cloud services, and guest-accessible SharePoint sites. Conditional Access policies restrict CUI access to compliant devices on the corporate network or approved VPN. Session controls via Microsoft Defender for Cloud Apps monitor and restrict real-time CUI document access.
CUI Monitoring & Evidence
Advanced Audit captures every CUI document access, modification, download, and sharing event with 1-year retention. Microsoft Sentinel correlates CUI access patterns to detect anomalous behavior (bulk downloads, after-hours access, access from new locations). Monthly CUI access reports feed into your SSP evidence package. Automated alerts notify your security team of potential CUI spillage events.
C3PAO Assessment Preparation Timeline
EPC Group's CMMC assessment preparation lasts 12 to 16 weeks. We verify all controls before clients can schedule their C3PAO assessment. This method results in a pass rate of over 95% on the first attempt.
Gap Assessment
Weeks 1-3
Audit current Microsoft 365 configuration against all 110 NIST 800-171 controls. Identify gaps, document existing controls, assess GCC High readiness. Score current compliance posture.
Deliverable: Gap analysis report with prioritized remediation plan
SSP Development
Weeks 4-7
Write the System Security Plan documenting how every control is implemented. Map each control to specific Microsoft 365 configurations, organizational policies, and responsible personnel.
Deliverable: Complete SSP with control implementation statements
Control Implementation
Weeks 8-13
Configure all Microsoft 365 controls: Conditional Access, DLP, sensitivity labels, audit logging, Defender, Sentinel. Implement organizational procedures for controls M365 cannot address. GCC High migration if required.
Deliverable: Fully configured GCC High environment with all controls active
Readiness Review
Weeks 14-16
Simulate the C3PAO assessment. Verify every control with evidence screenshots, configuration exports, and policy documentation. Remediate any remaining gaps. Prepare evidence binders and schedule C3PAO assessment.
Deliverable: Assessment-ready evidence package and C3PAO scheduling
Frequently Asked Questions
How do defense contractors achieve CMMC compliance on Microsoft 365?
Defense contractors achieve CMMC compliance on Microsoft 365 through: 1) Migrating to a GCC High tenant (required for CUI handling at CMMC Level 2+), 2) Implementing all 110 NIST 800-171 controls mapped to Microsoft 365 features (Conditional Access, DLP, sensitivity labels, audit logging, encryption), 3) Configuring CUI identification and protection using Microsoft Purview sensitivity labels and DLP policies, 4) Enabling advanced audit logging with 1-year retention for compliance evidence, 5) Deploying Microsoft Defender for comprehensive threat protection, 6) Establishing incident response procedures documented in the System Security Plan (SSP). EPC Group has guided 50+ defense contractors through CMMC preparation on Microsoft 365, achieving assessment readiness in 90-120 days.
What is the difference between GCC, GCC High, and DoD in Microsoft 365?
GCC (Government Community Cloud) is for state/local government and contractors handling non-CUI government data — commercial data centers with logical isolation and US-based staff. GCC High is for defense contractors handling CUI (Controlled Unclassified Information) — dedicated government data centers, background-checked personnel, ITAR/EAR compliance, required for CMMC Level 2+. DoD is for Department of Defense agencies only — highest security controls, IL5 authorization, not available to contractors. For CMMC compliance: Level 1 contractors can use commercial or GCC. Level 2 contractors handling CUI MUST use GCC High. Level 3 contractors require GCC High with additional controls. EPC Group recommends GCC High for all defense contractors pursuing CMMC Level 2 certification.
How many NIST 800-171 controls can Microsoft 365 satisfy?
Microsoft 365 GCC High can address approximately 80-85 of the 110 NIST 800-171 controls through platform configuration. Key coverage areas: Access Control (AC) — 16/22 controls via Conditional Access, MFA, RBAC, and Entra ID. Audit & Accountability (AU) — 9/9 controls via Unified Audit Log, Advanced Audit, and Microsoft Sentinel. Identification & Authentication (IA) — 10/12 controls via Entra ID, MFA, passwordless authentication. Media Protection (MP) — 6/9 controls via BitLocker, sensitivity labels, DLP. System & Communications Protection (SC) — 12/16 controls via TLS encryption, DLP, information barriers. The remaining 25-30 controls require organizational policies, physical security measures, and personnel procedures that technology alone cannot satisfy. EPC Group maps every control to specific Microsoft configurations and organizational procedures.
What is CUI and how do you protect it in Microsoft 365?
CUI (Controlled Unclassified Information) is government-created or government-furnished information that requires safeguarding per NIST 800-171. CUI categories include: technical drawings, specifications, source code, test data, financial records, export-controlled data (ITAR/EAR), and For Official Use Only (FOUO) information. Protection in Microsoft 365 GCC High: 1) Sensitivity labels marked "CUI" applied automatically via Microsoft Purview to documents matching CUI patterns, 2) DLP policies preventing CUI from leaving the organization via email, Teams, or SharePoint sharing, 3) Encryption-at-rest and in-transit for all CUI data, 4) Conditional Access policies restricting CUI access to compliant devices from approved locations, 5) Information barriers preventing CUI access by non-authorized personnel, 6) Audit logging of all CUI access for compliance evidence.
How long does CMMC certification take for a defense contractor?
CMMC certification timeline depends on current maturity: Organizations with existing NIST 800-171 implementation: 3-6 months from gap assessment to C3PAO assessment. Organizations starting from scratch: 9-18 months for full implementation and assessment readiness. Breakdown: Gap assessment (2-4 weeks), SSP development (4-6 weeks), GCC High migration if needed (6-8 weeks), control implementation (8-16 weeks), POA&M remediation (4-8 weeks), pre-assessment readiness review (2-4 weeks), C3PAO assessment (2-4 weeks). EPC Group accelerates this timeline by using pre-built CMMC configuration templates for Microsoft 365 GCC High, reducing implementation time by 40-60% compared to building controls from scratch.
What is the cost of CMMC compliance on Microsoft 365?
CMMC compliance costs for Microsoft 365 include: GCC High licensing: $35-$57/user/month (compared to $12-$36 for commercial M365). This premium covers dedicated government infrastructure, background-checked personnel, and FedRAMP High authorization. Migration to GCC High: $50,000-$200,000 depending on user count, data volume, and complexity (data migration, DNS cutover, application reconfiguration). CMMC implementation consulting: $75,000-$250,000 for gap assessment, SSP development, control implementation, and assessment preparation. C3PAO assessment: $50,000-$150,000 for the official third-party assessment. Ongoing compliance: $25,000-$75,000/year for continuous monitoring, annual reviews, and POA&M management. Total first-year cost for a 200-user organization: approximately $350,000-$750,000. EPC Group fixed-fee CMMC accelerators start at $75,000.
What happens if a defense contractor fails the CMMC assessment?
Failing a CMMC assessment means: 1) The contractor cannot bid on or maintain DoD contracts requiring CMMC certification at the assessed level, 2) The C3PAO identifies specific controls that failed — documented in a findings report, 3) The contractor has a remediation period to fix deficiencies and schedule a reassessment, 4) Reassessment costs additional fees ($25,000-$75,000). Prevention is critical: EPC Group conducts pre-assessment readiness reviews that simulate the C3PAO assessment process, identifying and remediating gaps before the official assessment. Our clients have a 95%+ first-attempt pass rate because we do not allow organizations to schedule their C3PAO assessment until every control is verified and documented.
Do subcontractors need CMMC compliance too?
Yes — CMMC flows down to all subcontractors who handle CUI. If a prime contractor shares CUI with a subcontractor, that subcontractor must achieve the same CMMC level. This is enforced through: DFARS 252.204-7012 (current), DFARS 252.204-7021 (CMMC rule), and contract flow-down requirements. Subcontractor scenarios: If the subcontractor only receives Federal Contract Information (FCI) — CMMC Level 1 self-assessment is sufficient. If the subcontractor receives CUI — CMMC Level 2 with C3PAO assessment is required. Prime contractors are responsible for verifying subcontractor compliance before sharing CUI. EPC Group helps prime contractors establish subcontractor compliance verification programs and assists subcontractors with achieving their required CMMC level.
Related Resources
Microsoft 365 Consulting Services
Enterprise Microsoft 365 deployment, migration, compliance, and managed services from EPC Group.
Read moreRegulated Industry Compliance Guide
Industry-specific compliance controls for healthcare, financial services, government, and education on Microsoft platforms.
Read moreMicrosoft Purview AI Governance
How to govern AI and Copilot outputs using Microsoft Purview sensitivity labels, DLP, and compliance policies.
Read moreGet CMMC Assessment-Ready on Microsoft 365
Schedule a free CMMC gap assessment with EPC Group. We will evaluate your Microsoft 365 environment according to CMMC Level 2 requirements.
You will receive a remediation roadmap that includes:
- A detailed timeline
- Cost estimates
We have a 95%+ first-attempt C3PAO pass rate.
CMMC Compliance on Microsoft 365: Defense Contractor Guide 2026
Defense contractors can achieve CMMC 2.0 compliance on Microsoft 365 by following several key steps:
- Select the appropriate tenant (GCC or GCC High).
- Implement all 110 NIST 800-171 controls.
- Classify and protect CUI using Purview.
- Prepare a System Security Plan for C3PAO assessment.
This guide addresses Levels 1–3, GCC migration, and the complete C3PAO preparation timeline.
Key facts
- CMMC 2.0 has three levels: Foundational (17 practices), Advanced (110 controls, NIST 800-171), and Expert (NIST 800-172 subset).
- Microsoft 365 GCC High is required for Level 2 priority contracts and all Level 3 programs.
- Microsoft 365 satisfies approximately 70 of the 110 NIST 800-171 controls natively — the rest require configuration and policy work.
- CUI must be identified, classified, and protected before C3PAO assessment begins.
- C3PAO assessment preparation typically takes 12–18 months from gap assessment to certification.
- Subcontractors must meet CMMC requirements at the level specified by the prime contractor.
GCC vs GCC High: Choosing the Right Tenant
| Feature | Microsoft 365 GCC | Microsoft 365 GCC High |
|---|---|---|
| FedRAMP level | Moderate | High |
| DoD SRG level | IL2 | IL4/IL5 |
| ITAR compliant | No | Yes |
| CMMC Level 2 (priority) | No | Yes |
| CMMC Level 3 | No | Yes (with Azure Government) |
| Data residency | US datacenters | US persons, isolated regions |
CMMC Level Requirements on Microsoft 365
Level 1: Foundational
- 17 practices covering basic access control and media protection.
- Annual self-assessment. No CUI handling required.
- Commercial Microsoft 365 tenant is acceptable at this level.
Level 2: Advanced
- 110 NIST 800-171 controls across 14 domains.
- C3PAO third-party assessment required for priority contracts.
- Self-assessment allowed for non-priority contracts.
- GCC High required for priority programs.
Level 3: Expert
- Adds NIST 800-172 subset controls on top of all Level 2 controls.
- Government-led assessment (DCSA). Required for highest-security contracts.
- Azure Government required alongside GCC High.
NIST 800-171 Control Mapping to Microsoft 365
Microsoft 365 GCC High satisfies roughly 70 of the 110 NIST 800-171 controls natively. The remaining controls require active configuration.
- Access control (AC) — Entra ID Conditional Access, PIM, RBAC.
- Audit and accountability (AU) — Audit (Premium) with 6-year retention in GCC High.
- Configuration management (CM) — Microsoft Intune device compliance policies.
- Identification and authentication (IA) — MFA, passwordless, smart card via Entra ID.
- Incident response (IR) — Microsoft Sentinel SIEM/SOAR with CMMC-aligned playbooks.
- Media protection (MP) — BitLocker encryption, USB port control via Intune.
- System and communications protection (SC) — TLS 1.2+, information barriers, network segmentation.
- System and information integrity (SI) — Defender for Endpoint, Defender for Office 365.
CUI Handling on Microsoft 365 GCC High
Protecting CUI is the core requirement for Level 2. Four steps apply.
CUI Identification
- Run Microsoft Purview Content Explorer to scan all M365 services for CUI patterns.
- Map CUI categories to the NARA CUI Registry.
CUI Classification
- Apply sensitivity labels: "CUI — Basic" and "CUI — Specified" for higher-sensitivity categories.
- Enable auto-labeling policies to classify content at rest and in transit.
CUI Protection
- Apply encryption via Azure Rights Management to all CUI-labeled content.
- Configure DLP policies to block CUI from leaving GCC High to unapproved destinations.
- Restrict external sharing to pre-approved partner tenants only.
CUI Monitoring and Evidence
- Enable Audit (Premium) for 6-year log retention — required for Level 2.
- Configure Microsoft Sentinel alerts for unauthorized CUI access attempts.
- Export audit logs monthly to the POA&M evidence repository.
C3PAO Assessment Preparation Timeline
Gap Assessment (Months 1–2)
- Control-by-control review against NIST 800-171
- CUI scope identification and data flow mapping
- POA&M gap list and risk scoring
SSP Development (Months 2–4)
- System Security Plan documenting all 110 controls
- Network and data flow diagrams
- User access matrix and authorization boundaries
Control Implementation (Months 4–10)
- GCC High tenant migration (if not already in place)
- Technical control deployment via Purview, Defender, Entra ID, Intune
- Policy and procedure documentation for human-process controls
Readiness Review (Months 10–12)
- Mock C3PAO assessment with internal red team
- Evidence package assembly for all 110 controls
- POA&M remediation of open findings
Frequently Asked Questions
How do defense contractors achieve CMMC compliance on Microsoft 365?
To handle Controlled Unclassified Information (CUI), choose GCC High. You will need to:
- Configure all 110 NIST 800-171 controls using Purview, Defender, Entra ID, and Intune.
- Build a System Security Plan (SSP).
- Complete a third-party assessment by a C3PAO.
This process usually takes 12 to 18 months.
What is the difference between GCC, GCC High, and DoD in Microsoft 365?
GCC is FedRAMP Moderate for general government use. GCC High is FedRAMP High and ITAR-compliant. This compliance is essential for CMMC Level 2 priority and Level 3.
Microsoft 365 DoD is designed specifically for DoD-exclusive use.
How many NIST 800-171 controls can Microsoft 365 satisfy?
About 70 of the 110 controls can be managed directly using Microsoft 365 GCC High features. The other 40 controls need:
- Active configuration
- Policy documentation
- Technical controls beyond default settings
What is CUI and how do you protect it in Microsoft 365?
CUI (Controlled Unclassified Information) is information created by the government that needs protection. You can safeguard it in Microsoft 365 using the following tools:
- Purview sensitivity labels
- DLP policies
- Azure Rights Management encryption
- Audit Premium for a 6-year log retention
How long does CMMC certification take for a defense contractor?
Level 2 certification typically takes 6–12 months from gap assessment to C3PAO assessment. Organizations starting from scratch on GCC High migration should plan 12–18 months.
What is the cost of CMMC compliance on Microsoft 365?
GCC High licensing costs between $38 and $57 per user each month. This is similar to the costs for E3 and E5 licenses.
Consulting fees for a complete Level 2 implementation vary based on the project's scope and current maturity level. These fees range from $75,000 to $250,000.
What happens if a defense contractor fails the CMMC assessment?
The C3PAO offers a conditional certification if there are minor findings. However, major findings must be addressed before certification can be granted.
Until certification is issued, you cannot bid on new contracts that require that CMMC level.
Do subcontractors need CMMC compliance too?
Yes. Prime contractors must flow down CMMC requirements to all subcontractors that process, store, or transmit CUI. The required level is specified in the contract's DFARS clause.
Get CMMC Assessment-Ready on Microsoft 365
Talk to an EPC Group CMMC architect about your GCC High migration or Level 2 program. Call (888) 381-9725 or schedule a discovery call.