If you’re chasing DoD work in 2026, you’ve probably heard some version of this: “Just move to Microsoft 365 and you’ll be CMMC compliant.” I wish it worked that way. Microsoft 365 CMMC alignment can absolutely cover a lot of ground, but it’s not a magic button.
What matters is three decisions I make up front: what data I handle (FCI vs CUI), how I scope my assessed enclave (the “bubble” that touches CUI), and which Microsoft 365 cloud I choose (Commercial, GCC, or GCC High). Those choices drive cost, effort, and audit stress.
CMMC 2.0’s rollout began on Nov 10, 2025, and it’s already influencing awards and renewals. If I wait until an RFP forces the issue, I’m late. Planning now gives me time to set the tenant up right, build evidence, and avoid a rushed migration.
Start with CMMC 2.0 basics, scope, and the CUI enclave

CMMC 2.0 is simpler than the older model, but it still trips teams up because the hardest part is not tech. It’s scope.
Level 1 is for FCI (Federal Contract Information). Think of everyday contract data that is not meant for the public, like a purchase order, delivery schedule, or contract line items. Level 1 aligns to the basic safeguards in FAR 52.204-21, and it’s typically an annual self-assessment reported in SPRS (the DoD even provides a CMMC Level 1 self-assessment guide that helps you understand the intent).
Level 2 is for CUI (Controlled Unclassified Information). This is where most small defense contractors get surprised. CUI can show up as a drawing with controlled markings, a test report, engineering specs, security requirements, or technical data sent by a prime. Level 2 aligns to all 110 requirements in NIST SP 800-171, and assessments are typically every three years by a C3PAO (with limited cases allowing self-assessment, depending on the contract and risk).
Here’s the part I treat as non-negotiable: if I touch any CUI, I scope that environment to Level 2. “We only have a little CUI” is like saying, “We only have a little gasoline near the pilot light.”
Scoping is simple in theory: if a system processes, stores, or transmits FCI or CUI, it’s in scope. In real life, email forwarding, Teams chats, OneDrive sync, and unmanaged laptops quietly expand the boundary.
That’s why I like the assessed enclave approach. I build a defined “bubble” of people, devices, identities, and systems that handle CUI, then I keep the rest of the business out of that bubble. Done correctly, a smaller enclave cuts licensing, reduces audit evidence, and limits daily friction. If you want a good plain-language explanation of the concept, an overview of the CUI enclave idea is worth a few minutes.
A quick way I decide if I am Level 1 or Level 2
- FCI only, no controlled markings, no technical data: I plan for Level 1.
- Any CUI from a prime or the DoD: I treat it as Level 2 scope.
- Specs, drawings, test data, or controlled work instructions: I assume CUI until proven otherwise.
- My team uses personal email/text for work: scope is already expanding.
- CUI lives in “normal” SharePoint/OneDrive: I’m likely scoping the whole tenant, and that gets expensive fast.
What “in scope” really means for Microsoft 365, endpoints, and vendors
If I store or send FCI or CUI in Exchange, SharePoint, OneDrive, or Teams, those services are in scope. So are the identities (Microsoft Entra ID accounts), the devices that access the data, and the security logs that prove controls are working.
Vendors matter too. If an MSP, helpdesk tool, backup provider, or third-party app can access CUI, that relationship can pull more systems into scope. I document access, lock down permissions, and keep a clean record of who can touch what.
Choosing the right Microsoft 365 cloud for DoD work, Commercial vs GCC vs GCC High

Tenant choice is not a “later” decision. It shapes your controls, your evidence, and whether your prime will accept your environment for CUI.
Here’s the practical view I use:
- Commercial can often work for Level 1 FCI if it’s configured well (strong identity controls, device controls, and logging).
- GCC is a government-focused environment, but it’s not always the best landing spot for true DoD CUI unless the contract and prime explicitly accept it.
- GCC High is the safer default when I handle real CUI and need to line up with the expectations that often come with DFARS-style flowdowns and stricter government cloud requirements.
This is also where FedRAMP expectations show up in plain terms. When CUI is involved, I want the cloud environment, support model, and compliance posture to match the risk. I can’t configure my way out of being in the wrong cloud. If you want Microsoft’s positioning on this, their Microsoft Cloud for CMMC page gives a helpful high-level overview.
My rule of thumb for picking Commercial, GCC, or GCC High
- FCI-only (Level 1): Commercial is usually fine when locked down.
- CUI (Level 2): GCC High is usually my default choice.
- ITAR or export-controlled work: I plan for GCC High unless legal and contract language says otherwise.
One more practical option: I can keep my main business in Commercial and put only CUI users in GCC High, as long as my workflows keep data from crossing the line.
Microsoft 365 CMMC alignment, what it covers, what I must configure, and what it cannot replace

When people ask me if Microsoft 365 can “do CMMC,” I answer like this: Microsoft 365 gives me strong building blocks, but CMMC is proved with configuration, evidence, and repeatable process.
For cloud selection differences and why many DoD contractors choose GCC High for CUI, this comparison of GCC High vs GCC for protecting CUI with CMMC is a solid reference.
Table: CMMC and NIST 800-171 families mapped to Microsoft 365 features
| Family | What auditors look for (plain words) | Microsoft 365 tools that help | What is still on me |
|---|---|---|---|
| AC | Only approved users get access | Entra ID, Conditional Access, Intune | Access rules, reviews, proof |
| AU | Logs exist and can be reviewed | Purview Audit, Defender, Sentinel (optional) | Retention, daily/weekly review |
| IA | Strong sign-in controls | MFA, Conditional Access, Entra ID | Account process, break-glass plan |
| SC | Data protected in transit/rest | M365 encryption, TLS, Purview | Approved methods, configs documented |
| SI | Malware protection and patching | Defender for Endpoint, Intune | Patch cadence, exception handling |
| IR | Respond to incidents consistently | Defender alerts, Sentinel (optional) | IR plan, roles, exercises |
| CM | Secure settings stay secure | Intune policies, baselines | Change control, approvals, evidence |
| MP | Media and data handling rules | Purview labels/DLP | Handling policy, user training |
| PE | Physical access controlled | (Limited in M365) | Doors, badges, visitor logs |
| AT | Users trained on rules | Training platform, phishing sims (if used) | Training records, enforcement |
| RA | Risks identified and tracked | Defender posture signals | Risk register, remediation plan |
| CA | Assessments and plans exist | Compliance Manager (if used) | SSP, POA&M, internal reviews |
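The AU row above says the log must exist and be reviewed, and the “what is still on me” column is the weekly review itself. The script below is an added example, not code from the original post or from Microsoft: it pulls a week of Entra ID audit events from the unified audit log, summarizes them by operation, and writes both the summary and the raw detail to CSV so the review leaves evidence behind. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role that can search the audit log; the output file names are my own choice.

```powershell
# Added example (not from the original post): weekly unified audit log review
# that produces evidence for the AU family. Assumes the ExchangeOnlineManagement
# module and an account allowed to run Search-UnifiedAuditLog.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)
$stamp = $end.ToString('yyyy-MM-dd')

# Pull one week of directory (Entra ID) events. Page through results with
# SessionCommand so a busy tenant is not cut off at the first page.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType AzureActiveDirectory `
        -SessionId "weekly-review-$stamp" -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    $events += $page
} while ($page.Count -eq 5000)

# Flatten each record: the interesting fields live in the AuditData JSON blob.
$detail = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $e.CreationDate
        Who       = $e.UserIds
        Operation = $e.Operations
        Target    = $d.ObjectId
        Result    = $d.ResultStatus
    }
}

# Summary by operation: the reviewer scans this first, then opens the detail
# for anything unexpected (role changes, new app consents, and so on).
$summary = $detail | Group-Object Operation |
    Sort-Object Count -Descending |
    Select-Object @{n='Operation';e={$_.Name}}, Count

$summary | Export-Csv -Path ".\audit-summary-$stamp.csv" -NoTypeInformation
$detail  | Sort-Object When | Export-Csv -Path ".\audit-detail-$stamp.csv" -NoTypeInformation

# Record that the review happened: the ticket or log entry that references
# these two files is the evidence an assessor asks for.
Write-Host "Reviewed $($detail.Count) directory events for week ending $stamp"
```

Run it on a fixed weekday, attach the two CSVs to the review ticket, and keep the ticket number in your evidence plan for AU. The summary-then-detail split is deliberate: a reviewer who only has ten minutes still sees every operation type that occurred, which is the point of the control.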
My must-do Microsoft 365 configurations for CMMC Level 1 and Level 2
- Enforce MFA for all users with Conditional Access.
- Create break-glass accounts, protect them, test them.
- Block legacy authentication across the tenant.
- Use least privilege admin roles, no daily global admins.
- Require Intune enrollment and compliant devices for access.
- Turn on disk encryption (BitLocker) and escrow recovery keys.
- Roll out Defender for Endpoint and verify onboarding reports.
- Configure Defender for Office 365 (Safe Links, Safe Attachments).
- Use Purview sensitivity labels for CUI, add DLP for email and files.
- Restrict external sharing in SharePoint, OneDrive, and Teams.
- Enable unified audit logging, set clear retention targets.
- Set alerting ownership, define triage steps and time goals.
- Run an incident response tabletop and keep notes and action items.
- Build an evidence plan (screenshots, exports, tickets) per control.
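The first three items on the list (MFA for everyone, protected break-glass accounts, and no legacy authentication) are usually expressed as Conditional Access policies. The script below is an added example, not code from the original post or from Microsoft: it creates those two policies with Microsoft Graph PowerShell, excludes the break-glass accounts from both, starts them in report-only mode so sign-in impact can be checked before enforcement, and exports the resulting policy list as evidence. It assumes the Microsoft.Graph module is installed, that the signed-in account can write Conditional Access policies, and that the break-glass UPNs and policy names shown are placeholders to replace with your own.

```powershell
# Added example (not from the original post): Conditional Access policies for
# tenant-wide MFA and a legacy-authentication block, created in report-only mode.
# Assumes the Microsoft.Graph module; placeholder break-glass UPNs below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholder emergency-access accounts (constructed): replace with your own.
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$breakGlassIds  = foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

# Policy 1: require MFA for all users on all cloud apps, break-glass excluded.
# "enabledForReportingButNotEnforced" logs what would happen without blocking anyone.
$mfaPolicy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. Exchange ActiveSync and "other" clients
# cannot satisfy MFA, so allowing them leaves a path around policy 1.
$legacyBlock = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyBlock

# Evidence: export every policy with its state so the assessor can see scope
# and whether each one is enforced, report-only, or disabled.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, Id |
    Export-Csv -Path ".\ca-policies-evidence.csv" -NoTypeInformation
```

After a week of report-only sign-in logs show no unexpected blocks, flip `state` to `enabled` (a second `Update-MgIdentityConditionalAccessPolicy` call) and re-export the CSV; the before-and-after exports, plus the ticket approving the change, are the evidence trail for AC and IA. Keep the break-glass exclusion on both policies, and test those accounts on a schedule rather than assuming they still work.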
What Microsoft 365 can’t replace is the “paper and people” part: your SSP, your policies, vendor management, backup strategy, vulnerability management, and proof that you actually do the work each month. Licensing also matters. Features vary by tenant type and plan level, so I confirm what’s included before I design the control set.
Conclusion
Microsoft 365 can help me meet many CMMC requirements, but only when I treat it like a system, not a subscription. The honest path is clear: I identify whether I handle FCI or CUI, I scope a tight enclave, I pick the right cloud (Commercial, GCC, or GCC High), and I configure security features with real evidence behind them. That’s what makes Microsoft 365 CMMC alignment believable to a prime and defensible to an assessor.
If you want help, I can map your FCI/CUI scope, recommend a tenant strategy, and turn your current setup into an assessment-ready plan (SSP, evidence list, and a prioritized checklist). No promises of “guaranteed certification,” just a clear plan you can execute and defend.