Jackie Ramsey, January 29, 2026

I keep seeing the same painful pattern: a defense contractor buys “the right Microsoft 365,” then still fails a CMMC Level 2 readiness review because the tenant, licenses, and settings don’t match how CUI is actually handled.

For Microsoft 365 CMMC planning, I start with one rule: cloud choice comes first, then licensing, then configuration and evidence. If CUI is living in the wrong place, no license upgrade fixes that.

As of January 2026, timelines are getting real. CMMC requirements can already show up in contracts (Phase 1 started November 10, 2025), and certified Level 2 assessments become broadly required starting November 10, 2026. If you wait until the contract requires it, you’re already late.

My goal here is simple: help you pick a Microsoft 365 licensing stack that supports CMMC Level 2 (aligned to NIST SP 800-171), without wasting money.

Quick picks, the Microsoft 365 CMMC license stack that fits your scenario

[Image: An overview of common Microsoft 365 license tiers used for CMMC Level 2 planning, created with AI.]

Here are the “fast answers” I give most owners and IT managers. These are licensing starting points, not a compliance guarantee. Settings and proof (policies, logs, screenshots, procedures) are what pass an assessment.

  • Minimum viable (small team, cost-sensitive): Microsoft 365 Business Premium in GCC, plus targeted add-ons where your gaps are obvious (audit retention, email security, admin hardening).
  • Best balance (most serious CUI programs): Microsoft 365 Business Premium (or G3/E3-equivalent) in GCC High, then add Advanced Audit and stronger Defender coverage as needed.
  • “I want fewer gaps” (larger org or higher risk): G5/E5-equivalent in GCC High, then confirm whether Advanced Audit is included for your specific SKU. Don’t assume.

If you’re unsure what’s available in government tenants, Microsoft keeps a current comparison of Microsoft 365 Government plans and pricing. I use it as a quick reality check before I scope anything.

Small defense contractor (1 to 50 users) handling CUI

[Image: A small contractor setup using a government cloud and MFA concepts, created with AI.]

For most small contractors, I like Microsoft 365 Business Premium in GCC as a practical baseline when you’re handling CUI and you’re not being forced into GCC High yet. It gives you strong identity and device management fundamentals when configured correctly.

Common add-ons I plan for:

  • Microsoft Purview Advanced Audit (often sold as Audit (Premium)) when audit retention and event depth are too thin for investigations and assessor evidence.
  • Microsoft Defender for Office 365 Plan 2 if phishing and malicious links are a real business risk (for most teams, they are).
  • Microsoft Entra ID P2 for admin accounts when I need tighter control over privileged access (PIM, risk-based signals).

The top reasons this group fails: MFA that’s not enforced everywhere, unmanaged endpoints (no enrollment, no compliance gates), or audit logs that roll off before anyone can prove what happened.

Mixed commercial and DoD work, separate tenant or enclave approach

When a company does both normal commercial work and DoD work, I usually separate CUI one of two ways:

Separate tenants: Commercial tenant for non-CUI, and GCC or GCC High for CUI.

CUI enclave: Keep the CUI workload limited to a smaller group of users, devices, and SharePoint sites. Fewer moving parts makes evidence easier.

This is also where I get strict about cross-tenant and guest risks. Guest sharing, cross-tenant sync, and “quick exceptions” can quietly turn into uncontrolled CUI sprawl. I keep CUI identities and CUI devices tightly controlled, even if it feels inconvenient at first.

Commercial vs GCC vs GCC High vs DoD, picking the right Microsoft cloud before I buy licenses

[Image: A simple view of government cloud choices and decision flow, created with AI.]

If you handle CUI and you’re working toward CMMC Level 2 expectations, Commercial Microsoft 365 is not the right home. In practice, I steer CUI into GCC or GCC High, then I build licensing and controls on top.

To understand the boundary between the government clouds, Microsoft’s own service description for GCC High and DoD is the clearest baseline.

Here’s the decision checklist I use:

  • Do you store or share CUI in email, Teams, SharePoint, or OneDrive? If yes, start with GCC or GCC High.
  • Does your customer require GCC High (or references ITAR/export controls, or “specified CUI” handling)? If yes, go GCC High.
  • Are you a DoD component, or do you have a DoD-only environment requirement? The DoD cloud is usually for DoD organizations, not general contractors.
  • Can you keep CUI contained to a subset of people and devices? If yes, an enclave can control cost.

When GCC is enough for Level 2, and why most small contractors start here

GCC is where many small contractors start because it’s achievable and familiar, and it aligns better to buyer expectations for CUI handling than Commercial.

It also forces the conversation you need for audit readiness: “Where is CUI, who can touch it, and how do we prove it?” Just plan for feature differences and availability compared to Commercial so you don’t get surprised mid-project.

When I choose GCC High or DoD, and what it changes for licensing and operations

I move to GCC High when sensitivity and customer flow-downs demand it. That can mean stricter handling requirements, tighter isolation, and often more cost and admin effort.

Operations change too. Some features arrive later or behave differently, and integrations that were easy in Commercial can take longer. I plan for that early so the compliance push doesn’t break day-to-day work.

Licenses and add-ons I use to cover Level 2 capabilities, plus a simple CMMC family mapping

[Image: A high-level map connecting CMMC control families to common Microsoft 365 features, created with AI.]

This is the part that matters: what the license enables, why Level 2 cares, and the upgrade path I use when an assessor will expect stronger proof.

Identity and access (Entra ID P1 vs P2), MFA, Conditional Access, and admin controls

For Level 2, Entra ID P1 (or the equivalent included in your bundle) is my practical baseline because it supports Conditional Access and strong MFA enforcement. Without Conditional Access, it’s hard to prove you’re controlling access by device state, location, and risk.

Entra ID P2 is my step-up when admin control needs to be tighter. P2 adds tools like Privileged Identity Management (PIM) and risk-based identity protections that help reduce “permanent admin” exposure.

A common pitfall: MFA is “on,” but not enforced for every app and sign-in path. I follow Microsoft’s CMMC guidance for Entra, including their CMMC configuration resources, and I validate sign-ins in logs, not just checkbox settings.
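To make the "MFA is on but not enforced on every path" check concrete, here is an added Python example (not part of the original post, and not a Microsoft tool) that reviews a policy export in the Microsoft Graph conditionalAccessPolicy shape. The three policies, the group and app IDs, and the "hardened" variant are constructed samples; the checks are the ones a reviewer wants evidence for: report-only state, MFA scoped to one app group instead of all cloud apps, undocumented exclusions, an OR operator across several controls, and legacy authentication left unblocked.

```python
"""Review an export of Conditional Access policies for the gap the text
describes: MFA is "on" but not enforced on every app and sign-in path.  Added
example; policy dicts follow the Microsoft Graph conditionalAccessPolicy shape
(displayName, state, conditions.users, conditions.applications,
conditions.clientAppTypes, grantControls), but the policies below are
constructed samples, not an export from a real tenant."""

import copy

# Client app types that cannot perform MFA; the usual answer is a block policy.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def policy(name, state, apps, controls, operator="OR",
           client_types=("browser", "mobileAppsAndDesktopClients"),
           exclude_groups=(), exclude_apps=()):
    """Build one policy in the Graph shape (constructed sample)."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": list(apps), "excludeApplications": list(exclude_apps)},
            "clientAppTypes": list(client_types),
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


# What a tenant that "turned on MFA" often looks like (constructed).
WEAK_POLICIES = [
    policy("Require MFA for Office 365", "enabled", ["Office365"], ["mfa"]),
    policy("Block legacy authentication", "enabledForReportingButNotEnforced", ["All"], ["block"],
           client_types=LEGACY_CLIENT_TYPES),
    policy("Require compliant device", "enabled", ["All"], ["compliantDevice"],
           exclude_groups=["<break-glass-group-id>"], exclude_apps=["<legacy-app-id>"]),
]

# The same tenant after closing the gaps (constructed); the break-glass group exclusion
# stays, because it is expected, but it must be documented.
HARDENED_POLICIES = copy.deepcopy(WEAK_POLICIES)
HARDENED_POLICIES[0]["conditions"]["applications"]["includeApplications"] = ["All"]
HARDENED_POLICIES[1]["state"] = "enabled"
HARDENED_POLICIES[2]["conditions"]["applications"]["excludeApplications"] = []


def policy_gaps(p):
    """Gaps visible in a single policy."""
    gaps = []
    cond, controls = p["conditions"], p["grantControls"]
    if p["state"] != "enabled":
        gaps.append(f"state is {p['state']}: report-only or disabled policies enforce nothing")
    if "mfa" in controls["builtInControls"] and cond["applications"]["includeApplications"] != ["All"]:
        gaps.append(f"MFA required only for {cond['applications']['includeApplications']}; other apps are open")
    if cond["applications"]["excludeApplications"]:
        gaps.append("application exclusions present: each excluded app is a path around the control")
    if cond["users"]["excludeUsers"] or cond["users"]["excludeGroups"]:
        gaps.append("user/group exclusions present: document each one (break-glass) and review it")
    if len(controls["builtInControls"]) > 1 and controls["operator"] == "OR":
        gaps.append("operator is OR: satisfying any one control is enough")
    return gaps


def tenant_gaps(policies):
    """Gaps only visible across the whole policy set."""
    enforced = [p for p in policies if p["state"] == "enabled"]

    def covers_everything(p, control):
        c = p["conditions"]
        return (c["users"]["includeUsers"] == ["All"]
                and c["applications"]["includeApplications"] == ["All"]
                and control in p["grantControls"]["builtInControls"])

    gaps = []
    if not any(covers_everything(p, "mfa") for p in enforced):
        gaps.append("no enforced policy requires MFA for all users on all cloud apps")
    if not any("block" in p["grantControls"]["builtInControls"]
               and LEGACY_CLIENT_TYPES <= set(p["conditions"]["clientAppTypes"]) for p in enforced):
        gaps.append("legacy authentication (which cannot do MFA) is not blocked by an enforced policy")
    return gaps


def review(policies):
    """Map each policy name to its gaps, plus a 'tenant' entry for set-wide gaps."""
    result = {p["displayName"]: policy_gaps(p) for p in policies}
    result["tenant"] = tenant_gaps(policies)
    return result


if __name__ == "__main__":
    for label, policies in (("weak", WEAK_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(label, review(policies))
```

The point of the two-level review is that a single policy can look fine on its own screen while the set still leaves a path open: the sample MFA policy is enabled and scoped to all users, but only for the Office 365 app group, and the legacy-auth block is in report-only mode, so neither shows up until you ask "is there any enforced policy that covers everything?"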

Devices, endpoint security, and email protection (Intune, Defender for Endpoint, Defender for Office 365)

Managed devices are non-negotiable for Level 2 because they let me gate access using compliance. Intune gives me device enrollment, baseline policies, encryption requirements, patch posture checks, and compliance-driven access rules.

For endpoints, I use Microsoft Defender for Endpoint (or Defender for Business in smaller bundles) to cover EDR, alerts, and response workflows.

For email, Defender for Office 365 Plan 1/2 reduces phishing and malicious attachments. Plan 2 is usually where I land when the business can support it because it improves investigation and response depth.

Two avoidable traps I see often: BYOD access without enrollment, and shared accounts or shared mailboxes that wreck accountability.
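Validating sign-ins in the logs rather than in checkbox settings, and catching the BYOD and shared-account traps above, can be done from an export of the Entra sign-in log. The following added Python example (not from the original post, and not a Microsoft tool) reads records in the Microsoft Graph signIn shape and produces four evidence lists: successful interactive sign-ins that did not require MFA, sign-ins from unmanaged or non-compliant devices, sign-ins through legacy clients, and identities that succeed from many distinct devices. Every record is constructed sample data, the contoso.example names and documentation-range IPs are placeholders, and the shared-account rule is a heuristic of this example, not a Microsoft signal.

```python
"""Read exported Entra sign-in log records and pull out the evidence an
assessor asks for: which successful sign-ins did not require MFA, which came
from unmanaged or non-compliant devices, which used legacy clients, and which
accounts look shared.  Added example; records follow the Microsoft Graph
signIn shape (userPrincipalName, appDisplayName, isInteractive, status,
authenticationRequirement, conditionalAccessStatus, deviceDetail, ipAddress,
clientAppUsed), but every record below is constructed sample data."""

from collections import defaultdict

# clientAppUsed values that support modern auth; anything else is a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def rec(upn, app, mfa, ca, managed, compliant, device, ip, client="Browser",
        interactive=True, error=0):
    """Build one sign-in record in the Graph signIn shape (constructed sample)."""
    return {
        "userPrincipalName": upn, "appDisplayName": app,
        "isInteractive": interactive, "status": {"errorCode": error},
        "authenticationRequirement": "multiFactorAuthentication" if mfa else "singleFactorAuthentication",
        "conditionalAccessStatus": ca, "clientAppUsed": client, "ipAddress": ip,
        "deviceDetail": {"deviceId": device, "isManaged": managed, "isCompliant": compliant},
    }


SAMPLE_SIGNINS = [
    rec("alice@contoso.example", "Office 365 Exchange Online", True, "success", True, True, "dev-a1", "203.0.113.10"),
    rec("bob@contoso.example", "Azure Portal", False, "notApplied", True, True, "dev-b1", "203.0.113.11"),
    # Token refresh for bob: non-interactive, must not be counted as a single-factor sign-in.
    rec("bob@contoso.example", "Azure Portal", False, "notApplied", True, True, "dev-b1", "203.0.113.11",
        interactive=False),
    rec("carol@contoso.example", "Office 365 SharePoint Online", True, "success", False, False, "", "198.51.100.7"),
    rec("dave@contoso.example", "Office 365 Exchange Online", False, "notApplied", False, False, "", "198.51.100.9",
        client="Exchange ActiveSync"),
    # Failed sign-in (wrong password): excluded from every list.
    rec("eve@contoso.example", "Office 365 Exchange Online", False, "failure", True, True, "dev-e1", "203.0.113.12",
        error=50126),
    rec("ops-shared@contoso.example", "Microsoft Teams", True, "success", True, True, "dev-s1", "203.0.113.20"),
    rec("ops-shared@contoso.example", "Microsoft Teams", True, "success", True, True, "dev-s2", "203.0.113.21"),
    rec("ops-shared@contoso.example", "Microsoft Teams", True, "success", True, True, "dev-s3", "203.0.113.22"),
]


def review_signins(records, shared_device_threshold=3):
    """Return the four evidence lists a Level 2 reviewer wants from sign-in logs."""
    # Only successful, interactive sign-ins count: token refreshes (isInteractive
    # false) ride on the existing session and would otherwise be mis-read as
    # single-factor access.
    successes = [r for r in records if r["status"]["errorCode"] == 0 and r["isInteractive"]]
    single_factor, unmanaged, legacy = [], [], []
    devices_per_user = defaultdict(set)
    for r in successes:
        who = (r["userPrincipalName"], r["appDisplayName"], r["clientAppUsed"])
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            single_factor.append(who)
        d = r["deviceDetail"]
        if not (d.get("isManaged") and d.get("isCompliant")):
            unmanaged.append(who)
        if r["clientAppUsed"] not in MODERN_CLIENTS:
            legacy.append(who)
        # Unenrolled devices carry no deviceId; fall back to the source address.
        devices_per_user[r["userPrincipalName"]].add(d.get("deviceId") or r["ipAddress"])
    # Heuristic of this example, not a Microsoft signal: one identity succeeding
    # from many distinct devices is a candidate shared account, which breaks
    # the accountability an assessor expects from audit records.
    shared = sorted(u for u, devs in devices_per_user.items() if len(devs) >= shared_device_threshold)
    return {"single_factor": single_factor, "unmanaged_device": unmanaged,
            "legacy_client": legacy, "possible_shared_accounts": shared}


if __name__ == "__main__":
    for category, hits in review_signins(SAMPLE_SIGNINS).items():
        print(f"{category}: {hits}")
```

Run against the sample, the report shows exactly the kinds of findings the text warns about: an admin reaching the Azure Portal with a single factor because Conditional Access was not applied, an unenrolled device reaching SharePoint, an Exchange ActiveSync client bypassing MFA entirely, and one "ops" identity in use from three devices. On a real export, the same function runs over the JSON records unchanged, and the three-tuples are what you paste into the evidence package.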

Protecting CUI and proving it (Purview labels, DLP, encryption, Audit, retention, and eDiscovery)

If CUI is the crown jewels, Microsoft Purview is the safe and the camera system.

  • Sensitivity labels and encryption help me mark and protect CUI in files and email.
  • DLP policies help stop risky sharing (like external forwarding or uploading to unsanctioned locations).
  • Audit logging and retention are where many tenants fall short. Default audit retention can be too short for investigations and for showing evidence during an assessment, which is why Advanced Audit becomes a common add-on.

For legal hold and investigations, eDiscovery features matter. Many small firms do fine with standard eDiscovery if processes are clean, but larger orgs and higher-risk cases often need the premium options.

Minimum bundles and a simple mapping from CMMC Level 2 families to Microsoft 365 features

Plain-language bundle guidance:

  • Business Premium (Gov): strong baseline for small orgs, often needs add-ons (Advanced Audit, Defender for Office 365 P2, Entra P2 for admins).
  • E3/G3-equivalent: good foundation, but I typically add Defender and Advanced Audit to make evidence stronger.
  • E5/G5-equivalent: most built-in coverage, still verify Audit (Premium) needs and tenant feature availability.

Compact CMMC family mapping (examples, not exhaustive):

  • AC / IA: Conditional Access, MFA, privileged role control (Entra ID P1, Entra ID P2 for PIM).
  • AU: Unified audit logging, longer retention, richer events (Purview Audit, Advanced Audit add-on).
  • SC / SI: device compliance access gates, EDR, email threat protection (Intune, Defender for Endpoint, Defender for Office 365).
  • IR: alerting, investigation, response evidence (Defender portals plus Audit and eDiscovery).
  • CM / CA / MA: configuration baselines and enforcement, documented settings, patch and device posture reports (Intune plus documented procedures).

Conclusion

If you take one thing from this, it’s the decision order I use every time: pick the right cloud for CUI (usually GCC or GCC High), pick the base bundle that fits your size, then add what closes your gaps (often Advanced Audit, stronger email protection, and Entra ID P2 for admins).

Licensing names and what’s included can change, and the final word is always Microsoft’s licensing terms for your tenant and SKU.

If you want a faster, cleaner path, I offer a quick Microsoft 365 tenant and license gap review. I can also help you plan a CUI enclave or a tenant split so CUI stays contained and assessable, instead of scattered across “good enough” settings.
