If you handle CUI in Microsoft 365, a ransomware hit or an admin mistake can turn into a contract problem fast. I’ve learned that auditors don’t just want to hear “we back it up.” They want proof, repeatable restores, and tight access controls.
In this post, I’m laying out a CMMC Level 2 backup approach for Microsoft 365 that’s practical for MSPs and SMB security leads. It’s written for the real world: limited staff, busy systems, and no time for guesswork.
Most importantly, I’ll show what to document and how to test, because evidence is what gets accepted.
## What a CMMC Level 2 backup has to prove (not just promise)
A backup plan fails an assessment when it’s vague. For CMMC Level 2, your backup story must map cleanly to NIST SP 800-171 expectations and hold up during interviews and evidence review. I keep the CMMC assessor mindset front and center, using the DoD’s wording and structure from the CMMC Level 2 Assessment Guide (PDF) to shape deliverables and interview prep.
Here’s the reality that trips teams up: Microsoft 365 provides service availability and data retention features, but that’s not the same as a backup program you control. Native capabilities may help you recover some content in some scenarios, yet they often fall short on independent restore assurance, tamper-resistance, and configuration recoverability. In other words, Microsoft may keep the lights on, but you still need your own fire escape.
Auditors also look for confidentiality of backed-up CUI at the storage location. That aligns with requirements such as protecting backup CUI with cryptographic controls, which guidance like the RE.2.138 backup confidentiality expectations explains clearly. My takeaway is simple: if your backups can be read by the wrong admin, they’re a liability, not a control.
When I’m building this for Small Business IT environments, I define measurable targets up front, then document how the tools meet them:
- RPO (how much you can lose): target under 4 hours for core M365 workloads.
- RTO (how fast you can restore): target under 24 hours for priority datasets.
- Retention: set by policy, with legal and contract inputs, not by default settings.
- Evidence: logs, restore reports, approvals, and access reviews, retained long enough to show a consistent pattern.
That sets the stage for an auditor-friendly design.
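To show what "measurable" looks like in practice, here is an added example (not code from the original post or from any backup product) that checks a backup job history export against the 4-hour RPO target above. The export format (`start,workload,status,duration_minutes`), the workload names, and the sample rows are constructed assumptions; adapt `parse_export()` to the real export your backup tool produces. The point it demonstrates is one that job schedules hide: the data-loss window runs from the start of one successful job to the end of the next, so a failed run, or a long-running job on a 4-hour schedule, can push you past the target even though "backups run every 4 hours" is true.

```python
"""RPO check over a backup job history export (constructed sample).

Added example, not code from the original post or any backup product.
The export format (start,workload,status,duration_minutes) and the
workload names are assumptions; adapt parse_export() to your tool's
real job history export.
"""
from datetime import datetime, timedelta

RPO_TARGET = timedelta(hours=4)  # target from the post: under 4 hours

# Constructed sample export. Exchange runs every 4 hours but one run failed;
# SharePoint runs every 2.5 hours with no failures.
SAMPLE_EXPORT = """\
2026-02-14T00:00:00,exchange,success,35
2026-02-14T04:00:00,exchange,success,33
2026-02-14T08:00:00,exchange,failed,2
2026-02-14T12:00:00,exchange,success,40
2026-02-14T00:00:00,sharepoint,success,58
2026-02-14T02:30:00,sharepoint,success,61
2026-02-14T05:00:00,sharepoint,success,55
"""


def parse_export(text):
    """Turn the export into job dicts with datetime/timedelta fields."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, workload, status, minutes = line.split(",")
        started = datetime.fromisoformat(start)
        jobs.append({
            "start": started,
            "end": started + timedelta(minutes=int(minutes)),
            "workload": workload.strip(),
            "status": status.strip(),
        })
    return jobs


def evaluate_rpo(jobs, rpo=RPO_TARGET):
    """Per workload: success rate and the worst data-loss exposure.

    Exposure is measured from the START of one successful job to the END of
    the next successful one: until the next job completes, the newest usable
    recovery point is the previous snapshot, and a failed run in between
    simply stretches that window. A 4-hour schedule with 30-minute jobs
    therefore does not deliver a 4-hour RPO.
    """
    by_workload = {}
    for job in jobs:
        by_workload.setdefault(job["workload"], []).append(job)

    report = {}
    for workload, wjobs in by_workload.items():
        wjobs.sort(key=lambda j: j["start"])
        ok = [j for j in wjobs if j["status"] == "success"]
        exposures = [nxt["end"] - prev["start"] for prev, nxt in zip(ok, ok[1:])]
        worst = max(exposures, default=timedelta(0))
        report[workload] = {
            "success_rate": len(ok) / len(wjobs),
            "worst_exposure_hours": round(worst.total_seconds() / 3600, 2),
            # With fewer than two successful jobs nothing can be demonstrated,
            # so the target counts as not met rather than vacuously met.
            "meets_rpo": bool(exposures) and worst <= rpo,
        }
    return report


def rpo_report(text=SAMPLE_EXPORT):
    """Convenience wrapper: parse and evaluate in one call."""
    return evaluate_rpo(parse_export(text))


if __name__ == "__main__":
    for workload, row in rpo_report().items():
        print(workload, row)
```

The per-workload dictionary is the shape of evidence worth exporting each quarter: a success rate and a worst-case exposure figure are easier to defend in an interview than a screenshot of a green dashboard.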
## An auditor-accepted Microsoft 365 backup architecture (with hardening)

I think about a CMMC Level 2 backup like a two-key safe. Microsoft 365 is the office where people work, while the backup system must be separate enough that a compromised admin account can’t erase the escape route.
### Separation, least privilege, and admin hygiene
I design the backup admin model so it can survive a tenant compromise:
- Separate backup admin accounts that do not receive email and are excluded from daily browsing.
- Least privilege roles for backup operations (avoid permanent Global Admin). Use just enough permissions to read and restore Exchange, SharePoint, OneDrive, and Teams data.
- MFA and Conditional Access enforced for all backup admins, with location and device compliance requirements.
- Access reviews at least quarterly, with evidence of approvals and removals.
This is where my Cybersecurity Services, Endpoint Security, and Device Hardening practices connect directly to compliance. If backup admins sign in from unmanaged endpoints, you’ve created a quiet bypass around every other control.
### Storage hardening that stands up in an interview
Auditors like clear boundaries. So I make storage controls easy to explain:
- Immutability/WORM on the backup repository, with a defined lock period.
- Encryption at rest and in transit, with documented key management (who can access keys, how rotation works, where escrow lives).
- Separate account or separate tenant for backup storage when feasible, so one credential set can’t wipe both production and backup.
- Replicated copy to another region or account for disaster recovery.
- Optional offline or air-gapped copy for high-risk environments.
This approach fits well whether you’re modernizing Cloud Infrastructure or tying backups into Data Center Technology and Infrastructure Optimization work. It also supports the reality of Office 365 Migration projects, where data volume and permission sprawl can surprise you unless you set guardrails early.
If your backup system trusts the same identities as Microsoft 365, assume an attacker will delete both. Separation is not a luxury, it’s part of the control.
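As an added example (not from the original post), here is a small check that turns the storage-hardening bullets above into something you can run against a repository's settings. It assumes the backup repository is an S3-style bucket and reads the inner JSON objects that S3's object-lock and bucket-encryption configuration APIs return; the two sample configurations, the 30-day policy period, and the placeholder key ARN are constructed. The caveat it encodes is the one an assessor will probe: a repository can report "object lock enabled" and still be erasable if the default retention uses GOVERNANCE mode, which any principal holding the bypass permission can override, and "encrypted at rest" with a provider-managed key leaves you nothing to document about key access or rotation.

```python
"""Backup repository hardening check over immutability and encryption settings.

Added example, not from the original post. It assumes the repository is an
S3-style bucket and reads the JSON shapes returned by S3's object-lock and
bucket-encryption configuration APIs (the ObjectLockConfiguration and
ServerSideEncryptionConfiguration objects); the sample configs below are
constructed. Other object stores expose equivalent settings under other names.
"""

POLICY_RETENTION_DAYS = 30  # assumed retention-policy lock period


def check_repository(lock_cfg, enc_cfg, policy_days=POLICY_RETENTION_DAYS):
    """Return a list of findings; an empty list means the repository passes."""
    findings = []

    # Immutability: object lock must be on, and the default retention must be
    # COMPLIANCE mode. GOVERNANCE mode can be shortened or removed by any
    # principal holding the bypass-governance permission, so a compromised
    # admin could still clear the repository inside the lock period.
    if lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the repository")
    retention = lock_cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention rule: new objects are not locked")
    else:
        if retention.get("Mode") != "COMPLIANCE":
            findings.append(f"retention mode is {retention.get('Mode')}, expected COMPLIANCE")
        locked_days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
        if locked_days < policy_days:
            findings.append(f"lock period {locked_days} days is shorter than policy ({policy_days} days)")

    # Encryption at rest: require SSE-KMS with a named customer-managed key so
    # key access is logged and rotation is something you control and document.
    rules = enc_cfg.get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append(f"default encryption is {default.get('SSEAlgorithm') or 'none'}, expected aws:kms")
    elif not default.get("KMSMasterKeyID"):
        findings.append("aws:kms without a customer-managed key id: key management is not yours to document")
    return findings


# Constructed sample: a repository that looks protected but is not.
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}
WEAK_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

# The same repository with the settings the post calls for (placeholder key ARN).
HARDENED_LOCK = {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}
HARDENED_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID"}}]}


if __name__ == "__main__":
    for label, lock, enc in (("weak", WEAK_LOCK, WEAK_ENC), ("hardened", HARDENED_LOCK, HARDENED_ENC)):
        print(label, check_repository(lock, enc) or ["pass"])
```

Run it against the exported configuration each quarter and file the output next to the screenshots; a dated, empty findings list is cleaner evidence than a screenshot that an assessor has to interpret.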
## The deliverables auditors accept: policy headings, restore tests, and evidence

Tools don’t pass assessments; documentation and repeatable operations do. When I act as a Business Technology Partner, I package backup as part of Business Continuity & Security, with artifacts an assessor can review quickly.
### Sample backup policy headings (copy and adapt)
I keep policies short, signed, and mapped to how we actually operate:
- Purpose and scope (systems in scope, CUI locations, Microsoft 365 services covered)
- Roles and responsibilities (backup owner, approver, restore operator, reviewer)
- Backup frequency and schedules (by workload, with RPO targets)
- Retention and disposal (retention tiers, legal holds, secure deletion)
- Security controls (MFA, Conditional Access, least privilege, encryption, immutability)
- Key management (ownership, rotation, escrow, access logging)
- Restore procedures (who can request, approval steps, chain-of-custody)
- Testing cadence (quarterly restore tests, annual tabletop exercise)
- Logging and evidence retention (what we keep, where, and for how long)
- Exceptions process (documented risk acceptance and expiration)
### Restore-test report template (table you can hand to an auditor)
I run restore tests quarterly, and I treat them like mini-incidents. This table format has worked well because it’s clear and easy to verify.
| Test Date | Dataset | Restore Method | Results | Evidence (Screenshots/Logs) | Approver |
|---|---|---|---|---|---|
| 2026-02-15 | Exchange Online mailbox (CUI sample set) | Point-in-time restore to isolated location | Success | Screenshot link, job log export, ticket ID | Security Lead |
| 2026-02-15 | SharePoint Online site (project library) | File-level restore and permission validation | Success | Before/after screenshots, access test notes | IT Manager |
| 2026-02-15 | OneDrive folder (engineering) | Granular restore, hash spot-check | Partial (1 file failed) | Error log, re-run evidence, remediation note | CISO/VCISO |
I also attach a short “Restore Test Narrative” page with: scope, timing, who performed the work, what changed, and what got better.
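The "hash spot-check" in the OneDrive row of the table is the one step that proves a restore is byte-for-byte correct rather than merely present. Here is an added example (not code from the original post) of how that check works: record a SHA-256 manifest of the source files before the test, hash the restored copies afterwards, and report in the same wording the Results column uses. The file names and contents are constructed; in a real test the manifest comes from the production copy and the restored set from the isolated restore location.

```python
"""Hash spot-check for a granular restore test (added example, not from the post).

Before the test, record a SHA-256 manifest of the source files; after the
restore, hash the restored copies and compare. The file names and contents
below are constructed; in practice the manifest comes from the production
copy and the restored set from the isolated restore location.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {name: bytes} from the source; returns {name: sha256 hex}."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_restore(manifest, restored):
    """Compare restored files against the manifest.

    Returns per-file results plus a summary string in the wording used by
    the restore-test table ("Success" or "Partial (N file(s) failed)"),
    so the output drops straight into the Results column.
    """
    results = {}
    for name, expected in manifest.items():
        if name not in restored:
            results[name] = "missing"
        elif sha256_hex(restored[name]) != expected:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    failed = [name for name, result in results.items() if result != "ok"]
    if failed:
        plural = "s" if len(failed) != 1 else ""
        summary = f"Partial ({len(failed)} file{plural} failed)"
    else:
        summary = "Success"
    return {"summary": summary, "results": results, "failed": failed}


# Constructed sample: three source files, one of which comes back truncated.
SOURCE = {
    "drawings/spec-rev3.pdf": b"%PDF-1.7 constructed sample content rev3",
    "drawings/bom.xlsx": b"PK constructed sample workbook",
    "notes/readme.txt": b"engineering notes, constructed sample",
}
RESTORED = dict(SOURCE)
RESTORED["drawings/bom.xlsx"] = b"PK constructed sample"  # truncated on restore


def sample_check():
    """Run the check over the constructed sample."""
    return verify_restore(build_manifest(SOURCE), RESTORED)


if __name__ == "__main__":
    report = sample_check()
    print(report["summary"])
    for name, result in report["results"].items():
        print(f"  {name}: {result}")
```

The manifest itself is evidence: store it with the restore-test ticket, because it shows the check was defined before the restore ran rather than fitted to the result afterwards.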
### Evidence checklist (what I gather before the assessor asks)
I keep one folder per quarter and name artifacts consistently. For Managed IT for Small Business clients, that saves hours later.
- Backup job history exports (showing frequency and success rates)
- Immutable storage settings screenshots and lock policy details
- Encryption and key management evidence (KMS settings, access logs)
- Conditional Access and MFA enforcement screenshots for backup admins
- Backup admin roster and quarterly access review sign-off
- Restore test reports (table above), plus tickets and approvals
- Incident response tie-in (how restores support containment and recovery)
- Annual tabletop notes (scenario, attendees, decisions, action items)
This is where Technology Consulting, Tailored Technology Services, and IT Strategy for SMBs stop being slogans. A restaurant group, for example, may rely on Microsoft 365 for vendor contracts while also needing Restaurant POS Support and Kitchen Technology Solutions running daily. A documented restore plan keeps both the front office and the floor moving during an outage.
## Conclusion
A CMMC Level 2 backup plan for Microsoft 365 only works if it’s measurable, hardened, and proven by restores you can repeat. I focus on separation of duties, immutability, and evidence that shows the control operates all year, not just before an audit. If you want a fast next step, set RPO/RTO targets, lock down backup admin access, then schedule your first quarterly restore test. The goal is simple: make recovery boring, predictable, and auditor-accepted.