Jackie Ramsey, May 29, 2026

Secure Score can pull a team into point chasing when what it needs is proof. I’ve seen Microsoft 365 admins raise the number, feel better for a week, and still leave major CMMC Level 2 gaps open.

When I build a CMMC secure score roadmap, I use the score as a guide, not a finish line. The real job is to connect Microsoft 365 actions to NIST SP 800-171 requirements, documented processes, and evidence an assessor can follow.

Secure Score helps, but it doesn’t prove CMMC Level 2

As of May 2026, CMMC Level 2 aligns to the 110 security requirements in NIST SP 800-171 Rev. 2 for companies that handle Controlled Unclassified Information, or CUI. The assessment model checks whether those requirements are in place and operating, not whether a dashboard number went up.

That distinction matters. Microsoft’s Secure Score measures security posture inside Microsoft 365 and related services. It can show where identity, device, mail, and data settings are weak. It can also help me rank work by likely risk reduction. Still, it is not a direct measure of compliance, and it does not guarantee certification.

Microsoft says CMMC Level 2 maps to the NIST SP 800-171 requirement set in its CMMC overview for Azure and Microsoft cloud services. I treat that as context, not as a shortcut. The contract, the system boundary, and the actual handling of CUI still drive the assessment.

A higher Secure Score can support a stronger story, but it can’t replace policy, process, or evidence.

I break the work into three lanes. First, there are technical controls, such as Conditional Access, MFA, audit logging, endpoint protection, and data loss prevention. Second, there are policy and process requirements, such as account management procedures, incident response steps, media handling rules, and security training. Third, there is evidence collection, which proves the first two are real and operating.

Secure Score mainly helps with the first lane. It has only partial value in the second lane, and almost none in the third unless I capture its outputs as supporting records. A tenant can score well while still missing approved policies, review records, training logs, or proof that admins follow procedure.

That is why I never ask, “How do I get my score above X?” I ask, “Which Secure Score actions reduce risk in scope, map to required practices, and create evidence I can defend?”

Start with scope, licensing, and your real baseline

The roadmap starts before I touch an improvement action. I first define scope, because CMMC pain usually starts with blurry boundaries. Which users handle CUI? Which endpoints access it? Which SharePoint sites, Teams, mailboxes, and third-party apps sit in scope? Which admins can touch the environment, even if they don’t work with CUI every day?

Next, I check tenant architecture and licensing. Commercial Microsoft 365, GCC, and GCC High do not give you the same fit for every defense use case. I don’t assume the current tenant is right. I confirm what data lives where, which features are licensed, and where native controls stop. That step keeps the roadmap honest.

Then I capture a baseline. I export current Secure Score actions, review Secure Score history, and compare the top recommendations against the actual CMMC boundary. I also compare Microsoft 365 capabilities to the control families in this NIST 800-171 and CMMC guide for M365. I am not looking for a perfect one-to-one map. I am looking for priorities, dependencies, and obvious gaps.

In MSP-backed firms, I almost never see CMMC work by itself. It sits next to small business IT needs, cloud infrastructure upgrades, Office 365 migration cleanup, and older data center choices that still shape identity and file flow. The same provider may already deliver cybersecurity services, cloud management, technology consulting, and infrastructure optimization across the business. A provider that acts as a real business technology partner ties the roadmap to the firm's IT strategy, secure cloud architecture, managed IT, and business continuity and security plans. Digital transformation still moves forward, but endpoint security and device hardening move to the front of the line. Some MSPs also support unregulated clients, such as restaurant POS and kitchen technology work, so they need service models that fit regulated and non-regulated environments without mixing them.

A clean baseline turns Secure Score into something useful. It becomes a triage board, not a trophy.

A phased Microsoft 365 roadmap that I can defend

I get the best results when I phase the work. That keeps the team from deploying random controls without scope, ownership, or evidence.

| Phase | Primary goal | Microsoft 365 focus | Main output |
|---|---|---|---|
| Baseline | Define scope and gaps | Tenant review, licensing, score export, control mapping | Gap register |
| Quick wins | Cut obvious risk fast | MFA, legacy auth, forwarding, admin hygiene, audit settings | Early risk reduction |
| Foundational controls | Build consistent control coverage | Conditional Access, Intune, Defender, sharing controls, labels | Stable operating baseline |
| Advanced hardening | Reduce bypass paths and abuse | PIM, access reviews, ASR, stronger segmentation, app governance | Higher maturity |
| Validation and evidence | Prove controls work | Evidence packs, procedures, reviews, POA&M updates | Assessment-ready record set |

The phases overlap, but the order matters. Quick wins buy time. Foundational controls create consistency. Advanced hardening closes the back doors that attackers and assessors both find.

Phase 1, quick wins that lower risk fast

I start with actions that remove common attack paths and lift the score for good reasons. MFA for every user is first, and stronger MFA for admins is close behind. If legacy authentication is still enabled, I move to block it after confirming no business system still depends on it. Old protocols can keep a tenant exposed even after MFA rollout.

Admin hygiene comes next. I separate daily user accounts from admin accounts, reduce standing Global Administrator access, and review break-glass accounts. Then I shut off external auto-forwarding unless there is a documented business case. That closes a common exfiltration path and often improves mail security posture at the same time.

Mail protections are another quick return area. Defender for Office 365 policies, anti-phishing settings, Safe Links, and Safe Attachments all help, if the licenses are there. I also review mailbox auditing, unified audit log coverage, and alert policies. If logging is weak, the team may miss both attacks and evidence.

These changes often raise Secure Score quickly. I still don’t treat that rise as compliance progress by itself. I tie each action to the relevant control family, record who approved it, and save proof of the change. When I can say, “We blocked legacy auth in scope, documented the decision, and kept the policy export,” the point increase becomes meaningful.

Phase 2, foundational controls in identity, devices, and data

Quick wins cut noise, but foundational controls create repeatable protection. This is where I turn a loose Microsoft 365 tenant into a controlled environment.


On the identity side, I build Conditional Access policies around role, device state, location risk, and session risk where licensing supports it. That usually means requiring MFA, blocking unsupported platforms, and restricting admin access to managed devices. I also review guest access, external collaboration, and consent to third-party apps. A low-friction tenant is easy to use, but it is also easy to abuse.

On endpoints, Intune becomes central. I use compliance policies, configuration profiles, and security baselines to enforce disk encryption, screen lock, local admin controls, and patch posture. Defender for Endpoint adds EDR visibility, vulnerability signals, and attack surface settings. This is where Device Hardening becomes real, because the rules land on the machines that touch CUI.

Data controls need the same discipline. I review SharePoint, OneDrive, and Teams sharing settings first. Then I apply Purview sensitivity labels and, where practical, DLP policies for CUI-related handling. I keep the rollout grounded in business process. If labels break collaboration or DLP floods the help desk, users route around it.

This phase often exposes a hard truth. Microsoft 365 can cover a large part of the technical ground, but not every Level 2 requirement is a native toggle. Formal policy approval, personnel practices, physical safeguards, and some monitoring or recovery needs may still call for outside tools or managed support.

Phase 3, advanced hardening for the places attackers look for shortcuts

Advanced hardening closes the gaps left by broad policy deployment. I focus on abuse paths that stay quiet until an incident or an assessment.

Privileged Identity Management is high on that list. If the tenant supports it, I move admins to just-in-time elevation, approval flows, and role activation logging. Access reviews also matter, because stale access is common in firms that grew fast or changed contracts. When reviewers actually complete those reviews on schedule, I gain both control value and evidence.

Defender for Endpoint hardening can go deeper as well. Attack surface reduction rules, tamper protection, web content controls, and vulnerability-based remediation all help, but I stage them carefully. Some ASR rules break line-of-business apps, so I use pilot groups and documented exceptions rather than broad guesswork.

I also harden the app layer. That includes admin consent workflows, review of OAuth grants, tighter control over unmanaged devices, and session restrictions for browser access where the risk justifies it. If CUI can spill through unmanaged endpoints or risky apps, the score may still look decent while exposure remains high.

At this stage, I also decide where Microsoft 365 stops. Some teams need stronger log retention, SIEM correlation, third-party backup, managed detection, or tighter network separation around CUI workloads. A mature roadmap admits those gaps early. It doesn’t pretend the platform solves every control by itself.

Turn Secure Score into POA&M and executive reporting

Most teams look at Secure Score as a moment-in-time gauge. I get more value from trend lines and action-level analysis. A single score can hide drift, false comfort, or work that raised the number but did little for the CMMC boundary.

I map Secure Score actions into a POA&M, or Plan of Action and Milestones, with a simple set of fields: related control family, risk level, effort, dependency, owner, due date, and evidence status. Then I sort by business impact, not by Microsoft’s point value alone. A 10-point action that touches all admins may beat a 25-point action that only changes a low-risk setting.

For example, disabling legacy auth, reducing standing admin rights, and enforcing managed-device access often deserve earlier dates than cosmetic improvements. By contrast, a score action with limited scope, weak evidence value, or poor fit for the tenant may stay deferred with a documented reason. That is still disciplined risk management.

Secure Score history also helps me spot stalls. If the trend flatlines for two months, I know one of three things is happening: the easy items are done and the team has hit licensing or design limits, the owners are stuck waiting for policy approval, or the score is rising outside the actual CUI scope. Each case needs a different decision.
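The POA&M ranking and the stall check from the last few paragraphs, as an added worked example (my own illustration, not code from the original post or from Microsoft). The weights, control family labels, owners and the score history are constructed assumptions; a real run would load the tenant's Secure Score export and history instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Weights for the POA&M ranking. Illustrative assumptions for the method in the
# text, not values Microsoft publishes.
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class PoamItem:
    action: str            # Secure Score improvement action, as exported
    control_family: str    # NIST SP 800-171 family the action supports
    points: int            # Microsoft's point value for the action
    risk: str              # high / medium / low, judged against the CUI boundary
    scope_share: float     # fraction of in-scope identities or devices affected, 0..1
    effort_days: int
    evidence_value: str    # high / medium / low: how defensible a record the change leaves
    owner: str = "unassigned"


def business_impact(item: PoamItem) -> float:
    """Rank by risk reduced inside scope; Secure Score points only break ties."""
    return round(RISK_WEIGHT[item.risk] * item.scope_share * 10
                 + RISK_WEIGHT[item.evidence_value] * 2
                 + item.points / 25, 2)


def prioritize(items: list) -> list:
    """Highest business impact first; cheaper work first when impact ties."""
    return sorted(items, key=lambda i: (-business_impact(i), i.effort_days))


def score_stalled(history: list, days: int = 60, tolerance: float = 1.0) -> bool:
    """True when the score moved less than `tolerance` points over the last `days`."""
    history = sorted(history)
    cutoff = history[-1][0] - timedelta(days=days)
    window = [score for when, score in history if when >= cutoff]
    return len(window) >= 2 and max(window) - min(window) < tolerance


# Constructed sample: a broad high-risk action worth few points versus a narrow,
# low-risk action worth many. Control family labels and owners are made up.
SAMPLE = [
    PoamItem("Enable DLP alert for one low-risk site", "3.3 Audit and Accountability", 25, "low", 0.1, 1, "low"),
    PoamItem("Block legacy authentication in scope", "3.1 Access Control", 10, "high", 1.0, 3, "high", "IAM lead"),
    PoamItem("Reduce standing Global Administrators", "3.1 Access Control", 10, "high", 1.0, 5, "high", "IAM lead"),
]
# Constructed monthly score history that has flatlined for the last two months.
HISTORY = [(date(2026, 2, 1), 52.0), (date(2026, 3, 1), 61.5), (date(2026, 4, 1), 61.7), (date(2026, 5, 1), 61.9)]
```

With these weights the two 10-point admin actions rank ahead of the 25-point low-risk setting, and the history is flagged as stalled because the last two samples moved by only 0.2 points.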

For executive reporting, I keep the view short and tied to risk. I usually show the score trend, the number of high-impact actions completed, the count of open POA&M items by control family, and the top blocked decisions. That last category matters because many delays are not technical. They come from budget, staffing, tenant strategy, or an unresolved call on GCC versus another path.

Secure Score is most useful when it answers, “What should we do next, and what risk drops when we do it?”

This approach works well for compliance managers and owners who do not live in the tenant every day. They can see progress, blockers, and residual risk without mistaking one Microsoft metric for readiness. It also helps MSPs prove they are moving more than tickets. They are moving risk down and building an audit trail at the same time.

Build evidence an assessor can follow

Evidence is where many Microsoft 365 projects fall apart. The controls may be active, yet nobody saved policy exports, approval records, or review logs. When that happens, the team ends up rebuilding history under pressure.

I organize evidence by control objective, not by product. A Conditional Access export, an Intune compliance policy, a screenshot of Defender posture, and a written access control policy may all support the same requirement. When those pieces live together, the assessor can follow the story.

I usually collect evidence in four groups:

  • Configuration proof, such as policy exports, reports, and dated screenshots.
  • Process records, such as access reviews, onboarding and offboarding tickets, and exception approvals.
  • Governance documents, such as approved policies, standards, and procedures.
  • Operational records, such as incident tickets, training logs, vulnerability remediation notes, and test results.

I also separate “implemented” from “operating.” A DLP policy that exists is not the same as a DLP policy that has been tuned, reviewed, and acted on. The same goes for alerting, retention, and endpoint policies. If nobody reviews the output, the control story is weak.
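The four evidence groups and the implemented-versus-operating distinction, as an added worked example (my own illustration, not code from the original post). The evidence register, objective labels, dates, the ticket id and the 90-day review cadence are constructed assumptions.

```python
from datetime import date

# Evidence groups from the roadmap: configuration proof, process records,
# governance documents, operational records.
GROUPS = {"configuration", "process", "governance", "operational"}

# Constructed evidence register, organized by control objective rather than
# by product. Objective labels are shortened NIST SP 800-171 requirements.
EVIDENCE = {
    "3.1.1 Limit system access to authorized users": [
        {"group": "configuration", "item": "Conditional Access policy export", "dated": date(2026, 4, 20)},
        {"group": "governance", "item": "Approved access control policy v2", "dated": date(2026, 1, 15)},
        {"group": "process", "item": "Q1 access review completion record", "dated": date(2026, 3, 31)},
        {"group": "operational", "item": "Offboarding ticket (sample id IT-1042)", "dated": date(2026, 4, 3)},
    ],
    "3.1.3 Control the flow of CUI": [
        {"group": "configuration", "item": "Purview DLP policy export", "dated": date(2026, 2, 2)},
        {"group": "governance", "item": "Approved data handling standard", "dated": date(2026, 1, 15)},
    ],
}


def assess(register: dict, as_of: date, review_cadence_days: int = 90) -> dict:
    """Separate 'implemented' from 'operating' per control objective.

    Implemented: configuration proof exists. Operating: a process or operational
    record newer than the review cadence also exists, showing someone reviews
    and acts on the control's output. Also lists evidence groups still missing."""
    results = {}
    for objective, items in register.items():
        present = {i["group"] for i in items}
        implemented = "configuration" in present
        recent = [i["item"] for i in items
                  if i["group"] in ("process", "operational")
                  and (as_of - i["dated"]).days <= review_cadence_days]
        results[objective] = {
            "implemented": implemented,
            "operating": implemented and bool(recent),
            "missing_groups": sorted(GROUPS - present),
            "recent_records": recent,
        }
    return results
```

Run against the sample as of late May 2026, the access control objective is both implemented and operating, while the DLP objective is implemented but not operating because no review or action record exists yet.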

Secure Score artifacts can support the package, but they are supporting evidence. I may save the score history, improvement actions, and screenshots of completed recommendations. I do not use those items as the package itself. Compliance Manager can help with task assignment and narrative mapping, but it is still a workspace, not a substitute for operating records.

Finally, I match the evidence set to the assessment path. Some contracts allow a self-assessment for Level 2, while others require a C3PAO assessment. Either way, the standard stays high. Clear scope, consistent control operation, and clean evidence make the difference between a tense review and a manageable one.

Conclusion

A Microsoft 365 score can point me toward better security, but it can’t stand in for evidence. The teams that do well with CMMC Level 2 are the ones that treat Secure Score as a prioritization tool, then back every major control with policy, process, and records.

I start with scope, knock out quick wins, build foundational controls, harden the bypass paths, and track the whole effort through a living POA&M. When that work is visible in both the tenant and the evidence set, the roadmap stops being a dashboard exercise and starts looking like real readiness.
