Jackie Ramsey, March 2, 2026

Email is still the easiest door into a contractor’s environment. One good phish can turn into stolen credentials, mailbox rules, and quiet data theft that nobody spots for weeks.

When I build a CMMC Level 2 O365 baseline, I start with Microsoft Defender for Office 365 because it gives me strong, auditable controls for phishing, malware, and user reporting. It also creates evidence that a C3PAO can review without guesswork.

I’m writing this for MSPs and IT admins supporting defense contractors going for CMMC Level 2 (aligned to NIST SP 800-171’s 110 requirements). In March 2026, the timeline pressure is real, with Level 2 requirements phasing into contracts and a major milestone in late 2026. That means “we turned it on” is not enough; you need repeatable settings and clean proof.

Scope first: what “CMMC Level 2 O365” means for Defender for Office 365

Diagram of how Defender for Office 365 and related Microsoft 365 security components fit together for a CMMC-focused baseline, created with AI.

Before I touch policies, I scope what mailboxes, domains, and workflows handle CUI. If CUI is in email, then Exchange Online, Teams, OneDrive, and SharePoint can all end up in scope. That scope decision drives licensing, logging, and your evidence plan.

From there, I align three things:

  • Controls and intent (CMMC Level 2 mapped to NIST SP 800-171).
  • Tenant design (commercial, GCC, or GCC High depends on your contract flowdown and where CUI is stored and processed).
  • Operational reality (small IT team, limited time, and high audit pressure).

For the broader CMMC picture and the “110 requirements” framing, I often point stakeholders to summaries like key CMMC Level 2 control families, then I translate that into Microsoft-native configuration and evidence.

Here’s how my defaults differ by tenant size. This helps avoid a “perfect on paper” build that collapses under alert noise.

| Baseline area | Small tenant default (under ~300 seats) | Mid-size tenant default (300 to 2,500 seats) |
|---|---|---|
| Policy deployment | Start with Microsoft preset policies, then small exceptions | Preset policies plus segmented policies by department/risk |
| Alert routing | One queue, one on-call rotation | Tiered routing (help desk, security, escalation) |
| AIR (auto investigation) | Enabled, with approvals required | Enabled, more automation after tuning period |
| Allow lists | Keep near-zero, time-box exceptions | Central change control, documented business owner approvals |

If you need a Microsoft reference to support the compliance conversation (especially access control dependencies like MFA and conditional access), Microsoft’s own guidance on CMMC Level 2 access control in Entra is a solid anchor.

I treat this as part of my broader service stack too. Clients usually bring me in for Small Business IT, Cloud Infrastructure, Office 365 Migration, and Cloud Management, but CMMC pushes everything closer together, from Endpoint Security and Device Hardening to Business Continuity & Security. Even shops that call for Restaurant POS Support and Kitchen Technology Solutions still need secure mail when they bid or subcontract in the defense supply chain.

Baseline Recommendation: Defender for Office 365 policies I set on day one

High-level flow of the baseline setup sequence for Defender for Office 365, created with AI.

I do almost all configuration in the Microsoft Defender portal at security.microsoft.com. Microsoft renames menus often, so if a node is missing, use the portal search for the feature name (for example, “Safe Links” or “Anti-phishing”) and open the matching policy blade.

Baseline Recommendation (practical defaults that audit well):

  1. Enable preset security policies (Defender for Office 365)
    I start with the built-in presets because they reduce missed settings. Choose Standard for piloting, then move to Strict for high-risk groups once the business is ready. Microsoft’s baseline guidance in Configure security baselines is a helpful reference when someone asks why presets matter.
  2. Anti-phishing policy with impersonation protection
    I turn on user impersonation and domain impersonation protection for all in-scope users. I also protect high-value targets (executives, finance, IT admins). Most tenants fail CMMC-adjacent reviews here because they protect “everyone” but forget the special handling for VIPs.
  3. Safe Links for email and Teams, with real-time scanning
    I enable Safe Links rewriting and click-time checks. I also block user click-through on high confidence phish, unless a documented exception exists. If users can bypass, auditors will ask why.
  4. Safe Attachments with dynamic delivery
    I enable Safe Attachments for Exchange Online, then expand to SharePoint, OneDrive, and Teams as scope requires. Dynamic delivery keeps mail flowing while detonation runs, which reduces help desk pain.
  5. Anti-malware, anti-spam, and outbound spam controls
    I set aggressive inbound filtering, but I spend equal time on outbound. Outbound controls catch compromised accounts and stop your domain from getting burned.
  6. User reporting and quarantine workflow
    I enable user-reported messages, set who can release from quarantine, and document the escalation path. This is where policy meets behavior, which matters for training and incident response evidence.
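The six steps above are portal clicks in the post; the same baseline can be applied and re-applied from the ExchangeOnlineManagement module, which also makes the settings reproducible across tenants. The script below is an added example, not the author’s or Microsoft’s own script. It assumes a single in-scope domain `contoso.com`, a SecOps mailbox `secops@contoso.com`, a partner domain `primecontractor.example`, and the VIP list in `$Vips`; all of those are placeholders. It requires an account holding the Security Administrator role.

```powershell
# Added example (not the author's script): day-one Defender for Office 365 baseline
# applied with the ExchangeOnlineManagement module. Assumed values: the in-scope domain
# contoso.com, the mailbox secops@contoso.com, the partner domain primecontractor.example,
# and the VIP list below. Run interactively as a Security Administrator.
#Requires -Modules ExchangeOnlineManagement

$CuiDomain      = 'contoso.com'                    # assumption: domain whose mailboxes handle CUI
$SecOpsMail     = 'secops@contoso.com'             # assumption: receives blocked files and user reports
$PartnerDomains = @('primecontractor.example')     # assumption: external domains to guard against lookalikes
$Vips           = @(                               # assumption: "Display Name;smtp" pairs (execs, finance, IT)
    'Jane Doe;jane.doe@contoso.com',
    'Sam Finance;sam.finance@contoso.com'
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Preset security policies. The Standard/Strict rules only exist after the preset has
#    been configured once in the portal, so check before enabling.
$preset = 'Standard Preset Security Policy'
if (Get-EOPProtectionPolicyRule -Identity $preset -ErrorAction SilentlyContinue) {
    Enable-EOPProtectionPolicyRule -Identity $preset
    Enable-ATPProtectionPolicyRule -Identity $preset
} else {
    Write-Warning "$preset not found; configure it once in the Defender portal, then re-run."
}

# 2. Anti-phishing with user, domain and mailbox-intelligence impersonation protection.
$apName = 'CMMC CUI Anti-Phish'
if (-not (Get-AntiPhishPolicy -Identity $apName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy -Name $apName `
        -EnableTargetedUserProtection $true -TargetedUsersToProtect $Vips `
        -TargetedUserProtectionAction Quarantine `
        -EnableOrganizationDomainsProtection $true `
        -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $PartnerDomains `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
        -MailboxIntelligenceProtectionAction Quarantine `
        -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
        -PhishThresholdLevel 3 `
        -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
        -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true | Out-Null
    New-AntiPhishRule -Name $apName -AntiPhishPolicy $apName -RecipientDomainIs $CuiDomain -Priority 0 | Out-Null
}

# 3. Safe Links for email, Teams and Office apps: real-time scan, no user click-through.
$slName = 'CMMC CUI Safe Links'
if (-not (Get-SafeLinksPolicy -Identity $slName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $slName `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false -DisableUrlRewrite $false | Out-Null
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $CuiDomain -Priority 0 | Out-Null
}

# 4. Safe Attachments with Dynamic Delivery; detonated-malicious files go to SecOps, not the user.
$saName = 'CMMC CUI Safe Attachments'
if (-not (Get-SafeAttachmentPolicy -Identity $saName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action DynamicDelivery `
        -Redirect $true -RedirectAddress $SecOpsMail | Out-Null
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $CuiDomain -Priority 0 | Out-Null
}
# Extend detonation to SharePoint, OneDrive and Teams files (Safe Documents needs an E5 Security license).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# 5. Inbound actions that quarantine rather than junk phish, plus outbound limits that
#    stop a compromised account from burning the domain.
Set-HostedContentFilterPolicy -Identity Default `
    -PhishSpamAction Quarantine -HighConfidenceSpamAction Quarantine -SpamAction MoveToJmf `
    -BulkThreshold 6 -BulkSpamAction MoveToJmf -QuarantineRetentionPeriod 30
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 800 `
    -ActionWhenThresholdReached BlockUser -AutoForwardingMode Off

# 6. User reporting: submissions go to Microsoft and a copy lands in the SecOps mailbox.
Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
    -EnableReportToMicrosoft $true `
    -ReportJunkToCustomizedAddress $true    -ReportJunkAddresses $SecOpsMail `
    -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $SecOpsMail `
    -ReportPhishToCustomizedAddress $true   -ReportPhishAddresses $SecOpsMail
```

The `if (-not (Get-…Policy …))` guards make the script safe to re-run; it creates each custom policy once and then only re-asserts the tenant-wide defaults. Quarantine release rights (step 6 in the post) are set on the quarantine policy assigned to these actions and are left at the tenant default here.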

Gotcha I see all the time: techs add “temporary” allow lists to stop complaints, then forget them. I time-box exceptions and require a ticket number in the policy notes.
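To make the "time-boxed, ticketed exceptions" rule checkable rather than aspirational, the following added example (not the author’s script) audits every allow entry in the Tenant Allow/Block List and in the anti-spam policies. It assumes tickets are referenced in the entry notes as `TKT-<digits>` and that anything allowed for longer than 45 days is not time-boxed; both are placeholder conventions. It needs an active `Connect-ExchangeOnline` session.

```powershell
# Added example (not the author's script): audit allow-list entries against the
# "time-boxed, with a ticket number" rule. Assumptions: ticket references look like
# TKT-<digits> in the Notes field, and 45 days is the longest acceptable exception.
#Requires -Modules ExchangeOnlineManagement

$TicketPattern = '\bTKT-\d{4,}\b'   # assumption: ticket reference format
$MaxAllowDays  = 45                 # assumption: longest acceptable exception window

function Get-AllowListFindings {
    $now = Get-Date
    # Tenant Allow/Block List: senders, URLs and file hashes that were explicitly allowed.
    foreach ($listType in 'Sender', 'Url', 'FileHash') {
        $entries = Get-TenantAllowBlockListItems -ListType $listType -Allow -ErrorAction SilentlyContinue
        foreach ($e in $entries) {
            $issues = @()
            if (-not $e.ExpirationDate) {
                $issues += 'no expiration'
            } elseif (($e.ExpirationDate - $now).TotalDays -gt $MaxAllowDays) {
                $issues += "expires in more than $MaxAllowDays days"
            }
            if ($e.Notes -notmatch $TicketPattern) { $issues += 'no ticket number in notes' }
            if ($issues) {
                [pscustomobject]@{
                    ListType     = $listType
                    Entry        = $e.Value
                    Expires      = $e.ExpirationDate
                    LastModified = $e.LastModifiedDateTime
                    Notes        = $e.Notes
                    Issues       = ($issues -join '; ')
                }
            }
        }
    }
    # Allowed senders/domains inside an anti-spam policy bypass spam and phish filtering
    # entirely and never expire, so each one is a finding until it has an owner and an end date.
    foreach ($p in Get-HostedContentFilterPolicy) {
        foreach ($s in @($p.AllowedSenders) + @($p.AllowedSenderDomains)) {
            if ($s) {
                [pscustomobject]@{
                    ListType     = "AntiSpamPolicy:$($p.Name)"
                    Entry        = "$s"
                    Expires      = $null
                    LastModified = $p.WhenChanged
                    Notes        = ''
                    Issues       = 'allow list inside anti-spam policy (never expires)'
                }
            }
        }
    }
}

$findings = Get-AllowListFindings
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ".\allowlist-findings-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Remediation for a flagged Tenant Allow/Block List entry: attach the ticket and a 30-day end date.
# (vendor@example.com and TKT-10423 are placeholders.)
# Set-TenantAllowBlockListItems -ListType Sender -Entries 'vendor@example.com' `
#     -ExpirationDate (Get-Date).AddDays(30) -Notes 'TKT-10423 approved by business owner'
```

Run it as part of the weekly review; an empty findings table is the evidence that the exception rule is actually being followed, and the CSV goes straight into the audit folder.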

When I package this for a customer, I position it as part of a Business Technology Partner approach, not a one-off security project. Done right, it supports Innovative IT Solutions, Tailored Technology Services, and an IT Strategy for SMBs that stands up to contract pressure instead of breaking during the next phishing wave.

Evidence capture for auditors, plus the weekly and monthly cadence I stick to

Example view of a security operations workflow centered on incidents, alerts, and policy management, created with AI.

A baseline only helps if you can prove it stayed in place. For CMMC Level 2, I plan evidence like I plan backups. If it’s not repeatable, it will fail at the worst time.

My evidence bundle usually includes:

  • Policy screenshots showing scope, key toggles, and effective dates.
  • Configuration exports where the portal supports download (many policy pages have an export or report view, and Threat Explorer supports exporting results).
  • Quarantine and incident samples that show detection, triage notes, and outcome.
  • Role and access proof showing who can change security policies.

For hardening references, I like aligning with the federal baseline mindset in CISA’s Microsoft Defender Secure Cloud Business Applications baseline. I don’t copy it blindly, but it’s useful when an auditor asks, “Why did you choose this setting?”

Then I run the cadence that keeps the tenant stable:

  • Weekly (30 minutes): Review incidents and email threat trends, check Tenant Allow/Block entries, confirm no surprise policy edits, and spot-test quarantine releases.
  • Monthly (60 to 90 minutes): Tune impersonation and spoof intelligence, review AIR actions, rotate admin access where needed, and pull evidence exports into the audit folder.
  • Quarterly: Tabletop one phishing-driven incident, confirm contacts, and validate your customer’s escalation steps.
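The evidence bundle and the weekly/monthly cadence above can be driven by one script that exports the policy set, samples the quarantine, pulls policy edits from the unified audit log, and diffs against the previous snapshot. The script below is an added example, not the author’s runbook. It assumes evidence lands under `C:\CMMC\Evidence` (placeholder), unified audit logging is enabled, and an active `Connect-ExchangeOnline` session exists; it covers Exchange Online role membership only, so Entra role assignments still need their own export.

```powershell
# Added example (not the author's script): monthly evidence export plus the weekly
# "no surprise policy edits" check. Assumptions: evidence lands under C:\CMMC\Evidence,
# unified audit logging is enabled, and Connect-ExchangeOnline has already been run.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$EvidenceRoot = 'C:\CMMC\Evidence',   # assumption: audit folder shared with the C3PAO
    [int]$LookbackDays    = 7                     # weekly cadence; use 30 for the monthly run
)

$stamp = Get-Date -Format 'yyyy-MM-dd'
$dir   = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Configuration exports: one JSON file per policy family, plus who can change them.
$exports = [ordered]@{
    AntiPhishPolicy                = { Get-AntiPhishPolicy }
    AntiPhishRule                  = { Get-AntiPhishRule }
    SafeLinksPolicy                = { Get-SafeLinksPolicy }
    SafeAttachmentPolicy           = { Get-SafeAttachmentPolicy }
    AtpPolicyForO365               = { Get-AtpPolicyForO365 }
    HostedContentFilterPolicy      = { Get-HostedContentFilterPolicy }
    HostedOutboundSpamFilterPolicy = { Get-HostedOutboundSpamFilterPolicy }
    MalwareFilterPolicy            = { Get-MalwareFilterPolicy }
    QuarantinePolicy               = { Get-QuarantinePolicy }
    ReportSubmissionPolicy         = { Get-ReportSubmissionPolicy }
    TenantAllowBlockList_Sender    = { Get-TenantAllowBlockListItems -ListType Sender }
    OrgManagementMembers           = { Get-RoleGroupMember 'Organization Management' }
}
foreach ($name in $exports.Keys) {
    & $exports[$name] | ConvertTo-Json -Depth 6 | Set-Content -Path (Join-Path $dir "$name.json")
}

# Quarantine sample for the period: detection evidence without message bodies.
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-$LookbackDays) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Released |
    Export-Csv -Path (Join-Path $dir 'quarantine-sample.csv') -NoTypeInformation

# Policy edits in the period from the unified audit log. Any row without a matching
# change ticket is a "surprise edit" to chase down.
$ops = foreach ($verb in 'New', 'Set', 'Remove') {
    foreach ($noun in 'AntiPhishPolicy', 'AntiPhishRule', 'SafeLinksPolicy', 'SafeLinksRule',
                      'SafeAttachmentPolicy', 'SafeAttachmentRule', 'HostedContentFilterPolicy',
                      'HostedOutboundSpamFilterPolicy', 'MalwareFilterPolicy', 'TenantAllowBlockListItems') {
        "$verb-$noun"
    }
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
                       -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            Admin      = $_.UserIds
            Operation  = $_.Operations
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } | Export-Csv -Path (Join-Path $dir 'policy-changes.csv') -NoTypeInformation

# Drift check against the most recent earlier snapshot, if one exists.
$previous = Get-ChildItem $EvidenceRoot -Directory | Where-Object Name -lt $stamp |
            Sort-Object Name | Select-Object -Last 1
if ($previous) {
    foreach ($name in $exports.Keys) {
        $old = Join-Path $previous.FullName "$name.json"
        if (Test-Path $old) {
            $diff = Compare-Object (Get-Content $old) (Get-Content (Join-Path $dir "$name.json"))
            if ($diff) { Write-Warning "$name drifted since $($previous.Name): $($diff.Count) changed lines" }
        }
    }
}

# Integrity manifest so the bundle can be verified when it is handed over.
Get-ChildItem $dir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
```

The drift warning is deliberately line-based and noisy: timestamps such as `WhenChanged` will show up as changes, which is acceptable for a weekly check because any change should be explainable by a row in `policy-changes.csv`. The SHA-256 manifest lets an assessor confirm the exported files were not altered after the fact.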

On incident response touchpoints, I tie Defender for Office 365 to the rest of the stack. If a phish leads to credential theft, I want identity controls and Endpoint Security ready to contain the user device. That combination supports Secure Cloud Architecture and Infrastructure Optimization across the tenant. It also reduces the blast radius when you are juggling Digital Transformation projects, legacy Data Center Technology, and day-to-day Technology Consulting requests.

If I can’t show “alert, triage, containment, and lessons learned” with timestamps, I assume it won’t pass a serious CMMC review.

Conclusion

CMMC Level 2 pressure in 2026 is forcing better habits, and email security is one of the fastest wins I can deliver. When I set a CMMC Level 2 O365 baseline in Microsoft Defender for Office 365, I focus on strong defaults, tight exceptions, and evidence that’s easy to defend. If you want a second set of eyes, I’m happy to help you turn these settings into a repeatable runbook that fits Managed IT for Small Business without adding chaos.

