Jackie Ramsey, February 2, 2026

Secure File Sharing for CMMC Using SharePoint & OneDrive (2026 Practical Guide)

If you’re an IT or security admin at a small-to-mid defense contractor, you already know the stress point: you need people to collaborate fast, but you can’t let CUI drift into the wrong inbox, laptop, or guest account. CMMC file sharing usually fails for one reason: defaults. SharePoint and OneDrive can be safe for CUI, but only after you set the guardrails and keep the evidence that they are in place.

As of January 2026, CMMC 2.0 Level 2 is no longer “future planning” for most of the defense supply chain. Level 2 requires all 110 security requirements in NIST SP 800-171 (Rev 2), and file sharing touches a large share of them. This post isn’t legal advice: confirm contract language, DFARS flow-downs, and prime expectations with your C3PAO or RPO. Tenant choice (Commercial vs GCC vs GCC High) can also make or break the plan, especially when ITAR data is in scope.

CMMC 2.0 file sharing basics, and how SharePoint and OneDrive map to NIST SP 800-171

When I talk about CMMC file sharing, I’m not talking about “can I upload a file.” I’m talking about the full chain of actions: invite a user, generate a link, open in browser, download, sync to a device, reshare, and then prove what happened later.

CMMC 2.0 Level 2 is based on implementing all 110 NIST SP 800-171 requirements. Microsoft publishes a helpful starting point for how their platform maps to that framework in their NIST SP 800-171 documentation. Your job is to configure SharePoint and OneDrive so your policies aren’t just words.

What “secure file sharing” means for CUI in Microsoft 365

For CUI, “secure” comes down to three properties: hard to share by accident, hard to reach from unmanaged devices, and easy to audit after the fact.

In plain terms, I want:

  • Least privilege permissions (people only get what they need, for as long as they need it).
  • No anonymous links (no “Anyone with the link”).
  • Strong identity (MFA and sane Conditional Access).
  • Controlled devices (managed endpoints for download and sync).
  • Labels and DLP (so CUI stays protected even if it moves).
  • Logs I can prove (audit trails for access, sharing, and admin changes).

Where does CUI leak most often? “Anyone” links, over-shared Team sites, unmanaged devices syncing OneDrive, and guest accounts that never get reviewed or removed.

Quick mapping: CMMC Level 2 goals to SharePoint and OneDrive settings (AC, AU, CM, IA, MP)

Here’s the quick mental map I use when I’m building controls for SharePoint and OneDrive.

CMMC / NIST intent | What I configure in Microsoft 365 | What it prevents
IA (Identification & Authentication) | Microsoft Entra MFA, Conditional Access, block legacy auth | Stolen passwords turning into file access
AC (Access Control) | SharePoint permissions, tight site membership, “Specific people” links | Over-sharing and link sprawl
AU (Audit & Accountability) | Unified Audit Log, SharePoint/OneDrive activity logging | “We don’t know who downloaded it”
CM (Configuration Management) | Tenant baselines, change control, documented exceptions | Settings drift and surprise risk
MP (Media Protection) | Purview labels, encryption, retention policies | CUI copied out without control

For GCC High specifics, I also cross-check Microsoft’s GCC High and DoD service description so I don’t assume a feature exists where it doesn’t.

Choose the right Microsoft 365 environment for CUI: Commercial vs GCC vs GCC High (and when you need an enclave)

I can lock down SharePoint and OneDrive perfectly and still fail the assessment if the tenant choice doesn’t match the contract. In 2026, many defense contractors treat GCC or GCC High as the safer default for CUI and DFARS-driven work. ITAR data and strict prime requirements often push the decision to GCC High, or to a separated enclave that holds only the CUI workload.

If you’re weighing options, this kind of “full migration vs enclave” discussion is common in the market, and it’s worth reading a neutral overview like Microsoft GCC as CMMC solution: full migration or enclave? to frame your internal decision.

Tenant prerequisites before I share a single CUI file

Before any CUI hits SharePoint or OneDrive, I set these foundations:

  • Licensing that supports Microsoft Purview sensitivity labels and DLP.
  • Microsoft Entra ID P1 for Conditional Access; P2 if I also need PIM and access reviews.
  • A device plan (Intune or equivalent) tied to Endpoint Security and Device Hardening.
  • Named admins only, break-glass accounts, and least-privileged role assignment.
  • A dedicated SharePoint “compliance evidence” site with restricted membership.
  • A documented baseline (tenant type, key settings, and change approval), captured in the SSP.

I treat this as part of Cloud Infrastructure hygiene, not optional paperwork.

When GCC is enough, when GCC High is the safer call

GCC can be enough for many CUI scenarios, but I switch to GCC High when ITAR-controlled data is in scope, when US-only expectations are explicit, or when the prime or flow-downs require it. Some orgs keep a Commercial tenant for non-CUI work and run a separate enclave for CUI. That can work, but only with clear boundaries, tight identity controls, and user training that doesn’t leave room for “I forgot which OneDrive to use.”

For a practical comparison, I often point teams to a guide to Microsoft GCC and GCC High for DoD contractors, then we validate against the contract and assessor expectations.

My secure SharePoint and OneDrive configuration checklist for CMMC file sharing (internal, external, evidence-ready)

[Diagram: CMMC-aligned SharePoint and OneDrive sharing model with identity controls, data protection, and audit trails (AI-generated illustration).]

This is the core of how I make CMMC file sharing predictable. I focus on settings admins actually touch, then I save evidence while I’m doing it.

Lock down sharing defaults in SharePoint and OneDrive (tenant-level and site-level)

My starting rules for CUI locations are strict:

  • Turn off Anyone links.
  • Set default link type to Specific people (or “People in your org” for non-CUI).
  • Set default permission to View.
  • Require expiration for external links (when external sharing is allowed at all).
  • Use Block download for browser-only viewing when a contract calls for it.
  • Restrict sharing to approved domains if that matches how partners work.

I also separate CUI sites from general collaboration. Tenant-wide settings are your floor, but site-level overrides are where most mistakes happen. I keep CUI sites tighter than the tenant baseline and I document why.
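The rules above, applied with the SharePoint Online Management Shell. This is an added example for this post, not the author’s own script: it sets the tenant floor, tightens one CUI contract site below that floor, saves the effective settings as JSON evidence, and runs a drift check across all sites. Assumptions (change them): tenant name “contoso” on Commercial/GCC URLs (GCC High uses contoso-admin.sharepoint.us), a site at /sites/CUI-Contract-001, one approved partner domain, and that this contract calls for browser-only viewing so the block-download policy applies.

```powershell
# Added example (not from the original post). Requires the Microsoft.Online.SharePoint.PowerShell
# module and the SharePoint Administrator role.
$AdminUrl = "https://contoso-admin.sharepoint.com"                    # assumption; GCC High: contoso-admin.sharepoint.us
$CuiSite  = "https://contoso.sharepoint.com/sites/CUI-Contract-001"   # assumption
$Partners = "primecontractor.example"                                  # assumption: space-separated allow-list
$Evidence = "C:\Evidence\SPO-Sharing-$(Get-Date -Format yyyyMMdd).json"

Connect-SPOService -Url $AdminUrl

# 1. Tenant floor. Splatting keeps one setting per line so the change record is readable.
$tenantFloor = @{
    SharingCapability                          = "ExternalUserSharingOnly"  # guests must sign in; Anyone links cannot be created
    DefaultSharingLinkType                     = "Direct"                   # "Specific people"
    DefaultLinkPermission                      = "View"
    ExternalUserExpirationRequired             = $true                      # guest access to a site or OneDrive expires ...
    ExternalUserExpireInDays                   = 30                         # ... after this many days unless an owner renews it
    SharingDomainRestrictionMode               = "AllowList"
    SharingAllowedDomainList                   = $Partners
    PreventExternalUsersFromResharing          = $true
    RequireAcceptingAccountMatchInvitedAccount = $true                      # invite to bob@partner must be redeemed as bob@partner
    NotifyOwnersWhenItemsReshared              = $true
    OneDriveSharingCapability                  = "ExternalUserSharingOnly"  # personal drives get the same floor
}
Set-SPOTenant @tenantFloor

# 2. The CUI site, tighter than the floor. A site can only be as open as the tenant allows,
#    so use "Disabled" here when this contract has no partner review at all.
$cuiSite = @{
    Identity                       = $CuiSite
    SharingCapability              = "ExternalUserSharingOnly"
    DefaultSharingLinkType         = "Direct"
    DefaultLinkPermission          = "View"
    DisableCompanyWideSharingLinks = "Disabled"           # no "People in your org" links on a CUI site
    SharingDomainRestrictionMode   = "AllowList"
    SharingAllowedDomainList       = $Partners
    ConditionalAccessPolicy        = "AllowLimitedAccess" # unmanaged devices: browser view only, no download or sync
                                                          # (needs a Conditional Access policy with app-enforced restrictions)
    BlockDownloadPolicy            = $true                # assumption: contract requires browser-only viewing for everyone
}
Set-SPOSite @cuiSite

# 3. Evidence: the effective settings, not the commands you typed.
$snapshot = [ordered]@{
    CapturedUtc = (Get-Date).ToUniversalTime().ToString("o")
    Tenant      = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
                      ExternalUserExpirationRequired, ExternalUserExpireInDays, SharingDomainRestrictionMode,
                      SharingAllowedDomainList, PreventExternalUsersFromResharing, OneDriveSharingCapability
    Site        = Get-SPOSite -Identity $CuiSite | Select-Object Url, SharingCapability, DefaultSharingLinkType,
                      DefaultLinkPermission, DisableCompanyWideSharingLinks, ConditionalAccessPolicy, BlockDownloadPolicy
}
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Evidence

# 4. Drift check: any site still looser than the floor. Run it monthly and keep the output.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" -or
                   $_.DefaultSharingLinkType -eq "AnonymousAccess" } |
    Select-Object Url, SharingCapability, DefaultSharingLinkType
```

The drift check is the part that earns its keep: tenant settings rarely regress, but a site owner with Full Control can loosen a single site, and step 4 is what catches it before an assessor does.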

External sharing do and don’t (for CUI)

Do | Don’t
Use named guests with sign-in required | Use anonymous “Anyone” links
Prefer view-only for partner reviews | Allow broad edit rights by default
Set link expiration and review cadence | Create links that never expire
Limit sharing to approved domains when possible | Allow new domains with no review
Keep CUI in a contract-specific SharePoint site | Share from personal OneDrive with no guardrails

Identity and access controls that stop risky sharing (Entra MFA, Conditional Access, PIM, RBAC)

If I had to pick one place where SharePoint security becomes real, it’s Conditional Access:

  • Require MFA for all CUI users, no exceptions.
  • Block legacy authentication.
  • Require compliant or hybrid-joined devices for SharePoint/OneDrive download and sync.
  • Add location limits only when justified, and documented.
  • Use RBAC with least-privileged admin roles.
  • Enable PIM for just-in-time admin access.
  • Run guest access reviews so external accounts don’t live forever.

The outcome is simple: fewer stolen sessions, fewer “everyone is an owner” sites, faster offboarding, and cleaner audits.
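The Conditional Access layer described above, as an added example built with Microsoft Graph PowerShell (not the post’s own code). It creates the four policies in report-only mode so you can read the sign-in log before enforcing anything. Assumptions: a group named CUI-Users containing everyone who handles CUI, a group named BreakGlass-Accounts that is excluded from every policy, Entra ID P1, the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules, and the Commercial/GCC Graph endpoint (GCC High adds -Environment USGov to Connect-MgGraph).

```powershell
# Added example (not from the original post).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$State      = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
$CuiGroup   = (Get-MgGroup -Filter "displayName eq 'CUI-Users'").Id            # assumption: group exists
$BreakGlass = (Get-MgGroup -Filter "displayName eq 'BreakGlass-Accounts'").Id  # assumption: group exists
$SpoAppId   = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online; OneDrive is served by the same app
if (-not $CuiGroup -or -not $BreakGlass) { throw "Create the CUI-Users and BreakGlass-Accounts groups first." }

function New-CuiCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [hashtable] $Grant,
        [hashtable] $Session
    )
    $body = @{ displayName = $Name; state = $State; conditions = $Conditions }
    if ($Grant)   { $body.grantControls   = $Grant }
    if ($Session) { $body.sessionControls = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. MFA for every CUI user on every cloud app (NIST SP 800-171 3.5.3).
New-CuiCaPolicy -Name "CA01 - CUI users: require MFA" -Conditions @{
    users          = @{ includeGroups = @($CuiGroup); excludeGroups = @($BreakGlass) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
} -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# 2. Block legacy authentication tenant-wide; those protocols cannot present MFA.
New-CuiCaPolicy -Name "CA02 - Block legacy authentication" -Conditions @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlass) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("exchangeActiveSync", "other")
} -Grant @{ operator = "OR"; builtInControls = @("block") }

# 3. SharePoint/OneDrive rich clients (sync client, Office apps): compliant or hybrid-joined devices only.
New-CuiCaPolicy -Name "CA03 - SPO/OneDrive clients: managed devices only" -Conditions @{
    users          = @{ includeGroups = @($CuiGroup); excludeGroups = @($BreakGlass) }
    applications   = @{ includeApplications = @($SpoAppId) }
    clientAppTypes = @("mobileAppsAndDesktopClients")
} -Grant @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }

# 4. Browser sessions: hand enforcement to SharePoint, which then applies its tenant or site
#    ConditionalAccessPolicy (AllowLimitedAccess = view in browser, no download, on unmanaged devices).
New-CuiCaPolicy -Name "CA04 - SPO/OneDrive browser: app-enforced restrictions" -Conditions @{
    users          = @{ includeGroups = @($CuiGroup); excludeGroups = @($BreakGlass) }
    applications   = @{ includeApplications = @($SpoAppId) }
    clientAppTypes = @("browser")
} -Session @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }

# Evidence: names and states as data, alongside the portal screenshots.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime |
    ConvertTo-Json | Set-Content "C:\Evidence\CA-Policies-$(Get-Date -Format yyyyMMdd).json"
```

Two design points: the break-glass group is excluded from every policy by construction, which is the one exception you document in the SSP; and CA03 and CA04 are split because a single policy cannot say “MFA AND (compliant OR hybrid-joined)” for clients while only applying app-enforced restrictions to browsers.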

Protect the data itself with Microsoft Purview (labels, encryption, DLP, retention, records)

I like controls that travel with the file. Purview is how I get there:

  • Label CUI sites and documents with sensitivity labels.
  • Use label settings that enforce encryption and restrict sharing when required.
  • Set DLP policies for SharePoint/OneDrive (and Teams, if used) to block external sharing of labeled CUI, or force justification with logging.
  • Apply retention labels/policies based on the contract and your records rules.
  • Use information barriers when internal separation is needed between projects.

For evidence, I capture screenshots of label settings, the DLP rule logic, and at least one test file showing the label applied.
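The DLP piece of the list above, as an added example (not the post’s own code) using Security & Compliance PowerShell. It creates a policy scoped to SharePoint and OneDrive that blocks sharing of files carrying the CUI sensitivity label with anyone outside the organization, starting in test mode, with an optional override that requires a written justification so the decision lands in the audit log. Assumptions: a published sensitivity label named “CUI” already exists, the ExchangeOnlineManagement module is installed, you hold a role that can manage DLP (for example Compliance Administrator), and the Commercial/GCC endpoint (GCC High needs the .us connection endpoints for Connect-IPPSSession; check Microsoft’s current docs).

```powershell
# Added example (not from the original post).
Connect-IPPSSession

$PolicyName             = "CUI - External sharing control"
$AllowJustifiedOverride = $false   # $true only on sites where partner sharing is contractually approved

# Condition: the file carries the "CUI" sensitivity label (assumption: label name matches yours).
$LabeledCui = @{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "CUI label"
        labels   = @(@{ name = "CUI"; type = "Sensitivity" })
    })
}

# Policy scoped to SharePoint and OneDrive, in test mode first: see the matches (and the
# false positives) before a block lands on someone's project deadline.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "NIST SP 800-171 3.1.3 (control CUI flow): no CUI-labeled files to external recipients" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

$rule = @{
    Name                                = "CUI - block external sharing"
    Policy                              = $PolicyName
    ContentContainsSensitiveInformation = $LabeledCui
    AccessScope                         = "NotInOrganization"   # fires when the sharing target is outside the org
    BlockAccess                         = $true
    BlockAccessScope                    = "All"                 # remove all external access, not just the new link
    NotifyUser                          = "Owner"
    NotifyPolicyTipCustomText           = "This file is labeled CUI. External sharing is blocked by policy."
    GenerateIncidentReport              = "SiteAdmin"
    IncidentReportContent               = "All"
    ReportSeverityLevel                 = "High"
}
if ($AllowJustifiedOverride) {
    # The user may override but must type a justification; override and text are recorded in the audit log.
    $rule.NotifyAllowOverride = "WithJustification"
}
New-DlpComplianceRule @rule

# Verify what was actually created (this output is evidence too).
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, NotifyAllowOverride, ReportSeverityLevel

# When the test-mode matches look right:
#   Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Test it the way the post suggests: label one sample file CUI, share it to a guest, and confirm the policy tip and the blocked share appear, then keep that test file and the audit entry with the rest of the evidence.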

Monitoring and evidence to save for a C3PAO (audit logs, alerts, reports)

CMMC file sharing isn’t just controls, it’s proof. I enable the Unified Audit Log and confirm SharePoint/OneDrive activity events are present. I also keep Entra sign-in logs and admin activity available, and I set alerting for unusual sharing or mass download (Defender for Cloud Apps where available). One caveat: Audit (Standard) retains Unified Audit Log data for 180 days by default, so anything you need beyond that has to be exported on a schedule or covered by Audit (Premium) retention.

Evidence to save (keep it in a restricted SharePoint site):

  • Sharing settings at tenant and key CUI sites (screenshots).
  • Conditional Access policies and MFA requirements (screenshots).
  • PIM role settings and activation history (screenshots or exports).
  • Purview sensitivity labels and DLP policies (screenshots).
  • Sample audit log searches for file download, sharing, permission change (screenshots).
  • Exports of incidents and investigation notes tied to your incident process.
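The audit log searches in that list, as an added example (not the post’s own code). It confirms ingestion is on, pulls sharing and download events for one CUI site from the Unified Audit Log with proper paging, flags what an assessor will ask about (Anyone links, shares to guests, bulk downloads), and writes dated CSVs for the evidence site. Assumptions: the ExchangeOnlineManagement module, a role allowed to run Search-UnifiedAuditLog, the site URL below, a 30-day window, and a threshold of 50 downloads per user (GCC High: add -ExchangeEnvironmentName O365USGovGCCHigh to Connect-ExchangeOnline).

```powershell
# Added example (not from the original post).
Connect-ExchangeOnline

# 0. Auditing must actually be on; a search against an empty log is not evidence.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw "Unified Audit Log ingestion is off. Enable: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

$SiteUrl       = "https://contoso.sharepoint.com/sites/CUI-Contract-001"   # assumption
$Start         = (Get-Date).AddDays(-30)
$End           = Get-Date
$OutDir        = "C:\Evidence\Audit"
$BulkThreshold = 50
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Operations an assessor asks about: who was given access, who took a copy.
$Ops = @(
    "SharingSet", "SharingInvitationCreated", "SharingInvitationAccepted",
    "AnonymousLinkCreated", "AnonymousLinkUsed",
    "SecureLinkCreated", "AddedToSecureLink", "CompanyLinkCreated",
    "PermissionLevelModified", "AddedToGroup",
    "FileDownloaded", "FileSyncDownloadedFull"
)

# 1. Page through results; ReturnLargeSet hands back batches until it returns nothing.
$sessionId = "cui-evidence-$(Get-Date -Format yyyyMMddHHmmss)"
$raw = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $raw += $batch }
} while ($batch)

# 2. AuditData is a JSON string; expand it and keep only the CUI site.
$events = @(foreach ($r in $raw) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.SiteUrl -notlike "$SiteUrl*") { continue }
    [pscustomobject]@{
        TimeUtc    = $d.CreationTime
        Operation  = $d.Operation
        User       = $d.UserId
        ClientIP   = $d.ClientIP
        File       = $d.SourceFileName
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType    # Member, Guest, SecurityGroup, ...
        Url        = $d.ObjectId
    }
})

# 3. Flags. AnonymousLink* should be empty if the tenant floor is right; anything here
#    is a finding to investigate, not just evidence to file.
$anyoneLinks    = @($events | Where-Object { $_.Operation -like "AnonymousLink*" })
$externalShares = @($events | Where-Object {
    $_.TargetType -eq "Guest" -and
    $_.Operation -in "SharingSet", "SharingInvitationCreated", "AddedToSecureLink", "SecureLinkCreated"
})
$bulkDownloads  = @($events |
    Where-Object { $_.Operation -in "FileDownloaded", "FileSyncDownloadedFull" } |
    Group-Object User | Where-Object { $_.Count -ge $BulkThreshold } |
    Select-Object @{ n = "User"; e = { $_.Name } }, Count)

# 4. Dated evidence files for the restricted evidence site.
$stamp = Get-Date -Format yyyyMMdd
$events         | Export-Csv "$OutDir\$stamp-cui-site-activity.csv"        -NoTypeInformation
$anyoneLinks    | Export-Csv "$OutDir\$stamp-cui-site-anyone-links.csv"    -NoTypeInformation
$externalShares | Export-Csv "$OutDir\$stamp-cui-site-external-shares.csv" -NoTypeInformation
$bulkDownloads  | Export-Csv "$OutDir\$stamp-cui-site-bulk-downloads.csv"  -NoTypeInformation
"Events: $($events.Count)  Anyone links: $($anyoneLinks.Count)  External shares: $($externalShares.Count)  Bulk downloaders: $($bulkDownloads.Count)"
```

Run it on a schedule and keep every output, including the empty ones: a dated file showing zero Anyone links is exactly the kind of evidence that answers “how do you know?”.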

Common CMMC file sharing mistakes I see, and how I prevent them

I see the same failures repeat:

  • Using a Commercial tenant for CUI without written approval. Fix: validate the tenant choice early, before any CUI is uploaded.
  • Leaving “Anyone” links on. Fix: disable anonymous links and set safer link defaults.
  • Sharing CUI from personal OneDrive. Fix: keep CUI in contract SharePoint sites and back that up with DLP.
  • Granting Full Control to broad groups. Fix: narrow site Owners and apply least privilege.
  • Never reviewing guests. Fix: scheduled guest access reviews plus expiring external access.
  • Buying security licenses but not turning features on. Fix: a baseline checklist with sign-off.
  • No logs or screenshots. Fix: build evidence collection into the change process.
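The guest review from that list, as an added example (not the post’s own code). It joins Entra guest accounts and their last sign-in to SharePoint’s list of external users, marks guests that are stale or never redeemed their invitation, and writes the list a reviewer signs off on; removal only runs when $Remove is set, and the Graph connection only asks for write scope in that case. Assumptions: Entra ID P1 (the signInActivity property requires it), the Graph scopes below, SharePoint Administrator rights, tenant “contoso”, and a 90-day inactivity threshold.

```powershell
# Added example (not from the original post).
$StaleDays = 90
$Remove    = $false                   # set $true only after the review is signed off
$cutoff    = (Get-Date).AddDays(-$StaleDays)

$scopes = @("User.Read.All", "AuditLog.Read.All")
if ($Remove) { $scopes += "User.ReadWrite.All" }          # least privilege: write scope only when deleting
Connect-MgGraph -Scopes $scopes
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption; GCC High: contoso-admin.sharepoint.us

# 1. SharePoint's view of external users (paged, 50 per call).
$spoGuests = @()
$pos = 0
do {
    $page = @(Get-SPOExternalUser -Position $pos -PageSize 50)
    $spoGuests += $page
    $pos += 50
} while ($page.Count -eq 50)

# 2. Entra's view: every guest object with its last sign-in. Filtering on userType is an
#    "advanced query", which is why ConsistencyLevel and CountVariable are required.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -ConsistencyLevel eventual -CountVariable n `
    -Property "id,displayName,mail,createdDateTime,externalUserState,signInActivity"

$report = @(foreach ($g in $guests) {
    $mail = $g.Mail
    $last = $g.SignInActivity.LastSignInDateTime
    $spo  = $spoGuests | Where-Object { $_.Email -eq $mail }
    $reason = if ($g.ExternalUserState -eq "PendingAcceptance") { "invitation never redeemed" }
              elseif (-not $last)                               { "no sign-in recorded" }
              elseif ($last -lt $cutoff)                        { "inactive more than $StaleDays days" }
              else                                              { "" }
    [pscustomobject]@{
        Id           = $g.Id
        Mail         = $mail
        DisplayName  = $g.DisplayName
        Created      = $g.CreatedDateTime
        LastSignIn   = $last
        HasSpoAccess = [bool]$spo
        SpoUniqueId  = $spo.UniqueId
        Stale        = [bool]$reason
        Reason       = $reason
    }
})

# 3. Evidence: the full review list, dated, for the reviewer's signature.
$OutDir = "C:\Evidence\Guests"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format yyyyMMdd
$report | Export-Csv "$OutDir\$stamp-guest-review.csv" -NoTypeInformation
$stale  = @($report | Where-Object Stale)
"Guests: $($report.Count)  Stale: $($stale.Count)"

# 4. Removal, only once the list above has been reviewed and signed.
if ($Remove) {
    foreach ($g in $stale) {
        if ($g.SpoUniqueId) { Remove-SPOExternalUser -UniqueIDs $g.SpoUniqueId -Confirm:$false }
        Remove-MgUser -UserId $g.Id     # the deletion itself is written to the audit log
    }
}
```

Keeping the dated CSV even when nothing is removed is the point: the file is the evidence that the review happened and who decided what.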

Conclusion

When I need SharePoint and OneDrive to support CMMC file sharing, I focus on three moves: pick the right tenant (often GCC or GCC High), lock down sharing defaults, and prove it with logs and saved evidence. Use the checklist above as a starting point for an Office 365 Migration or a hardening project, then map it into your SSP and procedures. (Not legal advice. Confirm requirements with your C3PAO/RPO and your contract language and DFARS flow-downs.)

As a Business Technology Partner, I support Small Business IT with Cybersecurity Services, Endpoint Security, Device Hardening, and Secure Cloud Architecture, plus Cloud Infrastructure, Cloud Management, Infrastructure Optimization, and Business Continuity & Security. My Tailored Technology Services cover Technology Consulting, IT Strategy for SMBs, Innovative IT Solutions, and Digital Transformation, and I can also support Restaurant POS Support and Kitchen Technology Solutions when needed.

