Why CUI in Microsoft 365 Demands a Disciplined Compliance Approach
Microsoft 365 is the productivity platform of choice for thousands of defense contractors. It is also one of the most common sources of Controlled Unclassified Information (CUI) spillage, unauthorized access, and audit failures. The platform is powerful, but power without proper configuration creates serious compliance exposure under DFARS 252.204-7012, NIST SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC) program.
If your organization handles CUI and operates on Microsoft 365, this checklist is your starting point. These 20 controls address the technical, administrative, and configuration requirements that assessors, contracting officers, and DCSA auditors will look for in your environment. Not every control requires the same level of effort, but every one of them matters.
For a deeper foundation on what CUI actually is before diving into the technical controls, see our post on What is Controlled Unclassified Information (CUI).
Tenant Selection and Environment Controls
1. Operate in the Correct Microsoft 365 Tenant
Commercial Microsoft 365 is not designed for CUI. Defense contractors handling CUI are expected to operate in Microsoft 365 GCC or GCC High, depending on their regulatory obligations. ITAR-sensitive programs and CMMC Level 2 or higher typically require GCC High. Verify your tenant type before configuring any other control. For clarity on which environment fits your obligations, review our post on CUI in Microsoft 365: Which Tenant Type Is Required and Why It Matters for CMMC.
2. Define and Document Your CUI Boundary
Before you can protect CUI, you must know exactly where it lives. Your System Security Plan (SSP) must document the boundary of systems that store, process, or transmit CUI. In Microsoft 365, this includes SharePoint libraries, Teams channels, Exchange mailboxes, OneDrive folders, and any connected applications. An undefined boundary is one of the most common findings during CMMC assessments.
3. Implement Conditional Access Policies
Conditional Access is the enforcement layer for identity-based access control in Microsoft 365. Policies must require multi-factor authentication for all users, restrict access from non-compliant devices, block legacy authentication protocols, and limit access by geographic location where operationally appropriate. Every user with potential access to CUI environments must be covered.
Identity and Access Management Controls
4. Enforce Multi-Factor Authentication Without Exception
NIST SP 800-171 control 3.5.3 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. In Microsoft 365, this means enforcing MFA through Azure Active Directory for every account with access to the CUI environment. Security defaults are not sufficient for most defense contractor environments. Use Conditional Access policies for granular enforcement.
5. Apply the Principle of Least Privilege
Every user account in your Microsoft 365 tenant should have only the permissions necessary to perform their role. Audit role assignments in Azure AD, SharePoint, and Exchange regularly. Privileged Identity Management (PIM) should be used to govern elevated access with time-bound, approval-based workflows. Persistent Global Administrator assignments are a red flag in any compliance review.
6. Separate Privileged and Standard User Accounts
Administrators who manage your Microsoft 365 environment should not use their privileged accounts for day-to-day work such as reading email or accessing Teams. Maintain separate admin accounts used exclusively for administrative tasks. This separation limits the blast radius of credential compromise and is a direct requirement under NIST SP 800-171.
7. Control External Sharing and Guest Access
By default, Microsoft 365 allows external sharing across SharePoint, OneDrive, and Teams. For CUI environments, external sharing must be restricted or disabled. If your mission requires collaboration with external partners, implement guest access policies with strict controls, require MFA for guests, and ensure CUI is never accessible to unauthenticated or unvetted external users.
Data Protection and Labeling Controls
8. Deploy Microsoft Purview Sensitivity Labels for CUI
Sensitivity labels in Microsoft Purview are the technical mechanism for marking and protecting CUI in Microsoft 365 documents, emails, and Teams messages. Labels should map to CUI categories defined in the National Archives CUI Registry. When a label is applied, it can enforce encryption, restrict forwarding, and apply watermarks. Labeling policy must cover all users who create or access CUI. For configuration guidance, see our post on How to Configure Microsoft Purview for Compliance in a Defense Contractor Environment.
9. Configure Data Loss Prevention Policies
Microsoft Purview DLP policies detect and prevent unauthorized sharing of CUI across email, SharePoint, OneDrive, Teams, and endpoint devices. Policies should be tuned to identify CUI indicators such as contract numbers, classification markings, export control language, and technical data patterns. Start in audit mode to understand your data landscape before moving to enforcement. Our post on Understanding Data Loss Prevention (DLP) provides a solid operational foundation.
10. Enable Endpoint DLP for Devices Handling CUI
Standard DLP operates at the cloud service level. Endpoint DLP extends protection to the Windows devices themselves, blocking actions such as copying CUI to USB drives, printing to non-approved printers, or uploading to unauthorized cloud services. This is a critical control for organizations where users work with downloaded CUI files on managed endpoints.
11. Encrypt CUI at Rest and in Transit
Microsoft 365 provides service-side encryption by default, but defense contractors must verify that sensitivity labels enforcing encryption are applied to CUI content. Email containing CUI should be encrypted using Information Rights Management or label-based encryption. Ensure TLS is enforced for all connector configurations and that data is not routed through unencrypted channels.
Device and Endpoint Controls
12. Enforce Device Compliance with Microsoft Intune
All devices accessing the CUI environment must meet defined compliance standards before access is granted. Microsoft Intune allows you to configure compliance policies that require disk encryption, current operating system versions, active antivirus, and screen lock settings. Non-compliant devices should be blocked from accessing Microsoft 365 resources through Conditional Access integration.
13. Block Personal and Unmanaged Devices from CUI Access
Bring-your-own-device access to environments containing CUI is a significant compliance risk. Intune and Conditional Access can be configured to require device management enrollment before granting access. At minimum, require Azure AD Hybrid Join or Intune enrollment for any device accessing SharePoint libraries, Teams channels, or email containing CUI.
Audit, Monitoring, and Incident Response Controls
14. Enable Unified Audit Logging
Microsoft 365 Unified Audit Logging captures user and admin activity across Exchange, SharePoint, OneDrive, Teams, and Azure AD. This logging is required to satisfy NIST SP 800-171 audit and accountability controls. Confirm that audit logging is enabled at the tenant level and that logs are retained for a minimum of 90 days in the platform, with longer retention maintained in a SIEM or archival solution.
15. Integrate Logs with a SIEM for Continuous Monitoring
Audit logs sitting in the Microsoft 365 Compliance Center are not a substitute for active monitoring. Export logs to a Security Information and Event Management system to enable real-time alerting, anomaly detection, and correlation with other data sources. This satisfies NIST SP 800-171 requirements for system monitoring and supports your incident response capability.
16. Configure Alerts for High-Risk CUI Events
Microsoft Purview and Microsoft Defender for Office 365 can generate alerts for events such as mass downloads of labeled files, forwarding of CUI emails to external addresses, DLP policy matches, and privileged account changes. Build an alert policy that maps to your highest-risk scenarios and ensure alerts are routed to personnel who can respond within your defined incident response timeframes.
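As an added example for items 14 and 16 (not part of the original checklist), the following Exchange Online PowerShell script confirms that unified audit log ingestion is switched on and then runs a simple mass-download check over the last 24 hours of SharePoint and OneDrive audit events. It assumes the ExchangeOnlineManagement module is installed, the reviewer holds an audit-reading role, and the 50-downloads-per-user threshold is an assumed starting value to tune for your environment.

```powershell
# Added example, not from the original checklist: verify unified audit logging (item 14) and
# surface users with an unusual number of file downloads in the last 24 hours (item 16).
# Assumes the ExchangeOnlineManagement module and an audit-reading role; the threshold is assumed.
Connect-ExchangeOnline -ShowBanner:$false

# Item 14: the tenant-level switch that feeds Exchange, SharePoint, OneDrive and Teams
# activity into the unified audit log. Nothing downstream works if this is off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED; enable it before relying on any alerting.'
}

# Item 16: pull SharePoint/OneDrive download events for the review window.
$end       = Get-Date
$start     = $end.AddHours(-24)
$threshold = 50   # assumed value; tune to what is normal for your users

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileDownloaded -ResultSize 5000

# AuditData is a JSON string; parse it to recover who downloaded what from where.
$parsed = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{ User = $d.UserId; File = $d.SourceFileName; Site = $d.SiteUrl }
}

# Group per user and report anyone at or above the threshold, with the sites involved,
# so the responder can see immediately whether a CUI library was touched.
$parsed | Group-Object User | Where-Object { $_.Count -ge $threshold } | ForEach-Object {
    [PSCustomObject]@{
        User      = $_.Name
        Downloads = $_.Count
        Sites     = ($_.Group.Site | Sort-Object -Unique) -join '; '
    }
}
```

Search-UnifiedAuditLog returns at most 5000 rows per call, so a busy tenant needs a shorter window or paging before the per-user counts are trustworthy.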
Administrative and Documentation Controls
17. Maintain a System Security Plan That Reflects Your Microsoft 365 Environment
Your SSP must accurately describe how Microsoft 365 is configured to protect CUI, including the tenant type, data flows, access controls, encryption methods, and monitoring capabilities. An SSP that does not reflect your actual environment is worse than no SSP at all during a DCSA or CMMC assessment. Update the SSP whenever significant configuration changes occur.
18. Train All Users Who Access CUI in Microsoft 365
Technical controls fail when users do not understand their obligations. Every employee who creates, accesses, or shares CUI in Microsoft 365 must receive role-appropriate training covering CUI identification, labeling requirements, sharing restrictions, and incident reporting procedures. Training must be documented and repeated at defined intervals. Our CMMC, CUI and DFARS Compliance service includes training program development as part of a complete compliance engagement.
19. Conduct Regular Configuration Reviews and Self-Assessments
Microsoft 365 tenant configurations drift over time as new features are released, administrators make changes, and licensing evolves. Schedule quarterly reviews of your Conditional Access policies, DLP rules, label configurations, sharing settings, and audit logging status. Self-assessments against the NIST SP 800-171 control set should be conducted at least annually and scored in the Supplier Performance Risk System (SPRS).
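The Conditional Access review that items 3, 4, 12, 13 and 19 describe can be scripted. The following is an added example (not the checklist's own tooling) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph modules are installed and the reviewer is granted the Policy.Read.All scope.

```powershell
# Added example, not from the original checklist: review Conditional Access policies with the
# Microsoft Graph PowerShell SDK and report whether items 3, 4, 12 and 13 are actually enforced.
# Assumes the Microsoft.Graph modules are installed and the reviewer is granted Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Only policies in the "enabled" state enforce anything. Report-only and disabled policies
# are a common configuration-drift finding, so list them explicitly.
$active = $policies | Where-Object { $_.State -eq 'enabled' }
$policies | Where-Object { $_.State -ne 'enabled' } | ForEach-Object {
    Write-Warning ("Policy '{0}' is in state '{1}' and is not enforcing" -f $_.DisplayName, $_.State)
}

function Test-AppliesToAllUsersAndApps($p) {
    ($p.Conditions.Users.IncludeUsers -contains 'All') -and
    ($p.Conditions.Applications.IncludeApplications -contains 'All')
}

# Item 4: at least one enabled policy must require MFA for all users on all cloud apps.
$mfaForAll = $active | Where-Object {
    (Test-AppliesToAllUsersAndApps $_) -and ($_.GrantControls.BuiltInControls -contains 'mfa')
}

# Item 3: legacy protocols (Exchange ActiveSync and "other clients") cannot complete an MFA
# challenge, so they must be blocked outright rather than routed through the MFA policy.
$legacyBlocked = $active | Where-Object {
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
    ($_.Conditions.ClientAppTypes -contains 'other') -and
    ($_.GrantControls.BuiltInControls -contains 'block')
}

# Items 12 and 13: access should require an Intune-compliant or hybrid-joined device.
$deviceRequired = $active | Where-Object {
    ($_.GrantControls.BuiltInControls -contains 'compliantDevice') -or
    ($_.GrantControls.BuiltInControls -contains 'domainJoinedDevice')
}

# Exclusions on the MFA policy deserve a manual look: break-glass accounts are expected,
# anything else is a finding.
$mfaExclusions = @($mfaForAll.Conditions.Users.ExcludeUsers) | Sort-Object -Unique

[PSCustomObject]@{
    EnabledPolicies          = @($active).Count
    MfaRequiredForAllUsers   = @($mfaForAll).Count -gt 0
    LegacyAuthBlocked        = @($legacyBlocked).Count -gt 0
    DeviceComplianceRequired = @($deviceRequired).Count -gt 0
    MfaPolicyExcludedUserIds = ($mfaExclusions -join '; ')
}
```

Run it as part of the quarterly review and keep the output with the SSP evidence, so a drifted policy shows up as a dated record rather than as an assessor's finding.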
20. Establish and Test an Incident Response Plan Covering Microsoft 365
When a CUI incident occurs in Microsoft 365, you have 72 hours to report it to the DoD under DFARS 252.204-7012. Your incident response plan must specify how your team detects, contains, investigates, and reports incidents involving CUI in Microsoft 365. Test the plan with tabletop exercises at least annually and ensure your Microsoft 365 audit data is accessible to your response team when needed.
Build on This Checklist with Expert Guidance
These 20 controls provide a strong compliance foundation, but implementation depth, documentation quality, and assessor interpretation all determine whether your environment will pass a formal review. If your organization is preparing for a CMMC assessment, a DCSA inspection, or simply wants to close gaps before they become findings, Cleared Systems can help. Our team has guided defense contractors through every stage of CUI protection in Microsoft 365 environments, from initial tenant selection through SSP development and assessment readiness. We also support organizations through our Regulatory vCISO Services for ongoing compliance leadership. Explore our engagement models to find the right fit for your organization, or request a quote to start a conversation about your specific compliance posture.
