Why Microsoft Defender Configuration Matters for CMMC Level 2
If your organization handles Controlled Unclassified Information (CUI) and is pursuing CMMC Level 2 certification, your endpoint security tooling is not just an IT decision; it is a compliance decision. Microsoft Defender, particularly when deployed across Microsoft 365 GCC or GCC High environments, provides a capable foundation for meeting many of the 110 NIST SP 800-171 Rev 2 security requirements that make up CMMC Level 2. But out-of-the-box is never enough: default configurations will leave you exposed during a C3PAO assessment.
This post walks compliance managers and IT leaders through the specific Microsoft Defender components that matter most for CMMC Level 2, which settings need to be hardened, and where organizations consistently fall short. This is not a marketing overview of Microsoft's feature set. This is a practitioner's guide to getting your configuration defensible before an assessor walks in the door.
Understanding the CMMC Level 2 Controls Most Relevant to Microsoft Defender
CMMC Level 2 maps directly to NIST SP 800-171 Rev 2, and several domains are addressed — at least partially — by a properly configured Microsoft Defender deployment. The most directly relevant domains include:
- System and Communications Protection (SC): Boundary protection, session management, and network traffic monitoring
- Incident Response (IR): Detection capabilities, alerting, and event correlation
- Audit and Accountability (AU): Log generation, retention, and review
- Configuration Management (CM): Baseline configurations and unauthorized software prevention
- Risk Assessment (RA): Vulnerability scanning and threat identification
- System and Information Integrity (SI): Malicious code protection, security alerts, and flaw remediation
No single tool satisfies every control, and Microsoft Defender is no exception. But its native integration with Microsoft 365 Defender (now Microsoft Defender XDR), Microsoft Intune, and Microsoft Sentinel means it can address a meaningful portion of your compliance requirements, provided the configuration is deliberate, verified on the devices themselves, and documented. If you need a fuller picture of how the 110 controls are distributed, our post on NIST 800-171 compliance organized by priority is a useful starting reference.
Microsoft Defender for Endpoint: Critical Configuration Requirements
Microsoft Defender for Endpoint (MDE) is the centerpiece of your endpoint security posture for CMMC purposes. The following configuration areas carry the most compliance weight.
Enable and Validate Tamper Protection
Tamper protection prevents unauthorized changes to Defender Antivirus security settings, including turning off real-time protection, behavior monitoring, cloud-delivered protection, or security intelligence updates, whether the change is attempted through the registry, PowerShell, Group Policy, or a local administrator account. For CMMC purposes, this directly supports NIST SP 800-171 3.14.2 (provide protection from malicious code at designated locations) and the CM requirements that security tooling remain in its known-good baseline. Tamper protection must be turned on centrally, through Microsoft Intune or tenant-wide in the Microsoft Defender portal, rather than assumed from the local default. It cannot be managed through Group Policy; Group Policy changes to protected settings are precisely what it ignores once enabled. Its status must be verifiable on every in-scope device, servers included, and recorded in your System Security Plan.
Configure Attack Surface Reduction Rules
Attack Surface Reduction (ASR) rules are among the most underutilized Defender capabilities in defense contractor environments. These rules block specific behaviors commonly exploited by malware, including executable content launched from email clients and webmail, Office applications creating child processes, and credential theft from the Windows Local Security Authority subsystem (lsass.exe). For CMMC Level 2, ASR rules contribute to SI and CM domain requirements. Each rule runs in one of three modes: Audit (log only), Block, or Warn (block with a user override). Start in Audit mode to assess business impact, then move the rules to Block before your assessment. Note that ASR rules only enforce when Microsoft Defender Antivirus is the primary antivirus with real-time protection on; a device running Defender in passive mode beside a third-party product logs nothing and blocks nothing. Document every rule, its mode, and the business justification for any per-rule exclusion.
Enable Cloud-Delivered Protection and Automatic Sample Submission
Cloud-delivered protection lets Defender query Microsoft's cloud for verdicts on files and behaviors it has not seen before, which accelerates detection of novel threats; sample submission controls whether suspicious files are uploaded for analysis. For organizations in GCC High environments handling ITAR-sensitive or CUI data, verify that devices are onboarded to the GCC High Defender service endpoints rather than the commercial ones, and that the sample submission setting (never send, send safe samples only, or send all samples) aligns with your data handling obligations. This is an area where many contractors configure Defender in a commercial tenant and assume it carries over to GCC High. It does not. Verify the settings at the tenant level, and on the devices themselves, before claiming compliance.
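The three sections above describe settings an assessor will ask you to prove, not merely assert. As an added example (not code from the original post), the PowerShell below collects the device-side evidence for tamper protection, ASR rule mode, and cloud-delivered protection, and flags the gaps described above. It uses only the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference. The three ASR rule GUIDs are the rules named in the text, taken from Microsoft's published ASR rules reference and worth re-checking against it before you rely on them; the output file name is an assumption.

```powershell
# Added example: collect Microsoft Defender configuration evidence relevant to
# CMMC Level 2 and flag the gaps the post describes. Run in an elevated
# PowerShell session on a Windows device running Defender Antivirus.

# The three ASR rules named in the post (GUIDs from Microsoft's ASR reference;
# verify against the current reference before using for an assessment).
$RequiredAsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Action codes used by AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# MAPSReporting: 0 off, 1 basic, 2 advanced.
$MapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
# SubmitSamplesConsent: 0 always prompt, 1 safe samples, 2 never, 3 all samples.
$SampleNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

function Get-DefenderCmmcEvidence {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Tamper protection and real-time protection must both be on. The source
    # tells the assessor whether the setting is centrally managed (e.g. Intune).
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }

    # Pair each configured ASR rule GUID with its action code, then confirm the
    # required rules are present and in Block mode rather than Audit or Warn.
    $asr = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpperInvariant()
        $asr[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($guid in $RequiredAsrRules.Keys) {
        if (-not $asr.ContainsKey($guid)) {
            $findings.Add("ASR rule not configured: $($RequiredAsrRules[$guid])")
        } elseif ($asr[$guid] -ne 1) {
            $mode = $AsrActionNames[$asr[$guid]]
            $findings.Add("ASR rule in $mode mode, not Block: $($RequiredAsrRules[$guid])")
        }
    }

    # Cloud-delivered protection off is a gap. The sample submission value is
    # reported, not judged, because the acceptable setting depends on your
    # CUI/ITAR handling obligations.
    if ([int]$pref.MAPSReporting -eq 0) { $findings.Add('Cloud-delivered protection (MAPS) is disabled') }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Collected              = (Get-Date).ToString('o')
        TamperProtected        = $status.IsTamperProtected
        TamperProtectionSource = $status.TamperProtectionSource
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
        CloudProtection        = $MapsNames[[int]$pref.MAPSReporting]
        CloudBlockLevel        = [int]$pref.CloudBlockLevel
        SampleSubmission       = $SampleNames[[int]$pref.SubmitSamplesConsent]
        AsrRules               = @($asr.GetEnumerator() | ForEach-Object { "$($_.Key)=$($AsrActionNames[$_.Value])" })
        Findings               = $findings
        Compliant              = ($findings.Count -eq 0)
    }
}

# Write the evidence record for the SSP and print any gaps.
$evidence = Get-DefenderCmmcEvidence
$evidence | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:COMPUTERNAME-defender-evidence.json"
if ($evidence.Compliant) { 'No gaps found' } else { $evidence.Findings }
```

Run it as an Intune remediation script or scheduled task and keep the JSON files as dated evidence alongside the SSP. On managed devices the authoritative configuration is the Intune policy; this script is the device-side check that the policy actually landed. Do not try to fix gaps it reports with Set-MpPreference on a device where tamper protection is on, since those changes are exactly what tamper protection discards; correct the Intune policy instead.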
Harden Threat and Vulnerability Management Settings
Defender's Threat and Vulnerability Management (TVM) module, now sold as Microsoft Defender Vulnerability Management, supports the RA domain requirements under NIST 800-171, specifically 3.11.2 (scan for vulnerabilities periodically and when new vulnerabilities affecting the system are identified) and 3.11.3 (remediate vulnerabilities in accordance with risk assessments). Configure TVM to maintain a continuous software and device inventory, prioritize vulnerabilities by CVSS score and actual exposure, and feed open findings into your Plan of Action and Milestones with owners and target dates. If your POA&M is not connected to live vulnerability data, your assessor will notice.
Microsoft Defender for Identity: Protecting Privileged Accounts
CMMC Level 2 places significant emphasis on protecting privileged user accounts, limiting access, and detecting credential-based attacks. Microsoft Defender for Identity (MDI) uses sensors installed on your domain controllers (and optionally AD FS and AD CS servers) to monitor on-premises Active Directory traffic and events for lateral movement, pass-the-hash, pass-the-ticket, and Kerberoasting, threat patterns that endpoint antivirus alone will never catch.
For compliance, MDI supports IA (Identification and Authentication) and AC (Access Control) domain requirements. Specifically, tag your privileged and service accounts as sensitive so MDI weights alerts involving them, designate honeytoken accounts that should never authenticate, and review its alerts for unusual privilege escalation, abnormal authentication patterns, and activity from dormant accounts. Ensure these alerts feed into your Security Information and Event Management platform so that incident response procedures can be triggered and documented. Our post on endpoint security fundamentals provides useful context for how these layers fit together.
Microsoft Defender for Cloud Apps: Monitoring and DLP Integration
Many CMMC Level 2 failures we encounter during assessments involve uncontrolled data flows — CUI leaving the environment through unsanctioned cloud applications. Microsoft Defender for Cloud Apps (MDCA) provides visibility into shadow IT and enables policy enforcement against unauthorized application usage.
For compliance, integrate MDCA with your Data Loss Prevention policies in Microsoft Purview. This creates an enforcement layer that spans both cloud applications and endpoint behavior, supporting the AC domain (in particular 3.1.3, controlling the flow of CUI) and, where endpoint DLP governs removable media, the MP (Media Protection) domain. If you have not yet implemented a formal DLP strategy, our overview of Data Loss Prevention for defense contractors is a practical starting point before you configure Defender for Cloud Apps.
Audit Logging and Retention: The Area Most Often Cited in Findings
Across every CMMC Level 2 assessment we support at Cleared Systems, audit logging is consistently among the top cited deficiencies. Microsoft Defender generates significant telemetry, but that data is only useful for compliance if it is retained, reviewed, and tied to documented procedures.
Specifically, you must address the following:
- Retention period: NIST SP 800-171 3.3.1 requires audit logs to be created and retained to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity; it does not name a number of days. Ninety days of hot (searchable) storage and twelve months of cold (archive) storage is the practical standard most assessors expect. Whatever period you choose, state it in the SSP along with where each tier lives.
- Log review: Automated alerting is not a substitute for documented log review procedures. Your SSP must describe who reviews logs, how frequently, and what constitutes an actionable finding.
- Integration with SIEM: Defender alerts and raw telemetry should stream into a centralized SIEM. Microsoft Sentinel is the most natural integration, via the Microsoft Defender XDR data connector, where analytics rules can correlate endpoint, identity, and cloud app signals into the multi-stage attacks that individual alerts would miss.
If your logging and audit posture needs foundational work before you address Defender-specific settings, our post on SSP and POA&M as core compliance components explains how audit requirements connect to your broader documentation obligations.
Common Configuration Gaps That Cause CMMC Assessment Failures
Based on our work supporting CMMC, CUI, and DFARS compliance engagements across the defense industrial base, these are the Microsoft Defender configuration gaps we see most frequently cited during assessments:
- ASR rules left in audit mode rather than enforcement mode at assessment time
- Defender telemetry not flowing to a centralized SIEM, creating blind spots in incident detection
- Tamper protection enabled on workstations but not on servers
- Vulnerability findings in TVM not reflected in the current POA&M
- Cloud-delivered protection disabled due to bandwidth concerns without a documented exception
- Defender for Identity not deployed against on-premises Active Directory, leaving credential attacks undetected
- Log retention left at defaults (30 days for Defender advanced hunting data, 30 days for a Log Analytics workspace without Sentinel), falling short of assessor expectations
Each of these gaps has a remediation path, but the time to identify them is during a readiness assessment — not when your C3PAO is on site. If you want to understand what assessors specifically examine, our post on the 10 most commonly failed CMMC Level 2 controls gives you a direct view into where organizations consistently underperform.
Documentation Requirements: Configuration Is Not Enough
A correctly configured Microsoft Defender environment that is not documented in your System Security Plan will not satisfy a CMMC assessor. Every configuration decision — ASR rules, retention periods, tamper protection scope, MDI deployment coverage — must be reflected in your SSP with sufficient specificity that an assessor can verify the control is implemented as described.
Additionally, your incident response procedures must reference Defender-specific workflows: how alerts are triaged, who is notified, how findings are escalated, and how incidents are documented and closed. If you are building these procedures from the ground up, our compliance program development services can accelerate the process significantly.
How Cleared Systems Can Help
Aligning Microsoft Defender with CMMC Level 2 is a configuration problem, a documentation problem, and a process problem, and most organizations underestimate the scope until they are weeks away from an assessment. At Cleared Systems, we work with defense contractors to assess current Defender configurations against CMMC requirements, identify gaps, develop remediation plans, and update SSP documentation to reflect the actual security posture. If you are preparing for a C3PAO assessment or simply want to understand where your current Microsoft Defender deployment stands against CMMC Level 2 requirements, request a quote or explore our engagement models to find the right level of support for your organization.
