Why Your Microsoft 365 Environment Is a Primary CMMC Audit Target
If your organization handles Controlled Unclassified Information and relies on Microsoft 365 as your collaboration and productivity platform, your M365 tenant configuration will be one of the first places a C3PAO assessor looks. Email, Teams, SharePoint, OneDrive, and Entra ID are all potential vectors for CUI exposure — and misconfigured settings in any one of them can result in failed controls, delayed certification, and lost contracts.
A structured Microsoft 365 security assessment conducted before your CMMC audit gives your compliance and IT teams a clear picture of where your environment stands against the 110 practices in NIST SP 800-171. More importantly, it gives you time to remediate findings before an assessor documents them in your official record.
This guide walks through the essential steps of a pre-audit M365 security assessment — what to examine, how to document your findings, and where defense contractors most commonly fall short.
Step 1: Define Your Assessment Scope and System Boundary
Before you evaluate a single setting, you need clarity on what is inside your assessment boundary. Your Microsoft 365 security assessment should cover every workload that touches CUI — but only those workloads. Scope creep wastes time; an under-scoped assessment creates audit exposure.
Start by answering these questions:
- Which M365 services does your organization actively use — Exchange Online, Teams, SharePoint Online, OneDrive, Defender, Purview, Intune?
- Which users and groups have access to CUI, and through which applications?
- Are you operating on a commercial M365 tenant, GCC, or GCC High? The answer matters significantly for CMMC compliance.
- Do any third-party integrations or connectors touch your CUI environment?
If you are still on commercial M365 and handling CUI that falls under DFARS 252.204-7012, you likely need to evaluate whether GCC High is the appropriate tenant for your environment. Many contractors underestimate this requirement and discover it mid-assessment.
Document your system boundary in your System Security Plan before the assessment begins. Assessors will compare your SSP boundary against what they actually find during evaluation. Discrepancies are a significant red flag.
Step 2: Audit Identity and Access Management Controls
Access control failures account for a disproportionate share of CMMC findings in Microsoft 365 environments. The assessment should cover every layer of identity management in your tenant.
Multi-Factor Authentication
MFA must be enforced for all users who access CUI systems — not just administrators. Review your Conditional Access policies in Microsoft Entra ID (formerly Azure AD) and confirm that MFA is not simply available but actively required. Legacy authentication protocols that bypass MFA must be blocked. Assessors will test this.
Privileged Access
Review your Global Administrator assignments. Most organizations have far more privileged accounts than necessary. Document all accounts with elevated permissions, confirm each assignment is justified, and verify that privileged roles are not used for day-to-day work. Privileged Identity Management (PIM) should be configured for just-in-time access where licensing allows.
Account Lifecycle Management
Pull a report of all active accounts and compare against your current employee and contractor roster. Stale accounts — particularly from former employees — are a recurring finding in pre-audit assessments and a direct hit against NIST SP 800-171 3.1.1 and 3.1.2. Confirm that offboarding procedures disable accounts within defined timeframes and that those procedures are documented.
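The following Microsoft Graph PowerShell script is an added example (not the page's or Cleared Systems' own tooling) for the account review just described: it lists enabled accounts with no sign-in inside an assumed 90-day window, so they can be compared against the roster, and lists current Global Administrator members for the privileged-access review. It assumes the Microsoft.Graph PowerShell SDK and an Entra ID P1/P2 license, which the signInActivity property requires.

```powershell
# Added example, not Cleared Systems' code. Assumes the Microsoft.Graph PowerShell SDK
# and an Entra ID P1/P2 license (required for the signInActivity property).
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory"

$StaleDays = 90                                  # assumed threshold; use the value defined in your SSP
$Cutoff    = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# signInActivity cannot be combined with other $filter terms, so pull everything and filter locally.
$Users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity

$Stale = foreach ($u in $Users) {
    if (-not $u.AccountEnabled) { continue }     # disabled accounts are the offboarding goal, not a finding
    $last = $u.SignInActivity.LastSignInDateTime
    # An account that has never signed in but was created before the cutoff is stale as well.
    $isStale = if ($null -eq $last) { $u.CreatedDateTime -lt $Cutoff } else { $last -lt $Cutoff }
    if ($isStale) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType       # Guest accounts surface here too
            Created           = $u.CreatedDateTime
            LastSignIn        = $last
        }
    }
}

# Export for comparison against the HR / contractor roster (NIST SP 800-171 3.1.1, 3.1.2).
$Stale | Sort-Object LastSignIn | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
"Enabled accounts with no sign-in in the last $StaleDays days: $(@($Stale).Count)"

# Global Administrator members. 62e90394-... is the well-known role template ID for that role.
$GaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$GaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $GaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }   # blank for groups / service principals
"Permanent Global Administrators: $(@($GaMembers).Count)"
$GaMembers
# Only active (permanent) assignments are listed. PIM-eligible assignments live in
# Get-MgRoleManagementDirectoryRoleEligibilitySchedule and need a separate review.
```

Each stale account the roster does not explain, and each Global Administrator without a documented justification, becomes a line in the POA&M described in Step 7.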
Step 3: Review Data Protection and CUI Labeling Configuration
Microsoft Purview — formerly Microsoft Information Protection — is the primary tool for classifying and protecting CUI in M365 environments. If it is not configured correctly, your data protection controls will fail to meet CMMC requirements regardless of how well other settings are tuned.
Your assessment should verify:
- Sensitivity labels aligned to CUI categories are published and applied to content across Exchange, SharePoint, and Teams
- Auto-labeling policies are configured to identify and label CUI-containing content at rest and in transit
- Data Loss Prevention policies prevent CUI from being shared externally through email, Teams chat, or SharePoint links
- Encryption is applied to labeled content and follows through when content leaves the organization
For a deeper look at how to structure DLP policies in a defense contractor environment, review our guidance on understanding Data Loss Prevention in regulated environments. Misconfigured DLP is one of the most common findings we document during pre-audit assessments.
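As an added example (not part of the page or Cleared Systems' tooling), this Security & Compliance PowerShell script checks the three ways labeling and DLP most often exist without enforcing: labels that no policy publishes, auto-labeling policies still in simulation, and DLP policies or rules that only audit or notify. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account.

```powershell
# Added example, not Cleared Systems' code. Assumes the ExchangeOnlineManagement module and
# an account with the Compliance Administrator role (Security & Compliance PowerShell).
Connect-IPPSSession

# 1. Sensitivity labels that exist but are not published by any label policy.
#    Label policies list the labels they publish by name.
$AllLabels   = Get-Label
$Published   = Get-LabelPolicy | ForEach-Object { $_.Labels } | Sort-Object -Unique
$Unpublished = $AllLabels | Where-Object { $Published -notcontains $_.Name } | Select-Object Name, DisplayName

# 2. Auto-labeling policies still in simulation. Only Mode 'Enable' applies labels;
#    TestWithNotifications / TestWithoutNotifications only report what would happen.
$AutoNotEnforced = Get-AutoSensitivityLabelPolicy |
    Where-Object { $_.Mode -ne 'Enable' } | Select-Object Name, Mode

# 3. DLP policies in test mode, and DLP rules that never block access.
#    A notify-only rule can be a deliberate design choice; review each one rather than
#    treating every hit as a finding.
$DlpNotEnforced = Get-DlpCompliancePolicy |
    Where-Object { $_.Mode -ne 'Enable' } | Select-Object Name, Mode
$DlpRulesNoBlock = Get-DlpComplianceRule |
    Where-Object { -not $_.BlockAccess } | Select-Object Name

# Summary for the assessment workbook; each non-zero count is a candidate Step 3 finding.
[pscustomobject]@{
    UnpublishedLabels            = @($Unpublished).Count
    AutoLabelPoliciesNotEnforced = @($AutoNotEnforced).Count
    DlpPoliciesNotEnforced       = @($DlpNotEnforced).Count
    DlpRulesWithoutBlock         = @($DlpRulesNoBlock).Count
} | Format-List

$Unpublished; $AutoNotEnforced; $DlpNotEnforced; $DlpRulesNoBlock
```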
Step 4: Evaluate Audit Logging and Monitoring Configuration
CMMC Level 2 requires that you audit events across your information systems, protect audit logs, and review them for anomalies. Microsoft 365 provides robust logging capabilities through the Unified Audit Log, Microsoft Defender for Cloud Apps, and Microsoft Sentinel — but the default configuration is rarely sufficient for CMMC compliance.
During your assessment, verify the following:
- Unified Audit Log is enabled across your tenant and has been continuously active — gaps in audit log coverage are a compliance problem, not just a security one
- Log retention meets the minimum required period; CMMC and NIST SP 800-171 require that audit records be retained for a defined period consistent with your SSP
- Alerting rules are configured to detect and notify on high-risk events including impossible travel, mass downloads, privilege escalation, and external sharing of sensitive content
- Logs are protected from unauthorized modification or deletion — read-only access for audit log stores should be enforced
If your organization does not have a formal process for reviewing audit logs, that is a gap that needs to be addressed in your POA&M before the C3PAO arrives.
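This Exchange Online PowerShell script is an added example (not the page's or Cleared Systems' code) for the first two audit-logging checks above: it confirms Unified Audit Log ingestion is on and probes each of the last 30 days for at least one record, so a gap in coverage shows up as a list of dates. It assumes the ExchangeOnlineManagement module and an account holding an audit-log role in Exchange Online; the 30-day window is an assumption and must sit inside your retention period, or retention itself will register as a gap.

```powershell
# Added example, not Cleared Systems' code. Assumes the ExchangeOnlineManagement module and an
# account holding the View-Only Audit Logs (or Audit Logs) role in Exchange Online.
Connect-ExchangeOnline

# 1. Is Unified Audit Log ingestion switched on at all?
$Cfg = Get-AdminAuditLogConfig
if (-not $Cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is DISABLED. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 2. Probe each of the last N days for at least one record. A day with zero records in a live
#    tenant almost always means ingestion was off, or the day lies past your retention window.
$Days = 30                                        # assumed probe window; keep it inside your retention period
$Gaps = @()
for ($i = $Days; $i -ge 1; $i--) {
    $Start = (Get-Date).ToUniversalTime().Date.AddDays(-$i)
    $End   = $Start.AddDays(1)
    $Hit   = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 1
    if (-not $Hit) { $Gaps += $Start.ToString('yyyy-MM-dd') }
}

if ($Gaps) {
    Write-Warning "No audit records found on $($Gaps.Count) of the last $Days days:"
    $Gaps
} else {
    "Audit log coverage is continuous for the last $Days days."
}

# 3. Evidence for the SSP: which workloads are actually producing records. This is a sample of
#    up to 5000 records, not a total; use -SessionCommand ReturnLargeSet to page through everything.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ResultSize 5000 |
    Group-Object RecordType | Sort-Object Count -Descending | Select-Object Name, Count
```

Keep the output with the date it was run; an assessor asking whether the log has been "continuously active" is asking for exactly this kind of evidence.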
Step 5: Assess Endpoint Security and Device Compliance
Microsoft Intune device compliance policies must enforce minimum security baselines on all devices accessing your CUI environment. An M365 security assessment that stops at the cloud boundary and ignores endpoint configuration is incomplete.
Review your Intune compliance policies and confirm that devices are required to meet baseline requirements before accessing M365 resources — including disk encryption, OS patch levels, screen lock enforcement, and the absence of known malware. Conditional Access should deny access to non-compliant devices, not simply flag them.
Microsoft Defender for Endpoint should be deployed across your managed device fleet with threat and vulnerability management enabled. Review your current alert queue and document any unresolved findings. Assessors will ask whether identified vulnerabilities have been remediated or formally accepted and tracked in your POA&M.
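Conditional Access is where the MFA and legacy-authentication points from Step 2 and the compliant-device requirement from Step 5 are actually enforced, so one review covers both. The Microsoft Graph PowerShell script below is an added example (not Cleared Systems' code) that reads every Conditional Access policy and reports whether legacy authentication is blocked, MFA is required tenant-wide, device compliance gates access, and which policies sit in report-only or disabled state. It assumes the Microsoft.Graph PowerShell SDK and an account with Policy.Read.All.

```powershell
# Added example, not Cleared Systems' code. Assumes the Microsoft.Graph PowerShell SDK and
# an account with Policy.Read.All. Covers the Conditional Access points raised in Steps 2 and 5.
Connect-MgGraph -Scopes "Policy.Read.All"
$Policies = Get-MgIdentityConditionalAccessPolicy -All

$Enabled    = $Policies | Where-Object State -eq 'enabled'
$ReportOnly = $Policies | Where-Object State -eq 'enabledForReportingButNotEnforced'

# Legacy auth is blocked when an enabled policy targets the legacy client app types with Block.
$BlocksLegacy = $Enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

# MFA for everyone: an enabled policy scoped to All users and All cloud apps that requires MFA,
# either as the built-in 'mfa' control or as an authentication strength.
$MfaAll = $Enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $null -ne $_.GrantControls.AuthenticationStrength.Id)
}

# Device compliance enforced (Step 5): access is gated on a compliant or hybrid-joined device,
# not merely reported. A policy in report-only state does not count as enforcement.
$RequiresCompliant = $Enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
    $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice'
}

[pscustomobject]@{
    LegacyAuthBlocked       = [bool]$BlocksLegacy
    MfaRequiredForAllUsers  = [bool]$MfaAll
    CompliantDeviceRequired = [bool]$RequiresCompliant
    ReportOnlyPolicies      = @($ReportOnly.DisplayName)
    DisabledPolicies        = @(($Policies | Where-Object State -eq 'disabled').DisplayName)
} | Format-List

# Exclusions (Conditions.Users.ExcludeUsers / ExcludeGroups) can hollow out any of these
# policies; review them by hand before recording a control as implemented.
```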
Step 6: Review Configuration Against the CMMC Practice Domains
Map your assessment findings to the specific CMMC Level 2 practice domains. Microsoft 365 touches controls across multiple domains — not just access control. A complete mapping exercise will identify which practices are fully implemented, partially implemented, or not implemented, and will form the basis of your remediation plan.
Key domains with significant M365 dependencies include:
- Access Control (AC) — Entra ID, Conditional Access, MFA, least privilege
- Audit and Accountability (AU) — Unified Audit Log, Sentinel, alert policies
- Configuration Management (CM) — Intune baselines, Secure Score benchmarks
- Identification and Authentication (IA) — Entra ID, password policies, MFA enforcement
- Media Protection (MP) — DLP policies, sensitivity labels, external sharing controls
- System and Communications Protection (SC) — Encryption in transit and at rest, Teams meeting controls
- System and Information Integrity (SI) — Defender for Endpoint, anti-malware, patch management
This mapping work is also the foundation of an accurate SPRS score submission. If your current score does not reflect the actual state of your M365 environment, you face False Claims Act exposure in addition to audit risk. Our team has detailed guidance on how to prepare for your CMMC audit that complements this M365-specific assessment process.
Step 7: Document Findings and Build a Remediation Plan
Every gap identified in your assessment must be documented — not just the ones you plan to fix before the audit. Assessors expect to see a mature POA&M that reflects an honest accounting of your security posture. Findings that are not in your POA&M but are visible in your environment create credibility problems during the assessment.
For each finding, document:
- The specific CMMC practice affected
- The current state of the control
- The planned remediation action
- The responsible owner and target completion date
- Any interim compensating controls in place
Findings that cannot be remediated before the assessment date are not automatically disqualifying at Level 2, but they must be documented and actively managed. Undisclosed gaps are far more damaging to your certification outcome than disclosed ones with credible remediation plans.
Common M365 Gaps We Find at Defense Contractors
Based on our work with federal defense contractors across the DIB, these are the Microsoft 365 security assessment findings that appear most frequently:
- Legacy authentication protocols enabled, bypassing MFA
- External sharing enabled broadly in SharePoint or OneDrive without CUI-aware exceptions
- Sensitivity labels deployed but not enforced through auto-labeling or DLP
- Unified Audit Log disabled or improperly retained
- Stale privileged accounts not reviewed or removed
- Intune device compliance policies in "report only" mode rather than enforcement mode
- Microsoft Secure Score improvements identified but never prioritized
If your organization needs a roadmap for addressing these findings systematically, our CMMC, CUI, and DFARS compliance services include M365 configuration reviews as part of a full pre-audit readiness engagement.
When to Bring in Expert Support
A self-conducted assessment is a valuable starting point, but it has inherent limitations. Your internal team may lack familiarity with every relevant CMMC control, may not know how assessors interpret specific configurations, or may not have the capacity to conduct a thorough review while maintaining day-to-day operations.
Organizations that engage external support for their M365 security assessment consistently identify more findings — and remediate them before the formal audit — than those who rely solely on internal resources. Our Regulatory vCISO services can provide ongoing compliance oversight across your M365 environment, bridging the gap between your IT team and your compliance obligations.
If you are preparing for a CMMC Level 2 assessment and want to ensure your Microsoft 365 environment is fully evaluated before your C3PAO arrives, request a quote from Cleared Systems today. Our team of compliance professionals and Microsoft-experienced engineers will conduct a structured pre-audit assessment, map findings to the CMMC practice framework, and deliver a prioritized remediation roadmap so you walk into your assessment with confidence.
