Why Microsoft Configuration Documentation Is Make-or-Break for CMMC
When a C3PAO assessor walks into your CMMC assessment, the first thing they want to see is not a verbal explanation of how your environment works. They want documentation. Specifically, they want evidence that your Microsoft 365 or GCC High environment is configured to protect Controlled Unclassified Information in a way that satisfies NIST SP 800-171 and the corresponding CMMC practices.
A properly configured tenant with no documentation is nearly as problematic as a misconfigured one. Assessors cannot take your word for it. Your Microsoft compliance configuration must be captured in writing, mapped to specific controls, and presented in a format that survives scrutiny. This post walks you through exactly how to do that.
Understand What Assessors Are Looking For
Before you start assembling screenshots and configuration exports, you need to understand the assessor's lens. CMMC Level 2 assessors evaluate three things: policies, practices, and evidence. Your Microsoft environment sits squarely in the practices and evidence categories. For each relevant control domain — access control, audit and accountability, configuration management, identification and authentication, system and communications protection — assessors expect to see that your technical controls are both implemented and documented.
If you are running Microsoft 365 GCC High, you have a strong foundation. If you are still on commercial Microsoft 365, your documentation burden increases because you must also demonstrate that your tenant configuration satisfies the FedRAMP Moderate equivalency requirements the DoD expects. Either way, the documentation approach is the same: configuration by configuration, control by control.
For a broader view of how GCC High fits into CMMC compliance, our post on Microsoft Office 365 GCC High features enabling CMMC compliance provides useful context before you begin documenting.
Build Your Configuration Documentation Framework
Do not approach this as a one-time evidence dump. Build a living documentation framework that you can update as your configuration changes and present confidently during assessment. The framework should include four primary components:
- System Security Plan (SSP) references: Your SSP should describe how Microsoft 365 satisfies each applicable NIST SP 800-171 control. Every configuration setting you document should trace back to a specific SSP statement.
- Configuration baselines: A written baseline describing the intended state of your tenant, including Conditional Access policies, Defender settings, Intune compliance policies, and Purview configurations.
- Evidence artifacts: Screenshots, exported policy settings, audit log samples, and reports that prove your baseline is actually in place.
- Change documentation: Records showing that your configuration has been reviewed, that changes go through a formal process, and that deviations are tracked in your Plan of Action and Milestones.
The Eight Configuration Areas You Must Document
1. Identity and Access Management
Document your Azure Active Directory configuration in detail. This includes multi-factor authentication enforcement, Conditional Access policies, privileged identity management settings, and guest access restrictions. Export your Conditional Access policy list and capture screenshots showing MFA is enforced for all users, particularly those with access to CUI. Document your named locations, sign-in risk policies, and any exceptions with a written justification for each exception.
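The export and exception inventory described above, as an added example (not Cleared Systems' tooling): a Microsoft Graph PowerShell script that pulls every Conditional Access policy from a GCC High tenant and writes an annotated exhibit index with a label, capture date, control mapping and an empty justification column for each exclusion. The output folder, the SSP reference string and the NIST SP 800-171 mapping table are assumptions to adjust to your own SSP.

```powershell
# Added example (not Cleared Systems' tooling): export Conditional Access policies
# from a GCC High tenant as annotated evidence exhibits. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account holds Policy.Read.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param(
    [string]$OutDir = ".\Evidence\ConditionalAccess",                    # assumed layout
    [string]$SspReference = "SSP 3.5 Identification and Authentication"  # assumed reference
)
# USGov is the GCC High cloud; use -Environment Global for a commercial tenant.
Connect-MgGraph -Scopes "Policy.Read.All" -Environment USGov -NoWelcome
$captured = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Illustrative grant-control to NIST SP 800-171 mapping; align it with your own SSP.
$controlMap = @{
    mfa             = "3.5.3 Multifactor authentication"
    compliantDevice = "3.1.1 Limit access to authorized devices"
    block           = "3.1.1 Limit system access"
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$exhibits = foreach ($p in $policies) {
    $grants = @($p.GrantControls.BuiltInControls | Where-Object { $_ })
    # Exclusions are the MFA exceptions an assessor will ask you to justify in writing.
    $excl = @(@($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
        Where-Object { $_ })
    [pscustomobject]@{
        ExhibitLabel   = "CA-" + $p.DisplayName
        CapturedUtc    = $captured
        PolicyId       = $p.Id
        State          = $p.State        # enabled, disabled, enabledForReportingButNotEnforced
        Enforced       = ($p.State -eq "enabled")
        GrantControls  = ($grants -join ",")
        Nist800171     = (($grants | ForEach-Object { $controlMap[$_] } | Where-Object { $_ }) -join "; ")
        SspReference   = $SspReference
        IncludedUsers  = (@($p.Conditions.Users.IncludeUsers) -join ",")
        ExclusionCount = $excl.Count
        Exclusions     = ($excl -join ",")
        Justification  = ""              # fill in per exception before the package ships
        ModifiedUtc    = $p.ModifiedDateTime
    }
}
# Annotated index for the assessor, plus the raw export so the annotation can be verified.
$exhibits | Export-Csv -Path (Join-Path $OutDir "conditional-access-exhibits.csv") -NoTypeInformation
$policies | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $OutDir "conditional-access-raw.json")

# Surface the two gaps the post lists: policies not enforced, and exceptions with no justification.
$exhibits | Where-Object { -not $_.Enforced -or $_.ExclusionCount -gt 0 } |
    Format-Table ExhibitLabel, State, ExclusionCount, Nist800171 -AutoSize
```

Run it again after every Conditional Access change so the capture date on the exhibits matches the tenant's current state rather than the SSP's last revision.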
2. Device Compliance Policies in Intune
Assessors will want to see that only compliant, managed devices can access your CUI environment. Export your Intune compliance policies and document what constitutes a compliant device in your environment — OS version requirements, encryption enforcement, screen lock settings, and antivirus status. Our detailed post on enforcing device compliance policies in Microsoft Intune for CMMC and DFARS covers the specific settings that matter most.
3. Microsoft Defender Configuration
Document your Defender for Endpoint policies, including attack surface reduction rules, tamper protection settings, and endpoint detection and response configurations. Export the policy settings from the Microsoft 365 Defender portal and annotate which settings satisfy which CMMC practices. Do not assume the assessor will make the connection — make it explicit in your documentation.
4. Data Loss Prevention Policies
Your DLP policies must be documented end to end: what sensitive information types are covered, which workloads are in scope (Exchange, SharePoint, Teams, OneDrive), what actions are triggered when a policy match occurs, and who receives alerts. Our blog post Understanding Data Loss Prevention provides foundational context that can help you structure your DLP documentation narrative for assessors.
5. Microsoft Purview Sensitivity Labels
If you are using sensitivity labels to mark and protect CUI, document your label taxonomy, the protection settings applied to each label, and the policies that govern automatic and recommended labeling. Capture screenshots of the label configurations in the Purview compliance portal and include examples of labeled documents. Reference how this maps to the CUI marking requirements your organization is subject to.
6. Audit Logging and Monitoring
Assessors expect to see that audit logging is enabled, that logs are retained appropriately, and that someone is actually reviewing them. Document your audit log retention settings, confirm that unified audit logging is enabled in your tenant, and provide samples of audit log exports. If you use a SIEM, document the connection between Microsoft and your SIEM and show that alerts are being generated and reviewed.
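The two audit-logging exhibits this section asks for, as an added example (not Cleared Systems' tooling): an Exchange Online PowerShell script that records whether unified audit logging is enabled and saves a dated sample of recent directory audit records, flagging the cases an assessor would treat as findings. The output folder, the sample window and the 3.3.1 control reference are assumptions; retention settings live in the Purview compliance portal and are captured separately.

```powershell
# Added example (not Cleared Systems' tooling): capture audit-logging evidence from the
# unified audit log of a GCC High tenant. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account is permitted to search the audit log.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$OutDir = ".\Evidence\AuditLogging",   # assumed layout
    [int]$SampleDays = 7                           # assumed sample window
)
# O365USGovGCCHigh selects the GCC High endpoints; omit the parameter for a commercial tenant.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false
$captured = (Get-Date).ToUniversalTime()
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Exhibit 1: is unified audit log ingestion switched on? (NIST SP 800-171 3.3.1, assumed mapping)
$cfg = Get-AdminAuditLogConfig
[pscustomobject]@{
    ExhibitLabel = "AU-UnifiedAuditLog-Enabled"
    CapturedUtc  = $captured.ToString("o")
    Value        = $cfg.UnifiedAuditLogIngestionEnabled
    Annotation   = "Tenant-wide unified audit log ingestion state; must be True for 3.3.1."
} | Export-Csv -Path (Join-Path $OutDir "unified-audit-log-enabled.csv") -NoTypeInformation

# Exhibit 2: a dated sample of recent directory activity, showing records are produced
# and can be reviewed (the AuditData JSON column is omitted to keep the sample readable).
$sample = Search-UnifiedAuditLog -StartDate $captured.AddDays(-$SampleDays) -EndDate $captured `
    -RecordType AzureActiveDirectory -ResultSize 200
$sample | Select-Object CreationDate, UserIds, Operations, RecordType |
    Export-Csv -Path (Join-Path $OutDir "audit-sample.csv") -NoTypeInformation

# Fail loudly on the gaps an assessor would flag: logging off, or no recent records at all.
if (-not $cfg.UnifiedAuditLogIngestionEnabled) { Write-Error "Unified audit logging is disabled" }
if (-not $sample) { Write-Warning "No audit records in the last $SampleDays days; confirm ingestion" }
```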
7. Email Security Configuration
Document your Exchange Online Protection and Defender for Office 365 settings. This includes anti-phishing policies, anti-malware settings, safe attachments, safe links, and spoofing protection. Export the policy configurations and annotate them against the relevant CMMC access control and system and communications protection practices.
8. Tenant-Level Security Settings
Document your Microsoft Secure Score baseline, your baseline security policies or security defaults configuration, external sharing settings in SharePoint and OneDrive, and Teams guest access settings. These tenant-level settings often represent the boundary between your CUI environment and the outside world, and assessors pay close attention to them.
How to Present Your Documentation to an Assessor
Organizing evidence is as important as collecting it. Structure your documentation package so that an assessor can navigate it by control domain rather than by Microsoft product. Create a master index that maps each CMMC practice to the relevant configuration documentation. Within each section, lead with your SSP narrative, follow with the configuration baseline description, and then attach the supporting evidence artifacts.
For more guidance on how to organize your overall documentation package, see our post on how to organize your CMMC documentation so assessors can navigate it easily.
Avoid burying your assessor in raw screenshots without context. Every exhibit should have a label, a date, and a brief annotation explaining what it shows and why it matters. Configuration exports without annotation are almost as unhelpful as no documentation at all.
Common Documentation Gaps That Derail Microsoft Configuration Reviews
After supporting dozens of CMMC assessments, our team at Cleared Systems consistently sees the same gaps surface during the Microsoft configuration review:
- Conditional Access policies exist in the tenant but are not fully described in the SSP
- MFA is enabled but exceptions are not documented or justified
- DLP policies are active but not mapped to specific CUI categories
- Audit logging is enabled but retention periods are not confirmed and documented
- Sensitivity labels are deployed but the label taxonomy and policy assignments are not in writing
- Intune compliance policies exist but the connection between device compliance and Conditional Access enforcement is not explained
- Configuration changes have occurred since the last SSP update, creating a gap between what the SSP says and what the tenant actually does
This last point deserves emphasis. Your documentation must reflect your current state, not your intended state or your state at the time you wrote the SSP. Configuration drift without documentation updates is one of the fastest paths to a failed assessment finding.
Keeping Your Configuration Documentation Current
CMMC compliance is not a point-in-time project. Your Microsoft configuration documentation should be treated as a living record. Establish a quarterly review cadence at minimum. Every change to your tenant configuration — a new Conditional Access policy, a modified DLP rule, a change to guest access settings — should trigger a documentation update. Your configuration management policy should require this explicitly.
If your organization lacks the internal bandwidth to maintain this level of documentation rigor, our Regulatory vCISO services can provide the ongoing oversight your compliance program needs. A vCISO embedded in your program will ensure that your documentation stays current and that your Microsoft configuration continues to satisfy your contractual obligations as they evolve.
Aligning Configuration Documentation with Your Broader CMMC Program
Microsoft configuration documentation does not exist in isolation. It is one component of a comprehensive compliance program that includes policies, procedures, training records, risk assessments, and incident response plans. Your CMMC, CUI, and DFARS compliance program should treat your Microsoft environment as a critical control system that requires the same documentation discipline as any other security control.
Organizations pursuing CMMC Level 2 certification should also ensure that their Microsoft configuration documentation is consistent with their SSP boundary definition. If a system or service is inside your assessment boundary, it must be documented. If it is outside, you need to be able to explain why and show that CUI does not traverse it.
For additional perspective on the relationship between your SSP and your Plan of Action and Milestones, our post on SSP and POA&M as critical components of a strong security program is worth reviewing before you finalize your documentation package.
Take the Next Step
Documenting your Microsoft compliance configuration for a CMMC assessment is detailed, time-consuming work — but it is work that directly determines whether your assessment succeeds or fails. If you are unsure whether your current documentation would hold up under a C3PAO review, Cleared Systems can help. Request a quote today to speak with our team about a Microsoft configuration review, documentation support, or full CMMC assessment preparation. We have guided defense contractors through this process at every stage, and we know exactly what assessors are looking for.
