How to Properly Handle CUI in Microsoft 365: Labeling, Access Controls, and Audit Requirements

Why CUI in Microsoft 365 Demands More Than Default Settings

Microsoft 365 is the productivity platform of choice for thousands of defense contractors, federal agencies, and regulated organizations. But using a commercially available cloud platform to store, process, or transmit Controlled Unclassified Information does not automatically make you compliant. The platform provides the tools. Your organization is responsible for configuring and using them correctly.

If your organization handles CUI under DFARS clause 252.204-7012, NIST SP 800-171, or is working toward CMMC certification, your Microsoft 365 environment must be configured to meet specific labeling, access control, and audit logging requirements. Out-of-the-box settings will not get you there. This post walks through what proper CUI handling in Microsoft 365 actually looks like in practice.

Step One: Determine Whether You Need Commercial M365, GCC, or GCC High

Before configuring anything, you need to confirm you are operating in the right Microsoft environment. Not all Microsoft 365 tenants are created equal, and choosing the wrong one is a compliance failure before you even begin.

  • Commercial Microsoft 365: Not authorized for CUI storage or processing. Data residency and administrative access controls do not meet federal requirements.
  • Microsoft 365 GCC: Meets FedRAMP Moderate baseline. Suitable for some CUI scenarios but does not satisfy ITAR or the most stringent DFARS requirements.
  • Microsoft 365 GCC High: Meets FedRAMP High and is the standard for organizations handling CUI under DFARS, CMMC Level 2, and ITAR-controlled technical data. Administrative access is restricted to screened U.S. persons.

If you are uncertain which environment applies to your contract requirements, review your contract language carefully and consult with a qualified compliance advisor. Our post on what GCC High is for ITAR and CMMC 2.0 provides a solid starting point.

CUI Labeling in Microsoft 365: Using Sensitivity Labels Correctly

Labeling is the foundation of any CUI handling program in Microsoft 365. Under 32 CFR Part 2002 and the CUI Registry, CUI must be marked so that anyone who encounters the information understands it requires protection. In a digital environment, sensitivity labels in Microsoft Purview Information Protection (formerly Azure Information Protection) are the primary mechanism for meeting this requirement.

What Sensitivity Labels Must Accomplish

  • Visually identify documents and emails containing CUI, typically with a header, footer, or watermark marking such as CUI or the applicable CUI category designation.
  • Apply persistent protection that travels with the file, even when it leaves your organization's environment.
  • Trigger downstream protections such as encryption, rights management, and DLP policy enforcement.
  • Be applied consistently, whether by the user manually or through auto-labeling policies based on content inspection.

Configuring Labels for CUI Categories

Not all CUI is the same. CUI Basic and CUI Specified carry different handling requirements. Your label taxonomy should reflect the categories your organization actually handles, such as Controlled Technical Information (CTI), Export Controlled, Privacy, or Legal. Generic "Confidential" labels do not satisfy the specificity requirements of the CUI Program.

Auto-labeling policies in Microsoft Purview can be configured to detect sensitive content patterns, such as export-controlled terms, Social Security numbers, or contract numbers, and apply the appropriate label automatically. This reduces the burden on end users and improves consistency. For a deeper look at how this works in practice, see our post on classifying and protecting CUI with Azure Information Protection.

Access Controls: Limiting CUI to Authorized Users

NIST SP 800-171 Control 3.1.1 requires that organizations limit system access to authorized users and to the types of transactions those users are permitted to execute. In Microsoft 365, this translates to a layered set of access controls that must be deliberately configured.

Key Access Control Requirements for CUI Environments

  • Multi-Factor Authentication (MFA): Required for all users with access to CUI. Conditional Access policies in Microsoft Entra ID (formerly Azure AD) should enforce MFA for every sign-in, with no exceptions for privileged accounts.
  • Role-Based Access Control (RBAC): Users should only have access to CUI they need to perform their job function. SharePoint site permissions, Teams channel access, and OneDrive sharing settings must be reviewed and tightened beyond default configurations.
  • External Sharing Restrictions: Sharing CUI with external parties requires authorization and, in most cases, the use of approved secure channels. External sharing of CUI via Microsoft 365 should be disabled by default and enabled only through controlled exceptions.
  • Guest Access Controls: Microsoft 365 guest access can inadvertently expose CUI to unauthorized individuals. Guest accounts in CUI-processing environments should be prohibited or strictly governed.
  • Privileged Identity Management (PIM): Administrative access to your Microsoft 365 tenant should be governed through just-in-time access controls. Permanent global administrator assignments are a red flag in any CMMC or DFARS assessment.

Access controls are not a one-time configuration. They must be reviewed regularly and tied to your organization's user provisioning and de-provisioning processes. When an employee leaves or changes roles, their access to CUI systems must be revoked promptly. Our CMMC, CUI, and DFARS compliance services help organizations build and maintain these controls systematically.

Data Loss Prevention: Preventing Unauthorized Disclosure

Even with proper labeling and access controls in place, CUI can still be exfiltrated through email, chat, or file sharing if Data Loss Prevention (DLP) policies are not configured. Microsoft Purview DLP allows you to create policies that detect and block the transmission of CUI to unauthorized recipients or locations.

Effective DLP configurations for CUI environments typically include policies that:

  • Prevent labeled CUI documents from being emailed to external domains.
  • Block the upload of CUI to personal cloud storage services.
  • Alert administrators when CUI is accessed outside of expected patterns.
  • Restrict printing or downloading of CUI to unmanaged devices.

For a more detailed breakdown of DLP strategy, see our post on understanding Data Loss Prevention.

Audit Logging: Meeting the Evidence Requirements

NIST SP 800-171 requires audit logging under controls 3.3.1 and 3.3.2. Auditable events must be captured, protected, and reviewed. Microsoft 365 provides extensive audit logging capabilities through the Microsoft Purview compliance portal, but those logs must be actively enabled, configured, and retained to satisfy compliance requirements.

What Must Be Logged in a CUI Environment

  • User sign-in events, including failed authentication attempts
  • File access, modification, download, and deletion events for CUI
  • Changes to permissions and access control configurations
  • DLP policy matches and override events
  • Sensitivity label application, modification, or removal
  • Administrative actions affecting tenant configuration
  • External sharing events and guest access activities
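One way to review an exported audit log against this list, as an added example that is not part of the original post: the script below parses constructed Unified Audit Log records (one JSON object per line, shaped like each record's AuditData payload), maps each to one of the auditable-event categories above, surfaces the operations that weaken a protection, and reports any category with no evidence in the export. The Operation names are assumed to match the Office 365 Management Activity API schema; confirm them against your own tenant's exports.

```python
"""Triage exported Microsoft 365 Unified Audit Log records against the CUI
auditable-event list. Sample records are constructed; Operation names are assumed
to match the Office 365 Management Activity API schema (verify in your tenant)."""
import json
from collections import Counter
# Auditable-event categories from the list above and the Operations evidencing each.
CUI_AUDIT_EVENTS = {
    "sign_in": {"UserLoggedIn", "UserLoginFailed"},
    "file_activity": {"FileAccessed", "FileModified", "FileDownloaded", "FileDeleted"},
    "permission_change": {"SharingSet", "AddedToGroup"},
    "dlp": {"DlpRuleMatch", "DlpRuleUndo"},
    "label": {"SensitivityLabelApplied", "SensitivityLabelUpdated", "SensitivityLabelRemoved"},
    "admin_action": {"Add member to role."},
    "external_sharing": {"SharingInvitationCreated", "AnonymousLinkCreated"},
}
# Operations that weaken or bypass a protection; a reviewer should see these first.
HIGH_PRIORITY = {"SensitivityLabelRemoved", "DlpRuleUndo", "AnonymousLinkCreated", "Add member to role."}

def load_export(text):
    """Parse one JSON record per line, the shape of each record's AuditData payload."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(record):
    """Return the auditable-event category for a record, or None if out of scope."""
    op = record.get("Operation", "")
    return next((cat for cat, ops in CUI_AUDIT_EVENTS.items() if op in ops), None)

def triage(records):
    """Return (per-category counts, high-priority findings, categories with no evidence)."""
    counts, findings = Counter(), []
    for rec in records:
        cat = classify(rec)
        if cat is None:
            continue  # workload noise outside the CUI auditable-event list
        counts[cat] += 1
        if rec["Operation"] in HIGH_PRIORITY:
            findings.append(f"{rec['CreationTime']} {rec['UserId']} {rec['Operation']} {rec.get('ObjectId', '')}".rstrip())
    # Zero records for a required category is an evidence gap, not a clean result.
    missing = sorted(set(CUI_AUDIT_EVENTS) - set(counts))
    return counts, findings, missing
# Constructed sample: a user downloads a CTI drawing, strips its label and shares it anonymously.
SAMPLE_EXPORT = """
{"CreationTime":"2024-03-04T13:02:11","UserId":"j.doe@example.onmicrosoft.us","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-04T13:05:40","UserId":"j.doe@example.onmicrosoft.us","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"https://example.sharepoint.us/sites/CTI/Drawing-A17.pdf"}
{"CreationTime":"2024-03-04T13:06:02","UserId":"j.doe@example.onmicrosoft.us","Operation":"SensitivityLabelRemoved","Workload":"SharePoint","ObjectId":"https://example.sharepoint.us/sites/CTI/Drawing-A17.pdf"}
{"CreationTime":"2024-03-04T13:07:15","UserId":"j.doe@example.onmicrosoft.us","Operation":"AnonymousLinkCreated","Workload":"SharePoint","ObjectId":"https://example.sharepoint.us/sites/CTI/Drawing-A17.pdf"}
{"CreationTime":"2024-03-04T13:09:30","UserId":"j.doe@example.onmicrosoft.us","Operation":"DlpRuleUndo","Workload":"Exchange"}
{"CreationTime":"2024-03-04T14:00:00","UserId":"admin@example.onmicrosoft.us","Operation":"Add member to role.","Workload":"AzureActiveDirectory"}
"""
```

Running `triage(load_export(SAMPLE_EXPORT))` on the constructed records reports one event in each category except permission changes, which is listed as an evidence gap, and four high-priority findings in the order they occurred.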

Log Retention and Protection

Audit logs must be retained for a period consistent with your organization's security plan. For most CMMC Level 2 environments, a minimum of 90 days of online log availability and one year of total retention is a reasonable baseline, though your specific requirements may vary based on contract language or agency direction. Logs must also be protected from unauthorized modification or deletion. Exporting audit logs to an immutable storage location, such as Azure Blob Storage with a locked time-based retention policy, is a common and defensible approach.

Without a functioning audit program, you cannot demonstrate that your controls are actually operating as designed. This is one of the areas where assessors consistently find gaps. Our post on SSP and POA&M as critical components of a strong security program explains how audit evidence ties into your broader compliance documentation.

Microsoft 365 Licensing: Do You Have the Right Plan?

Many of the compliance features described in this post, including advanced sensitivity labeling, auto-classification, DLP for Teams and SharePoint, and Privileged Identity Management, require Microsoft 365 E3 or E5 licensing, or the equivalent government licensing tier. Organizations running on basic Business or F-series licenses will not have access to these controls. Understanding your licensing baseline is a prerequisite to any compliance configuration effort. Our post on what a Microsoft 365 E5 license includes covers the compliance-relevant features in detail.

Common Mistakes We See in CUI Microsoft 365 Environments

  1. Using commercial M365 tenants to store CUI because it was already in place before a defense contract was awarded.
  2. Applying generic "Confidential" labels that do not map to the CUI Registry and do not carry enforceable protection settings.
  3. Leaving external sharing enabled at the tenant or site level, allowing CUI to flow to unauthorized recipients.
  4. Failing to enable or retain audit logs, making it impossible to demonstrate compliance or investigate incidents.
  5. Treating Microsoft 365 configuration as a one-time project rather than an ongoing governance and monitoring responsibility.

Building a Sustainable CUI Compliance Program in Microsoft 365

Properly handling CUI in Microsoft 365 is not a technology problem with a technology solution. It is a governance problem that requires written policies, trained personnel, enforced technical controls, and ongoing monitoring. The configuration work is significant, but it must be supported by a System Security Plan that documents how each NIST 800-171 control is implemented, a POA&M that tracks open gaps, and regular reviews that verify controls remain effective.

Organizations pursuing CMMC certification should also understand that assessors will test whether your Microsoft 365 controls are actually functioning, not just whether they are documented. A label taxonomy that exists in the compliance portal but is never applied by users is not a functioning control. For further reading on the underlying NIST requirements your Microsoft 365 configuration must support, our guide to NIST SP 800-171 Revision 3 is required reading for any compliance manager in this space.

If your organization is building or modernizing its approach to handling CUI in federal and defense-adjacent cloud environments, our IT compliance services and regulatory vCISO services are structured to help you get there efficiently and defensibly.

Ready to Get Your Microsoft 365 CUI Environment Compliant?

Cleared Systems works with defense contractors and federal agencies to configure Microsoft 365 environments that meet CMMC, DFARS, and NIST SP 800-171 requirements, from sensitivity label taxonomy and DLP policy design to audit log retention and access control governance. If you are unsure whether your current environment would survive an assessor review, the time to find out is before the assessment, not during it. Request a quote today to speak with our team about where your program stands and what it will take to get it where it needs to be.
