How to Run a Microsoft 365 Compliance Assessment Aligned to NIST 800-171 and CMMC

Why Your Microsoft 365 Environment Needs a Compliance Assessment

Microsoft 365 is the backbone of day-to-day operations for most defense contractors and federal agencies. Email, file collaboration, video calls, and document storage all flow through it. But deploying Microsoft 365 and securing it for Controlled Unclassified Information (CUI) are two entirely different things. A default Microsoft 365 configuration leaves significant security gaps that will surface during a CMMC assessment or a DIBCAC audit.

A structured Microsoft 365 compliance assessment closes those gaps before they cost you a contract. This post walks through how to run one, which NIST 800-171 domains it maps to, and what assessors will look for when they arrive.

Step 1: Establish Your Scope and Asset Inventory

Before you touch a configuration setting, define exactly which systems, users, and data flows are in scope. This means identifying every Microsoft 365 workload that touches CUI: Exchange Online, SharePoint, OneDrive, Teams, and any connected third-party applications.

  • Document which user accounts have access to CUI repositories
  • Identify guest accounts, shared mailboxes, and service accounts
  • Map data flows between Microsoft 365 and on-premises systems
  • Determine whether you are operating on a commercial tenant, GCC, or GCC High tenant

Tenant type matters enormously. If your contracts require ITAR compliance or CMMC Level 2 certification, a commercial Microsoft 365 tenant almost certainly does not meet the bar. Our post on what GCC High means for ITAR and CMMC 2.0 explains those distinctions in detail. Getting scope wrong at this stage means everything downstream is built on a faulty foundation.

Step 2: Map Your Assessment to NIST 800-171 Domains

NIST SP 800-171 organizes its 110 security requirements across 14 domains. A Microsoft 365 compliance assessment does not cover all 14 equally, but it has direct implications for at least nine of them. The most critical for Microsoft 365 include:

  • Access Control (3.1): Conditional Access policies, role-based access, and least privilege enforcement in Microsoft Entra ID (formerly Azure AD)
  • Audit and Accountability (3.3): Unified Audit Log configuration, log retention, and alert policies in Microsoft Purview
  • Configuration Management (3.4): Baseline configurations enforced through Microsoft Intune and Group Policy
  • Identification and Authentication (3.5): Multi-factor authentication enforcement, password policies, privileged identity management
  • Incident Response (3.6): Microsoft Defender for Office 365 alert integration and incident response playbooks
  • Media Protection (3.8): Sensitivity labels and data loss prevention policies governing CUI exports
  • Risk Assessment (3.11): Secure Score benchmarking and vulnerability reporting
  • System and Communications Protection (3.13): Encryption in transit and at rest, Teams meeting security, and external sharing controls
  • System and Information Integrity (3.14): Defender antimalware policies and patch management for Microsoft 365 Apps

For a plain-language breakdown of all 14 domains, see our guide on NIST 800-171 security requirements.

Step 3: Review Identity and Access Controls

Access control failures are among the most common findings in Microsoft 365 environments. Your assessment must validate the following:

  1. Multi-factor authentication is enforced for all users, including administrators, with no exceptions for legacy authentication protocols
  2. Conditional Access policies restrict CUI access to compliant, managed devices
  3. Privileged Identity Management is configured so that global administrator roles require just-in-time activation
  4. External sharing in SharePoint and OneDrive is disabled or restricted to approved domains only
  5. Guest account access is reviewed and limited to explicitly authorized collaborators

Each of these maps directly to NIST 800-171 control families 3.1 and 3.5, and each is something a C3PAO assessor will test during a CMMC Level 2 audit. Gaps here are rarely minor findings.
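To make the first three checks above repeatable rather than a one-time screenshot exercise, here is an added example (not code from the original post) that evaluates a JSON export of Conditional Access policies, shaped like the Microsoft Graph conditionalAccessPolicy resource, and reports pass/fail for MFA on all users, blocking of legacy authentication, and a compliant-device requirement. The sample policies, the break-glass object id, and the rule that report-only policies count as unenforced are assumptions made for this example.

```python
# Added example: evaluate an exported set of Conditional Access policies against
# the Step 3 checks. Policy shape follows the Microsoft Graph
# conditionalAccessPolicy resource; the sample policies are constructed.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's names for legacy auth clients
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}  # together equal to "all" modern clients

def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return policy.get("state") == "enabled"

def _scope_all(policy):
    cond = policy["conditions"]
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def _grants(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def _clients(policy):
    return set(policy["conditions"].get("clientAppTypes", []))

def assess_conditional_access(policies):
    """Pass/fail for the identity checks listed in Step 3, plus the MFA exclusion list."""
    enforced = [p for p in policies if _enforced(p)]
    mfa = [p for p in enforced if _scope_all(p) and "mfa" in _grants(p)
           and ("all" in _clients(p) or MODERN_CLIENTS <= _clients(p))]
    legacy_blocked = any(_scope_all(p) and _grants(p) == {"block"}
                         and LEGACY_CLIENTS <= _clients(p) for p in enforced)
    compliant = any(_scope_all(p) and "compliantDevice" in _grants(p) for p in enforced)
    # Excluded accounts (e.g. break-glass) weaken "all users" unless documented in the SSP.
    excluded = sorted({u for p in mfa for u in p["conditions"]["users"].get("excludeUsers", [])})
    return {"mfa_for_all_users": bool(mfa), "legacy_auth_blocked": legacy_blocked,
            "compliant_device_required": compliant, "mfa_exclusions": excluded}

SAMPLE_POLICIES = [  # constructed export, not from a real tenant
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-object-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

The sample deliberately leaves the legacy-auth block in report-only mode, which is how this gap usually looks in practice: the policy exists in the portal but the check still fails.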

Step 4: Assess Data Loss Prevention and Sensitivity Labeling

One of the clearest indicators of CUI protection maturity is how well an organization has implemented Microsoft Purview sensitivity labels and Data Loss Prevention policies. Many contractors have licenses for these tools but have never configured them meaningfully.

Your assessment should verify:

  • Sensitivity labels are defined and published for CUI categories relevant to your contracts
  • Auto-labeling policies are configured to catch unlabeled CUI (content not yet carrying a sensitivity label) at rest and in transit
  • DLP policies prevent CUI from being emailed externally, shared via personal OneDrive, or copied to unmanaged devices
  • Endpoint DLP extends coverage to local file copies on managed workstations

Our post on understanding Data Loss Prevention provides useful background on how DLP policies work within the Microsoft ecosystem. For organizations that have struggled to implement labeling in practice, our case study on Microsoft AIP for CUI and ITAR data labeling shows what a successful deployment looks like.

Step 5: Audit Logging and Monitoring Configuration

NIST 800-171 requires that you create and retain system audit logs sufficient to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. In Microsoft 365, this means the Unified Audit Log must be enabled, configured to capture the right event types, and retained for a period consistent with your SSP commitments.

During your assessment, confirm that:

  • Unified Audit Log is enabled across the entire tenant, not just for selected workloads
  • Audit log retention meets your documented policy, typically 90 days minimum with longer retention for high-value events
  • Alert policies are configured for high-risk activities: mass file downloads, external forwarding rules, admin role changes, and failed login spikes
  • Logs are being exported to a SIEM or log management platform for analysis

Logging that exists but is never reviewed does not satisfy the intent of the control. Assessors will ask for evidence of monitoring activity, not just configuration screenshots.
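As an added example, not code from the original post, the four alert categories in the checklist above (external forwarding rules, admin role changes, mass file downloads, failed login spikes) implemented as detection logic over Unified Audit Log records. It assumes each record's AuditData has already been parsed into top-level fields (Operation, UserId, CreationTime and, for Exchange cmdlet records, Parameters); the tenant domains, the per-hour thresholds and the records themselves are constructed for the example.

```python
# Added example: detection logic for the four Step 5 alert categories, run over
# Unified Audit Log records whose AuditData has already been parsed into fields.
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's accepted domains
THRESHOLDS = {"FileDownloaded": 50, "UserLoginFailed": 10}  # per user per hour (assumed values)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}  # inbox-rule parameters

def _external_forward(rec):
    # Inbox-rule cmdlets that forward or redirect mail outside the tenant's own domains.
    return rec["Operation"] in {"New-InboxRule", "Set-InboxRule"} and any(
        p["Name"] in FORWARD_PARAMS and p["Value"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
        for p in rec.get("Parameters", []))

def _burst_users(records, op, window=timedelta(hours=1)):
    # Users with at least THRESHOLDS[op] events of type `op` inside any one-hour window.
    times = defaultdict(list)
    for r in records:
        if r["Operation"] == op:
            times[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    hits = set()
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):  # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= THRESHOLDS[op]:
                hits.add(user)
                break
    return hits

def detect(records):
    # Map each Step 5 alert category to the users that triggered it.
    return {
        "external_forwarding": sorted({r["UserId"] for r in records if _external_forward(r)}),
        "admin_role_changes": sorted({r["UserId"] for r in records if r["Operation"] == "Add member to role."}),
        "mass_downloads": sorted(_burst_users(records, "FileDownloaded")),
        "failed_login_spikes": sorted(_burst_users(records, "UserLoginFailed")),
    }

SAMPLE_RECORDS = [  # constructed records, not from a real tenant
    {"CreationTime": "2024-05-01T09:00:00", "UserId": "alice@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "alice.home@mail.example"}]},
    {"CreationTime": "2024-05-01T09:05:00", "UserId": "admin@contoso.example", "Operation": "Add member to role."},
] + [{"CreationTime": f"2024-05-01T10:{i:02d}:00", "UserId": "bob@contoso.example", "Operation": "FileDownloaded"}
     for i in range(55)
] + [{"CreationTime": f"2024-05-01T11:{i:02d}:00", "UserId": "carol@contoso.example", "Operation": "UserLoginFailed"}
     for i in range(3)]
```

Running the same logic on a scheduled basis against a real audit export, and keeping the output, is the kind of evidence of monitoring activity that the paragraph above says assessors ask for in place of configuration screenshots.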

Step 6: Endpoint and Device Compliance

Microsoft Intune is the primary tool for enforcing device compliance policies in a Microsoft 365 environment. Your assessment must confirm that device compliance policies are actually blocking non-compliant devices from accessing CUI, not just flagging them.

Key items to assess include:

  • Intune compliance policies require disk encryption, OS patch currency, and antivirus status
  • Conditional Access is integrated with Intune so that non-compliant devices are blocked, not granted limited access
  • Mobile devices accessing corporate email or Teams are enrolled and managed
  • Application protection policies prevent copy-paste of CUI data into unmanaged applications

Step 7: Document Findings and Build Your POA&M

A compliance assessment is only as valuable as the remediation plan it produces. Every gap identified during the assessment must be documented with a severity rating, a responsible owner, and a realistic remediation timeline. This documentation feeds directly into your Plan of Action and Milestones (POA&M) and your System Security Plan (SSP).

Organizations pursuing CMMC, CUI, and DFARS compliance need both documents to be current and accurate before a C3PAO assessment begins. An assessor who finds gaps between your SSP and your actual configuration will treat the discrepancy as a finding, regardless of whether the technical control is partially in place.

For a deeper look at how these documents work together, see our post on SSP and POA&M as critical components of a strong security program.

Common Gaps We Find in Microsoft 365 Environments

After running assessments for contractors across the federal and defense sector, the same gaps appear repeatedly:

  • Legacy authentication protocols enabled, bypassing MFA entirely
  • Unified Audit Log disabled or configured with insufficient retention
  • Sensitivity labels defined but not enforced through DLP or Conditional Access
  • External sharing set to "Anyone with a link" on SharePoint sites containing CUI
  • Microsoft Secure Score treated as a compliance metric rather than a starting point
  • No integration between Microsoft Defender alerts and an incident response process

None of these gaps are difficult to close once they are identified. The problem is that most organizations do not know they exist until an assessor finds them.

Do You Need GCC High for This Assessment?

If your organization handles CUI under DFARS 252.204-7012 or is pursuing CMMC Level 2 certification, the assessment framework described here applies regardless of your tenant type. However, the tenant you are operating on will affect which controls are available to you and which compliance boundaries apply. Our detailed post on Microsoft Office 365 GCC High features enabling CMMC compliance explains the architectural differences that matter most for defense contractors.

Our IT compliance services team works with organizations across both commercial M365 and GCC High environments to run these assessments and develop remediation roadmaps that hold up under scrutiny.

Take the Next Step

A Microsoft 365 compliance assessment aligned to NIST 800-171 and CMMC is one of the highest-value activities a defense contractor can undertake before pursuing certification. It surfaces real gaps, informs your SSP, and gives your remediation team a clear priority list. If your organization needs a structured assessment led by experienced compliance professionals, Cleared Systems is ready to help. Request a quote to discuss your environment, your contract requirements, and the fastest path to a defensible compliance posture.
