Why a Microsoft 365 Compliance Assessment Is Non-Negotiable for Defense Contractors
Microsoft 365 is the productivity backbone for thousands of defense contractors. It is also one of the most frequently misconfigured environments we encounter during compliance engagements. Out-of-the-box settings are designed for commercial convenience, not regulatory compliance. When Controlled Unclassified Information flows through an improperly configured M365 tenant, you are not just creating audit exposure — you are creating a breach waiting to happen.
A structured Microsoft 365 compliance assessment gives compliance managers and executives a clear picture of where their environment stands against CMMC, DFARS 252.204-7012, NIST SP 800-171, and ITAR requirements. The 30 areas below represent the critical evaluation points our team examines on every engagement. Use this as your starting framework.
Tenant Configuration and Licensing
1. Tenant Type Verification
Confirm whether your organization is operating on Commercial, GCC, or GCC High. Many contractors handling CUI are running on commercial tenants that do not satisfy the DFARS 252.204-7012 requirement that any cloud service used for covered defense information meet FedRAMP Moderate or equivalent. GCC High is generally required for ITAR-controlled technical data, because its US data residency and screened-US-person support commitments are what the export rules demand, and it is the usual choice for CMMC Level 2 environments with CUI. Settle this first: tenant type determines which controls you can claim as inherited from Microsoft and which you must implement yourself.
2. License Level Adequacy
Evaluate whether your current license tier provides the compliance tooling you need. Microsoft 365 E3 ships with Defender for Endpoint Plan 1, manual sensitivity labeling, Entra ID P1, and Audit (Standard), which leaves gaps against several CMMC Level 2 practices. Microsoft 365 E5, the equivalent Government G5 SKU, or the E5 Security and E5 Compliance add-ons bring Defender for Endpoint Plan 2, Purview automatic labeling and the full DLP feature set, Entra ID P2 for Privileged Identity Management, and Audit (Premium) with longer log retention. Record which license feature each finding in this list depends on; a remediation plan that assumes E5 capabilities in an E3 tenant fails on day one.
3. Tenant Isolation Controls
Assess whether your tenant is properly isolated from non-compliant partner tenants. External collaboration settings, guest access policies, and cross-tenant sync configurations must all be reviewed to prevent unauthorized CUI exposure.
Identity and Access Management
4. Multi-Factor Authentication Coverage
Verify that MFA is enforced for all users, not just administrators. Conditional Access policies should require MFA for every user and phishing-resistant MFA, expressed as an authentication strength (FIDO2 security keys, Windows Hello for Business, or certificate-based authentication), for any account that can access CUI. Gaps here directly map to NIST SP 800-171 control 3.5.3, which requires MFA for all network access and for local access to privileged accounts.
5. Privileged Identity Management
Evaluate whether privileged roles are managed through Microsoft Entra Privileged Identity Management (PIM, formerly Azure AD PIM) with eligible rather than permanent assignments, just-in-time activation, and approval workflows. The only accounts that should hold permanent Global Administrator rights are the emergency-access (break-glass) accounts, which in turn must be deliberately excluded from Conditional Access and alerted on for any sign-in. Standing global administrator privileges beyond those are a significant finding in every assessment we conduct.
6. Conditional Access Policy Architecture
Review the completeness of your Conditional Access policy set, and confirm that each policy you are relying on is in the enabled state rather than report-only, which evaluates but enforces nothing. Policies must address compliant device requirements, location-based access restrictions, sign-in risk thresholds, and legacy authentication blocking.
7. External Guest Access Controls
Determine whether guest and external user access is appropriately restricted. B2B collaboration settings must prevent foreign nationals from accessing ITAR-controlled technical data or CUI repositories without proper authorization.
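The following is an added example, not code from the original article, showing how an assessor can test items 4 through 6 from a terminal instead of clicking through the portal. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and the signed-in account can read policies and role assignments (Global Reader is sufficient); the built-in authentication strength and role identifiers are the documented Microsoft values, and the pass/gap thresholds are this example's own.

```powershell
# Added example (not code from the original article): audit the Conditional Access policy
# set and standing Global Administrator assignments with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read policies
# and role assignments (Global Reader is sufficient).
# GCC High tenants add: Connect-MgGraph -Environment USGov
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy -All
$enforced = $policies | Where-Object { $_.State -eq 'enabled' }

# Id of the built-in "Phishing-resistant MFA" authentication strength. A custom strength
# will not match this and needs a manual look at its allowed combinations.
$phishingResistantId = '00000000-0000-0000-0000-000000000004'

# Each check passes only if an enabled policy targets All users and All cloud apps and grants
# the control in question. Policies scoped to a group or an app are deliberately not counted.
$checks = [ordered]@{
    'MFA for all users'              = { param($g) ($g.BuiltInControls -contains 'mfa') -or ($null -ne $g.AuthenticationStrength.Id) }
    'Phishing-resistant MFA for all' = { param($g) $g.AuthenticationStrength.Id -eq $phishingResistantId }
    'Compliant device for all'       = { param($g) $g.BuiltInControls -contains 'compliantDevice' }
}
foreach ($name in $checks.Keys) {
    $hit = $enforced | Where-Object {
        ($_.Conditions.Users.IncludeUsers -contains 'All') -and
        ($_.Conditions.Applications.IncludeApplications -contains 'All') -and
        (& $checks[$name] $_.GrantControls)
    }
    '{0,-32} {1}' -f $name, $(if ($hit) { 'PASS  ' + (($hit | ForEach-Object DisplayName) -join '; ') } else { 'GAP' })
}

# Legacy authentication is blocked when an enabled policy scopes the two legacy client app
# types (exchangeActiveSync and other) for All users and grants "block".
$legacyBlock = $enforced | Where-Object {
    ($_.Conditions.Users.IncludeUsers -contains 'All') -and
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
    ($_.Conditions.ClientAppTypes -contains 'other') -and
    ($_.GrantControls.BuiltInControls -contains 'block')
}
'{0,-32} {1}' -f 'Legacy auth blocked', $(if ($legacyBlock) { 'PASS' } else { 'GAP' })

# Report-only policies appear in the portal but enforce nothing. A common finding.
$policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    ForEach-Object { "REPORT-ONLY: $($_.DisplayName)" }

# Standing Global Administrator assignments. PIM-eligible assignments are stored separately
# and are not returned by this call, so in a tenant that uses PIM correctly the list below
# should contain only the emergency-access accounts (plus anyone whose time-bound PIM
# activation is currently active).
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator role
Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal |
    ForEach-Object {
        $p = $_.Principal.AdditionalProperties
        "STANDING GA: $($p['userPrincipalName']) $($p['displayName'])"
    }
```

Run it before and after the engagement: the three PASS/GAP lines and the standing-administrator list are the evidence an assessor will ask for under 3.5.3 and 3.1.5, and a policy that passes only because it is scoped to a pilot group will correctly show as GAP.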
Data Protection and Information Governance
8. Sensitivity Label Deployment
Assess whether Microsoft Purview sensitivity labels are deployed, published to all relevant users, and actively applied to CUI categories. Labels should enforce encryption, restrict sharing, and support consistent data classification across your organization.
9. Data Loss Prevention Policy Coverage
Evaluate DLP policies across Exchange, SharePoint, OneDrive, and Teams. Policies must detect and block the exfiltration of CUI, export-controlled technical data, and personally identifiable information. Two gaps are easy to miss: a policy still in test mode generates reports but blocks nothing, and a policy whose location list omits a workload (Teams chat is the usual one) leaves that workload uncovered no matter how good its rules are. Review how DLP enforcement gaps create compliance liability before your next audit.
10. Retention Policy Alignment
Confirm that retention policies align with your contractual and regulatory obligations. DFARS and FAR clauses impose specific records retention requirements that must be reflected in your Microsoft Purview retention configurations.
11. CUI Boundary Definition in M365
Identify which SharePoint sites, Teams channels, OneDrive folders, and mailboxes are within your CUI boundary. Undefined boundaries are a leading cause of scope creep and uncontrolled data exposure during CMMC assessments.
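As an added example that is not part of the original article, the Security & Compliance PowerShell session below pulls the label and DLP state behind items 8 and 9 into one report. It assumes the ExchangeOnlineManagement module; the workload list and the "enforcing" test are this example's own framing of the policy Mode values Microsoft exposes.

```powershell
# Added example (not code from the original article): enumerate sensitivity labels, label
# policies, and DLP policies with Security & Compliance PowerShell and flag the states that
# look like coverage in the portal but protect nothing. Assumes the ExchangeOnlineManagement
# module. GCC High:
#   Connect-IPPSSession -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
Connect-IPPSSession

# Labels: a label that does not encrypt is classification without protection; a label that no
# policy publishes cannot be applied by anyone.
Get-Label | Select-Object DisplayName, Name, EncryptionEnabled, ContentType | Format-Table -AutoSize
Get-LabelPolicy | Select-Object Name, Labels, ExchangeLocation | Format-List

# DLP policies: Mode must be Enable; any Test* mode reports but blocks nothing. A workload
# missing from the location list is uncovered regardless of the rules inside the policy.
$workloads = 'ExchangeLocation', 'SharePointLocation', 'OneDriveLocation', 'TeamsLocation'
Get-DlpCompliancePolicy | ForEach-Object {
    $p = $_
    $missing = $workloads | Where-Object { -not $p.$_ }
    [pscustomobject]@{
        Policy           = $p.Name
        Mode             = $p.Mode
        Enforcing        = ($p.Mode -eq 'Enable')
        MissingWorkloads = ($missing -join ', ')
    }
} | Format-Table -AutoSize

# DLP rules: a policy can be enforcing while every rule inside it only notifies the user.
Get-DlpComplianceRule | Select-Object Name, Policy, Disabled, BlockAccess, NotifyUser, ReportSeverityLevel |
    Format-Table -AutoSize
```

A row with Enforcing False or a non-empty MissingWorkloads column is a finding on its own; a rule with BlockAccess False on a CUI sensitive information type is the quieter one, because the policy dashboard still shows matches.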
Endpoint Security and Device Management
12. Intune Device Compliance Policies
Review Microsoft Intune compliance policies to confirm they enforce disk encryption, OS patch levels, antivirus status, and screen lock requirements on all devices accessing M365 resources. Non-compliant devices should be blocked from accessing CUI environments.
13. Microsoft Defender for Endpoint Configuration
Assess Defender for Endpoint configuration against CMMC and CIS benchmark requirements. Attack surface reduction rules, network protection, and behavioral monitoring settings require explicit hardening beyond default states.
14. Mobile Device Management Scope
Determine whether mobile devices accessing M365 are enrolled in Intune or subject to app protection policies. Unmanaged mobile devices with access to Exchange Online represent a persistent gap in many defense contractor environments.
Email and Collaboration Security
15. Exchange Online Protection Configuration
Evaluate the anti-spam, anti-malware, and anti-spoofing (SPF, DKIM, DMARC) settings in Exchange Online Protection together with the anti-phishing impersonation protection, Safe Links, and Safe Attachments policies that Microsoft Defender for Office 365 layers on top of it. The Standard and Strict preset security policies are a sound baseline, but review them against your organization's threat profile and confirm which users and domains each preset actually covers.
16. Secure Email Transmission Controls
Confirm that email transmission of CUI is encrypted and that transport rules enforce appropriate handling. S/MIME or Microsoft Purview Message Encryption (formerly Office 365 Message Encryption, OME) configurations must align with your CUI handling requirements and with NIST SP 800-171 controls 3.13.8 (cryptographic protection of CUI in transit) and 3.13.11 (FIPS-validated cryptography). Opportunistic TLS between mail servers is not a substitute, since it protects a hop only when the receiving server happens to support it; use mail flow rules or connectors that require TLS, or apply message encryption, for CUI-bearing mail.
17. Teams External Access and Federation
Review Microsoft Teams external access settings. Federation with commercial tenants, anonymous meeting join capabilities, and file sharing permissions in Teams channels must be restricted appropriately for CUI environments.
Audit Logging and Monitoring
18. Unified Audit Log Status
Verify that the Unified Audit Log is enabled and that log retention periods meet your compliance requirements. NIST SP 800-171 control 3.3.1 requires audit records to be created and retained for an organization-defined period; neither it nor CMMC fixes a number of days, so the period written into your System Security Plan is the benchmark. Compare it with what the tenant actually keeps: the default Unified Audit Log retention is 180 days (90 days for records created before October 2023), retention policies of up to one year require Audit (Premium) licensing, and ten-year retention is sold as a separate add-on. If your defined period exceeds what the tenant keeps, the logs must be exported to a system that does.
19. Alert Policy Configuration
Assess whether alert policies are configured to detect high-risk activities including mass file downloads, external sharing of labeled content, impossible travel sign-ins, and privilege escalation events.
20. SIEM Integration
Determine whether M365 audit logs are forwarded to a SIEM or equivalent monitoring platform. Relying solely on the M365 portal for audit review does not meet continuous monitoring requirements under NIST SP 800-171 and CMMC.
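The session below is an added example and not code from the original article. It checks the two settings behind item 18 and then runs the kind of query an alert policy or SIEM rule from item 19 should be producing unattended. It assumes the ExchangeOnlineManagement module; the one-day window, the 100-download threshold, and the choice of sharing operations are this example's own starting values.

```powershell
# Added example (not code from the original article): confirm Unified Audit Log ingestion and
# retention, then run two queries of the kind an alert policy or SIEM rule should be producing
# on its own. Assumes the ExchangeOnlineManagement module. GCC High:
#   Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
#   Connect-IPPSSession -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
Connect-ExchangeOnline

# Ingestion must be on, or nothing below returns a record.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is OFF. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# Retention policies live in Security & Compliance PowerShell. No policies means every record
# falls back to the tenant default retention period.
Connect-IPPSSession
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, RecordTypes, Priority

$end   = Get-Date
$start = $end.AddDays(-1)

# Query 1: mass download. Group FileDownloaded events by user and flag anyone over 100 in a day.
$downloads = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations FileDownloaded -ResultSize 5000
$downloads | Group-Object UserIds | Where-Object { $_.Count -gt 100 } |
    Select-Object @{n='User'; e={ $_.Name }}, Count

# Query 2: sharing events. The useful fields are inside the AuditData JSON payload, so parse it.
$sharing = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations AnonymousLinkCreated, SharingInvitationCreated, AddedToSecureLink -ResultSize 5000
$sharing | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5,000 records per call; larger windows need -SessionCommand ReturnLargeSet with a -SessionId and paging. For the SIEM feed in item 20, schedule nothing like this: use the Office 365 Management Activity API or the Microsoft Sentinel connector, which pull the same records continuously.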
SharePoint and OneDrive Controls
21. External Sharing Policies
Review tenant-level and site-level external sharing settings. Many organizations inadvertently allow anonymous link sharing at the site or library level even when tenant-level policies appear restrictive.
22. Site Access Reviews and Permissions
Evaluate whether SharePoint site access is periodically reviewed and whether least-privilege principles are enforced. Over-permissioned sites are among the most common findings in Microsoft 365 compliance assessments at defense contractors.
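As an added example that is not part of the original article, the SharePoint Online Management Shell session below surfaces the tenant-versus-site mismatch described in item 21. It assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder tenant name, and the ranking of sharing levels is this example's own ordering of Microsoft's SharingCapability values.

```powershell
# Added example (not code from the original article): compare tenant-level and site-level
# external sharing settings. Assumes the Microsoft.Online.SharePoint.PowerShell module.
# "contoso" is a placeholder; the admin URL ends in .sharepoint.com for Commercial and GCC
# and in .sharepoint.us for GCC High.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Tenant-level posture. SharingCapability values from most to least restrictive:
# Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly, ExternalUserAndGuestSharing
# ("guest" here means anonymous "Anyone" links, not Entra B2B guests).
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList, PreventExternalUsersFromResharing

# Site-level settings, which is where the surprises live. A site may be more restrictive than the
# tenant but never less, so a tenant set to ExternalUserAndGuestSharing lets individual sites keep
# anonymous links even though the tenant-level screen looks deliberate.
$rank  = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1; ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
$sites = Get-SPOSite -Limit All | Where-Object { "$($_.SharingCapability)" -ne 'Disabled' }
$sites | Sort-Object { $rank["$($_.SharingCapability)"] } -Descending |
    Select-Object Url, Template, SharingCapability |
    Format-Table -AutoSize

# Sites that permit anonymous links are the ones to reconcile against the CUI boundary first.
$anon = @($sites | Where-Object { "$($_.SharingCapability)" -eq 'ExternalUserAndGuestSharing' })
"Sites allowing anonymous links: $($anon.Count)"
```

Get-SPOSite omits OneDrive sites unless you pass -IncludePersonalSite $true, so run it both ways. Any site inside the CUI boundary that appears in the list is a candidate for Set-SPOSite -Identity <url> -SharingCapability Disabled, after confirming with the site owner that no contractual sharing depends on it.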
Security Baselines and Configuration Management
23. Microsoft Secure Score Benchmarking
Review your Microsoft Secure Score against peer benchmarks and compliance targets. While Secure Score is not a compliance certification, a low score often signals configuration gaps that directly map to NIST SP 800-171 control failures.
24. Security Defaults and Legacy Protocol Blocking
Confirm that legacy authentication protocols such as Basic Authentication for Exchange Online are fully disabled. Microsoft turned Basic Authentication off for Exchange Web Services, POP, IMAP, Remote PowerShell, and Exchange ActiveSync across all tenants during 2022 and 2023, but SMTP AUTH was left out of that change and can still be enabled per mailbox, which is where the service accounts, multifunction printers, and third-party integrations that rely on legacy authentication pathways usually survive. Note also that Security Defaults and Conditional Access are mutually exclusive: a tenant that has moved to Conditional Access must block legacy authentication explicitly with a policy, because Security Defaults is no longer doing it.
25. Configuration Drift Monitoring
Assess whether your organization has a process for detecting and remediating configuration drift in M365. Security configurations that are set correctly at one point in time will drift without active monitoring and change management controls.
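The following added example, which is not code from the original article, covers the Exchange Online side of item 24: whether the service still accepts Basic Authentication anywhere, and which accounts are still using legacy protocols, so the service accounts and integrations are identified before the block is tightened. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the sign-in log query needs an Entra ID P1 license and the seven-day window is this example's choice.

```powershell
# Added example (not code from the original article): check whether Exchange Online itself still
# accepts Basic Authentication, then find the accounts still using legacy protocols.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules; sign-in log queries need
# Entra ID P1 and the AuditLog.Read.All scope. GCC High:
#   Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
#   Connect-MgGraph -Environment USGov
Connect-ExchangeOnline

# Tenant default authentication policy (blank means no policy is applied by default) and what
# each defined policy still allows.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop,
    AllowBasicAuthActiveSync, AllowBasicAuthWebServices, AllowBasicAuthPowershell -AutoSize

# SMTP AUTH is the protocol Microsoft did not switch off for everyone. The tenant-wide switch
# should be True; a mailbox with an explicit False has re-enabled it for itself.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Who used a legacy protocol in the last 7 days? These clientAppUsed values are the ones the
# sign-in log files under "legacy authentication clients". The property supports only eq in a
# filter, so query one protocol at a time.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$start = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacyClients = 'Authenticated SMTP', 'IMAP4', 'POP3', 'Exchange ActiveSync', 'Other clients'
foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $start and clientAppUsed eq '$client'" |
        Group-Object UserPrincipalName, AppDisplayName |
        Select-Object @{n='Client'; e={ $client }}, @{n='User, App'; e={ $_.Name }}, Count
}
```

Every row in the last table is either an integration that needs an OAuth-capable replacement or a credential that should be disabled; run it again after the Conditional Access block is enabled to confirm the list is empty rather than assuming it.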
Incident Response and Recovery Capabilities
26. Incident Response Plan Coverage for M365
Verify that your incident response plan explicitly addresses M365-based incidents including account compromise, data exfiltration via SharePoint or Teams, and ransomware propagation through OneDrive sync.
27. Backup and Recovery Architecture
Microsoft's shared responsibility model does not guarantee point-in-time recovery of deleted or corrupted data beyond limited native retention. Assess whether your backup architecture meets RTO and RPO requirements for CUI systems.
Compliance Documentation and Governance
28. System Security Plan Accuracy for M365 Components
Evaluate whether your System Security Plan accurately describes M365 as a system component, including how each NIST SP 800-171 control is satisfied, inherited, or planned within the M365 environment. Inaccurate SSPs are a primary cause of CMMC assessment failures.
29. Third-Party App and Integration Review
Inventory all third-party applications with OAuth permissions to your M365 tenant, including apps that individual users consented to on their own. Applications with excessive permissions to read mail, access files, or manage users represent a significant attack surface and compliance risk in regulated environments. Application (app-only) permissions deserve the closest look: they run with no signed-in user and are not touched by the user-focused Conditional Access policies in item 6. Restricting user consent to verified publishers and low-impact permissions, with an admin consent workflow for everything else, stops new unreviewed grants from appearing between assessments.
30. Supply Chain and Subcontractor Access Controls
Assess how subcontractors and vendors access your M365 environment. Guest accounts, shared mailboxes, and delegated access arrangements used by supply chain partners must be governed by the same controls applied to your internal workforce. Our CMMC, CUI, and DFARS compliance services include supply chain access review as a standard deliverable.
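The inventory that item 29 calls for, as an added example that is not part of the original article: the Microsoft Graph PowerShell session below lists every permission held by non-Microsoft applications, split into application (app-only) permissions and delegated OAuth2 grants, and flags the high-impact ones. It assumes the Microsoft.Graph module; the high-risk scope list is this example's own starting point rather than a Microsoft list, and the Microsoft first-party publisher tenant id is the documented well-known value.

```powershell
# Added example (not code from the original article): inventory the permissions held by
# non-Microsoft applications, split into application (app-only) permissions and delegated
# OAuth2 grants, and flag the high-impact ones. Assumes the Microsoft.Graph module.
# The $highRisk list is a starting point for review, not a Microsoft-published list.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$highRisk = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Mail.ReadBasic.All',
            'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All',
            'User.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
            'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'full_access_as_app', 'EWS.AccessAsUser.All'

# Well-known tenant id under which Microsoft publishes its own first-party applications.
$microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

$allSps = Get-MgServicePrincipal -All
$byId   = @{}
foreach ($sp in $allSps) { $byId[$sp.Id] = $sp }
$thirdParty = @($allSps | Where-Object { $_.AppOwnerOrganizationId -ne $microsoftTenant -and $_.ServicePrincipalType -eq 'Application' })

$rows = [System.Collections.Generic.List[object]]::new()

# Application permissions: app roles granted to the service principal itself. These run with no
# user present, so an administrator consented to every one of them at some point.
foreach ($sp in $thirdParty) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = $byId[$a.ResourceId]
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        $rows.Add([pscustomobject]@{
            App = $sp.DisplayName; AppId = $sp.AppId; Type = 'Application'
            Resource = $resource.DisplayName; Permission = $role.Value; Consent = 'Admin'
        })
    }
}

# Delegated permissions: OAuth2 grants. ConsentType AllPrincipals is tenant-wide admin consent;
# Principal is one user's own consent, which is how unreviewed apps usually arrive.
foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $client = $byId[$g.ClientId]
    if (-not $client -or $client.AppOwnerOrganizationId -eq $microsoftTenant) { continue }
    $resource = $byId[$g.ResourceId]
    $consent  = if ($g.ConsentType -eq 'AllPrincipals') { 'Admin (all users)' } else { "User $($g.PrincipalId)" }
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        $rows.Add([pscustomobject]@{
            App = $client.DisplayName; AppId = $client.AppId; Type = 'Delegated'
            Resource = $resource.DisplayName; Permission = $scope; Consent = $consent
        })
    }
}

"Third-party apps: $($thirdParty.Count)   permission rows: $($rows.Count)"
$rows | Where-Object { $highRisk -contains $_.Permission } |
    Sort-Object Type, App | Format-Table App, Type, Resource, Permission, Consent -AutoSize
```

Keep the full $rows output as the inventory artifact for the SSP and review the flagged subset with the business owner of each app; an Application-type row for Mail.ReadWrite or Sites.FullControl.All is a tenant-wide standing grant and should be justified in writing or removed.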
Mapping Your Findings to a Remediation Roadmap
Working through these 30 areas will surface a range of findings — from quick-win configuration changes to longer-term architectural decisions involving migration to GCC High or significant policy development efforts. The critical next step is prioritization. Map each finding to its corresponding NIST SP 800-171 control, assign a risk rating, and build a remediation timeline that is defensible under CMMC scrutiny.
Organizations that treat a Microsoft 365 compliance assessment as a one-time exercise rather than an ongoing program tend to accumulate configuration drift and undocumented changes that create audit exposure over time. Our IT compliance services team works with defense contractors to establish continuous monitoring programs that keep M365 environments aligned with evolving regulatory requirements.
Take the Next Step Toward a Compliant M365 Environment
If your organization handles CUI, ITAR-controlled data, or works under DFARS-covered contracts, the configuration of your Microsoft 365 environment directly affects your contract eligibility and regulatory standing. Cleared Systems conducts structured Microsoft 365 compliance assessments for defense contractors, federal agencies, and regulated industries — delivering actionable findings mapped to CMMC, NIST SP 800-171, and DFARS requirements. Request a quote to discuss your assessment scope, or review our engagement models to find the right fit for your organization's size and compliance maturity.
