Microsoft 365 Security Assessment Findings: The 10 Most Common Gaps in Defense Contractor Environments

What We See Every Time We Run a Microsoft 365 Security Assessment

After conducting hundreds of Microsoft 365 security assessments inside defense contractor environments, the same gaps appear with remarkable consistency. Some are configuration oversights. Some are architectural decisions made years ago that no longer meet current requirements. Others are gaps that emerged when remote work expanded environments faster than security policies could keep pace.

What makes these findings particularly significant is the regulatory weight behind them. Defense contractors handling Controlled Unclassified Information (CUI) are subject to DFARS 252.204-7012, NIST SP 800-171, and increasingly, CMMC Level 2 certification requirements. Microsoft 365 is often the center of gravity for how CUI moves through an organization. A misconfigured tenant is not a minor IT problem. It is a compliance liability that can affect contract eligibility.

This post summarizes the ten most common gaps we find, what they mean in practice, and what you need to do about them.

Gap 1: Wrong Tenant Type for CUI Workloads

This is the most consequential finding we encounter, and it is far more common than it should be. Many defense contractors are processing CUI inside a commercial Microsoft 365 tenant when the work requires GCC High. Commercial tenants do not meet the data residency, personnel vetting, or compliance boundary requirements for CUI under DFARS and CMMC.

If your organization handles technical data, contract deliverables, or any information marked as CUI and you are operating in commercial M365, you have a foundational compliance gap. Understanding which tenant type is required for CUI in Microsoft 365 is the starting point for every assessment we conduct.

Gap 2: Multi-Factor Authentication Not Enforced Across All Users

MFA is a baseline requirement under NIST SP 800-171 control 3.5.3 and maps directly to multiple CMMC Level 2 practices. Despite this, we routinely find environments where MFA is enabled for most users but not all. Service accounts, shared mailboxes, legacy authentication protocols, and recently onboarded users are the most common exceptions.

Partial MFA enforcement is not the same as compliant MFA enforcement. Every account with access to systems that store or process CUI must be covered without exception.

Gap 3: Conditional Access Policies Are Absent or Incomplete

Conditional Access is Microsoft's primary mechanism for enforcing Zero Trust access controls. We frequently find environments where Conditional Access policies either do not exist or were configured years ago and never updated. Common deficiencies include no device compliance requirements, no location-based restrictions, and no controls on legacy authentication protocols that bypass MFA entirely.

A Microsoft 365 security assessment that does not evaluate Conditional Access policy coverage is incomplete. This is a critical control layer for any contractor managing CUI.
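The following script, added here as an illustration and not part of the original post or Cleared Systems' tooling, turns the two preceding findings (partial MFA enforcement and missing or stale Conditional Access policies) into a checklist you can run against a tenant. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to Policy.Read.All; the function name and the policy-selection logic are this example's own, not a Microsoft API.

```powershell
# Added example (not from the original post): summarize Conditional Access coverage
# for the MFA and legacy-authentication findings above.
# Assumes the Microsoft Graph PowerShell SDK and an account that can consent to
# Policy.Read.All. Function name and selection logic are this example's own.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

function Get-CaCoverageReport {
    $policies = Get-MgIdentityConditionalAccessPolicy -All

    # Only enabled policies enforce anything; report-only and disabled do not count.
    $enforced = $policies | Where-Object { $_.State -eq 'enabled' }

    # A policy covers "all users" only if it targets All. Its exclusion lists are
    # where partial MFA hides, so they are surfaced rather than ignored.
    $mfaAllUsers = $enforced | Where-Object {
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }

    # Legacy protocols (POP/IMAP/SMTP AUTH, ActiveSync) map to the 'other' and
    # 'exchangeActiveSync' client app types. They cannot complete MFA, so the
    # expected grant control for them is 'block'.
    $legacyBlock = $enforced | Where-Object {
        ($_.Conditions.ClientAppTypes -contains 'other' -or
         $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
        $_.GrantControls.BuiltInControls -contains 'block'
    }

    [pscustomobject]@{
        TotalPolicies        = @($policies).Count
        EnabledPolicies      = @($enforced).Count
        ReportOnlyPolicies   = @($policies | Where-Object State -eq 'enabledForReportingButNotEnforced').Count
        MfaForAllUsersPolicy = ($mfaAllUsers | ForEach-Object DisplayName) -join '; '
        # Exclusions come back as directory object IDs; resolve them before reporting.
        MfaPolicyExclusions  = ($mfaAllUsers | ForEach-Object {
            @($_.Conditions.Users.ExcludeUsers) + @($_.Conditions.Users.ExcludeGroups) }) -join '; '
        LegacyAuthBlocked    = [bool]$legacyBlock
        LegacyAuthPolicy     = ($legacyBlock | ForEach-Object DisplayName) -join '; '
    }
}

Get-CaCoverageReport | Format-List
```

An empty MfaForAllUsersPolicy field, a non-empty exclusion list, or LegacyAuthBlocked reporting False each corresponds to one of the deficiencies described above. The exclusion IDs are worth resolving one by one: a single emergency-access account is expected, a list of service accounts and shared mailboxes is the finding.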

Gap 4: Data Loss Prevention Policies Are Not Configured for CUI

Microsoft Purview includes powerful Data Loss Prevention capabilities, but they require deliberate configuration. Most organizations we assess have DLP policies in a default or minimally configured state that does not account for CUI categories, ITAR-controlled technical data, or contractor-specific data classification requirements.

Without properly scoped DLP policies, CUI can be emailed externally, uploaded to personal cloud storage, or shared through Teams with unauthorized recipients without any technical control triggering an alert or block. Our post on understanding Data Loss Prevention covers the foundational concepts, and proper DLP configuration should be a deliverable of any serious security assessment.

Gap 5: Sensitivity Labels Are Not Applied or Enforced

Microsoft Information Protection sensitivity labels are the mechanism by which CUI and ITAR-controlled data gets identified, marked, and protected at the file level. We see three failure modes consistently: labels have not been created, labels exist but are not enforced through policy, or labels were deployed but employees are not trained to use them correctly.

For contractors subject to CUI marking requirements, unenforced labeling is a direct compliance gap. Labels must be configured to apply encryption, access restrictions, and visual markings aligned to the CUI registry categories your organization handles. Properly classifying and protecting CUI with Azure Information Protection requires intentional architecture, not default settings.
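To make the DLP and sensitivity-label findings above concrete, here is an added inventory script (this example's own, not code from the original post or from Cleared Systems). It assumes the ExchangeOnlineManagement module and an account with Compliance Administrator rights. The DLP property names (Mode, Workload, ContentContainsSensitiveInformation) are standard Purview cmdlet output; the assumption that Get-LabelPolicy lists published labels by name or GUID, and the label property names taken from the Set-Label parameter set, should be verified against your tenant's output.

```powershell
# Added example (not from the original post): inventory Purview DLP policies and
# sensitivity labels so a "default or minimally configured" state shows up as data.
# Assumes the ExchangeOnlineManagement module and Compliance Administrator rights.
# Function names are this example's own.
Connect-IPPSSession

function Get-DlpPostureReport {
    # Mode says whether a policy does anything: 'Enable' enforces, the Test*
    # modes only simulate, 'Disable' is inert.
    foreach ($p in Get-DlpCompliancePolicy) {
        $rules = @(Get-DlpComplianceRule -Policy $p.Name)
        [pscustomobject]@{
            Policy    = $p.Name
            Mode      = $p.Mode
            Workloads = $p.Workload
            Rules     = $rules.Count
            # A rule with no sensitive-information condition usually means the
            # policy came from a template and was never scoped to CUI/ITAR content.
            RulesWithoutSitCondition = @($rules | Where-Object {
                -not $_.ContentContainsSensitiveInformation }).Count
        }
    }
}

function Get-LabelPostureReport {
    # A label protects nothing until a label policy publishes it, and it only
    # protects CUI if encryption or marking is switched on for that label.
    # Assumption: the Labels field of a label policy holds label names or GUIDs.
    $published = @(Get-LabelPolicy | ForEach-Object { $_.Labels }) | Sort-Object -Unique
    foreach ($l in Get-Label) {
        [pscustomobject]@{
            Label             = $l.DisplayName
            Published         = ($published -contains $l.Name) -or ($published -contains $l.Guid)
            EncryptionEnabled = [bool]$l.EncryptionEnabled
            ContentMarking    = [bool]($l.ApplyContentMarkingHeaderEnabled -or
                                       $l.ApplyContentMarkingFooterEnabled -or
                                       $l.ApplyWaterMarkingEnabled)
        }
    }
}

Get-DlpPostureReport   | Format-Table -AutoSize
Get-LabelPostureReport | Format-Table -AutoSize
```

Read the two tables together: a DLP policy in Test mode with rules that have no sensitive-information condition, next to labels that are unpublished or carry no encryption, is the combination of Gaps 4 and 5 that lets CUI leave the tenant unmarked and unblocked.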

Gap 6: Audit Logging Is Incomplete or Not Retained Long Enough

NIST SP 800-171 requires audit logging of a defined set of events, and CMMC assessors will ask to see log coverage and retention records. In Microsoft 365, unified audit logging must be explicitly enabled and configured. We routinely find environments where audit logging is either partially enabled, missing coverage for key workloads like SharePoint or Teams, or where logs are retained for only 90 days against a requirement of one year or more.

This gap is particularly problematic during incident response. If you cannot produce audit logs demonstrating who accessed CUI and when, you cannot meet your reporting obligations under DFARS 252.204-7012.
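The audit-logging check an assessor would want to see, written here as an added example rather than code from the original post or from Cleared Systems: it confirms ingestion is on, samples a week of records per workload to catch the SharePoint and Teams coverage gap described above, and lists whatever retention policies exist. It assumes the ExchangeOnlineManagement module and an account with audit-log read rights; the record type names are Microsoft's AuditLogRecordType values, and the function name is this example's own.

```powershell
# Added example (not from the original post): verify unified audit logging is on,
# that key workloads actually produce records, and what retention is configured.
# Assumes the ExchangeOnlineManagement module and audit-log read rights.
# Function name is this example's own.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession   # audit log retention policies live in the compliance endpoint

function Test-UnifiedAuditLog {
    # If ingestion is off, nothing below will return records regardless of
    # per-workload settings.
    $ingestion = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # Sample a short window per workload. Zero SharePoint or Teams records over a
    # business week is not proof of silence, but it is the coverage flag to chase.
    $end   = Get-Date
    $start = $end.AddDays(-7)
    $workloads = [ordered]@{
        'Exchange'         = 'ExchangeItem'
        'SharePoint'       = 'SharePointFileOperation'
        'Teams'            = 'MicrosoftTeams'
        'Entra ID sign-in' = 'AzureActiveDirectoryStsLogon'
    }
    $coverage = foreach ($w in $workloads.GetEnumerator()) {
        $hits = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $w.Value -ResultSize 1000
        [pscustomobject]@{
            Workload         = $w.Key
            RecordType       = $w.Value
            RecordsLast7Days = @($hits).Count
        }
    }

    # The default retention window is short (the post cites 90 days); a one-year
    # window has to be set explicitly through an audit log retention policy.
    $retention = Get-UnifiedAuditLogRetentionPolicy |
        Select-Object Name, RecordTypes, RetentionDuration, Priority

    [pscustomobject]@{
        IngestionEnabled  = $ingestion
        WorkloadCoverage  = $coverage
        RetentionPolicies = $retention
    }
}

$r = Test-UnifiedAuditLog
"Unified audit log ingestion enabled: $($r.IngestionEnabled)"
$r.WorkloadCoverage  | Format-Table -AutoSize
$r.RetentionPolicies | Format-Table -AutoSize
```

An empty RetentionPolicies table means the tenant is running on the default window, which is exactly the one-year shortfall described above. Keep the output with your SSP evidence; it is the same artifact a CMMC assessor will ask for.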

Gap 7: External Sharing in SharePoint and OneDrive Is Not Restricted

SharePoint Online and OneDrive for Business default sharing settings are designed for collaboration, not for CUI protection. We find external sharing enabled at the tenant level, site level, or both in the majority of environments we assess. This allows CUI to be shared with anyone who receives a link, including foreign nationals and competitors.

External sharing controls must be scoped to the minimum necessary, enforced through Conditional Access and DLP policies, and verified through regular configuration audits. This is a control area that our CMMC, CUI, and DFARS compliance services address in detail during every engagement.
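As an added example (this example's own, not code from the original post or from Cleared Systems), the script below reports the tenant-level and site-level sharing settings the finding above refers to, covering OneDrive personal sites as well. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator account, and a placeholder tenant name you replace with your own.

```powershell
# Added example (not from the original post): report external sharing at tenant and
# site level in SharePoint Online and OneDrive.
# Assumes Microsoft.Online.SharePoint.PowerShell and SharePoint Administrator rights.
# Function name and the tenant placeholder are this example's own.
$tenant = 'TENANT-NAME-PLACEHOLDER'   # the part before .sharepoint.com
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

function Get-ExternalSharingReport {
    $t = Get-SPOTenant

    # The tenant setting is the ceiling: a site can be more restrictive than the
    # tenant but never more permissive. 'Disabled' is the only value that rules
    # out anonymous and guest access outright.
    $tenantLevel = [pscustomobject]@{
        TenantSharing           = $t.SharingCapability
        OneDriveSharing         = $t.OneDriveSharingCapability
        DefaultLinkType         = $t.DefaultSharingLinkType
        AnonymousLinkExpiryDays = $t.RequireAnonymousLinksExpireInDays
        AllowedDomains          = $t.SharingAllowedDomainList
    }

    # Site level: every site still permitting external users is a place CUI can
    # leave by link. -IncludePersonalSite pulls OneDrive sites into the list.
    $openSites = Get-SPOSite -Limit All -IncludePersonalSite $true |
        Where-Object { $_.SharingCapability -ne 'Disabled' } |
        Select-Object Url, Template, SharingCapability, SensitivityLabel

    [pscustomobject]@{
        Tenant                       = $tenantLevel
        SitesAllowingExternalSharing = @($openSites)
    }
}

$report = Get-ExternalSharingReport
$report.Tenant | Format-List
"Sites still allowing external sharing: $($report.SitesAllowingExternalSharing.Count)"
$report.SitesAllowingExternalSharing | Format-Table -AutoSize
```

The SensitivityLabel column is the useful cross-check: a site labeled for CUI that still reports ExternalUserAndGuestSharing is the tenant-level/site-level mismatch this finding describes.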

Gap 8: Endpoint Management Through Intune Is Not Enforced

Microsoft Intune provides device compliance policy enforcement, but it only works if devices are enrolled and policies are actively applied. We see three common failure patterns: personal devices accessing M365 with no compliance policy, enrolled devices with compliance policies that are not set to block noncompliant access, and gaps in coverage for Linux or macOS endpoints used in engineering environments.

CMMC Level 2 requires that endpoint security controls be documented and demonstrably enforced. Intune enrollment alone is not sufficient. The compliance policies must be linked to Conditional Access rules that block access when a device falls out of compliance.
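The following added example (this example's own, not code from the original post or from Cleared Systems) addresses the three Intune failure patterns above: it groups managed devices by platform and compliance state, so an absent macOS or Linux row stands out, and then checks whether any enabled Conditional Access policy actually carries the compliant-device grant control. It assumes the Microsoft Graph PowerShell SDK with DeviceManagementManagedDevices.Read.All and Policy.Read.All; the function name is this example's own.

```powershell
# Added example (not from the original post): inventory Intune-managed devices by
# platform and compliance state, then confirm Conditional Access enforces compliance.
# Assumes the Microsoft Graph PowerShell SDK with the two scopes below.
# Function name is this example's own.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","Policy.Read.All" -NoWelcome

function Get-DeviceComplianceReport {
    $devices = Get-MgDeviceManagementManagedDevice -All

    # Group by OS so that unenrolled engineering platforms show up as an absence:
    # an OS you know is in use with zero managed devices is a coverage gap.
    $byPlatform = $devices | Group-Object OperatingSystem | ForEach-Object {
        [pscustomobject]@{
            OperatingSystem = $_.Name
            Managed         = $_.Count
            Compliant       = @($_.Group | Where-Object ComplianceState -eq 'compliant').Count
            NonCompliant    = @($_.Group | Where-Object ComplianceState -eq 'noncompliant').Count
            # unknown, conflict, error, inGracePeriod all land here
            Other           = @($_.Group | Where-Object {
                $_.ComplianceState -notin 'compliant','noncompliant' }).Count
        }
    }

    # Enrollment without enforcement: unless an enabled CA policy requires
    # 'compliantDevice', a noncompliant device is still let in.
    $caRequiresCompliance = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' -and
                       $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
        Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        Platforms                          = $byPlatform
        CaPoliciesRequiringCompliantDevice = @($caRequiresCompliance)
    }
}

$r = Get-DeviceComplianceReport
$r.Platforms | Format-Table -AutoSize
"CA policies requiring a compliant device: $($r.CaPoliciesRequiringCompliantDevice -join '; ')"
```

If the last line prints nothing, Intune is collecting compliance state but nothing acts on it, which is the second failure pattern above. Compare the platform table against your asset inventory rather than reading it on its own; the devices that never enrolled are the ones it cannot show.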

Gap 9: Privileged Access Is Not Segmented or Monitored

Global administrator accounts are treated as standard working accounts in a surprising number of defense contractor environments. We find Global Admins using their privileged accounts for day-to-day email and file access, no Privileged Identity Management (PIM) configured for just-in-time access, and no separation between administrative roles and end-user roles.

Privileged access abuse is one of the most common paths adversaries use to escalate access inside contractor environments. This finding consistently appears in our assessments and is directly addressed under the CMMC Identification and Authentication and Access Control domains. Working with a Regulatory vCISO can help organizations establish and maintain the governance structures needed to close this gap sustainably.
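Here is an added example (this example's own, not code from the original post or from Cleared Systems) that lists who holds Global Administrator permanently versus through PIM eligibility and flags admin accounts that also carry a mailbox, the "day-to-day email from a privileged account" pattern above. It assumes the Microsoft Graph PowerShell SDK with RoleManagement.Read.Directory and User.Read.All, plus the ExchangeOnlineManagement module for the mailbox check. The Global Administrator role template ID used below is Microsoft's fixed, published value; the function name is this example's own.

```powershell
# Added example (not from the original post): report permanent vs. PIM-eligible
# Global Administrators and whether each admin account doubles as a mailbox user.
# Assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules.
# Function name is this example's own.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Microsoft's fixed template ID for the Global Administrator role.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminReport {
    # Permanent (active) assignments: the accounts the post describes being used
    # for day-to-day work. PIM-eligible accounts must activate just-in-time.
    $filter   = "roleDefinitionId eq '$GlobalAdminTemplateId'"
    $active   = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All

    $principals = @($active   | ForEach-Object { [pscustomobject]@{ Id = $_.PrincipalId; Type = 'Permanent' } }) +
                  @($eligible | ForEach-Object { [pscustomobject]@{ Id = $_.PrincipalId; Type = 'PIM-eligible' } })

    foreach ($p in $principals) {
        # Groups and service principals can hold the role too; the user lookup
        # fails for those, so they are reported by object ID only.
        $user = Get-MgUser -UserId $p.Id -Property UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
        $upn  = if ($user) { $user.UserPrincipalName } else { "(non-user principal $($p.Id))" }

        # A mailbox on an admin account is the tell-tale sign of an admin used as
        # a working account. Dedicated admin accounts should have none.
        $hasMailbox = $false
        if ($user) {
            $hasMailbox = [bool](Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            Principal  = $upn
            Assignment = $p.Type
            Enabled    = if ($user) { $user.AccountEnabled } else { $null }
            HasMailbox = $hasMailbox
        }
    }
}

$admins = @(Get-GlobalAdminReport)
$admins | Format-Table -AutoSize
"Permanent Global Admins: $(@($admins | Where-Object Assignment -eq 'Permanent').Count)"
"Admins with a mailbox:   $(@($admins | Where-Object HasMailbox).Count)"
```

A healthy tenant shows a handful of PIM-eligible rows, permanent assignments limited to emergency-access accounts, and no admin rows with HasMailbox set to True. Anything else is the segmentation finding described above, and the table is the evidence for it.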

Gap 10: No Formal Configuration Baseline or Change Management Process

The most technically capable Microsoft 365 environments we assess still fail on this point: there is no documented configuration baseline and no process for detecting or approving changes to that baseline. Security settings drift over time. New features are enabled without security review. Third-party app integrations are approved without evaluating their data access permissions.

CMMC assessors will ask for your System Security Plan and evidence that your configuration is maintained and monitored. Without a documented baseline, you cannot demonstrate control. Our blog post on SSP and POA&M as critical components of a strong security program outlines why this documentation layer matters as much as the technical controls themselves.
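The smallest workable version of a configuration baseline is a flat table of named settings stored with the SSP and diffed against the live tenant on a schedule. The following added example (this example's own, not code from the original post or from Cleared Systems) shows that pattern. The collector function assumes you have already connected with the Graph and SharePoint Online modules; the comparison itself runs offline and is demonstrated against constructed sample data, so the policy names and values shown are illustrative, not a recommended baseline.

```powershell
# Added example (not from the original post): a minimal configuration-baseline check.
# Capture settings as a flat name/value table, keep the approved copy with the SSP,
# and diff the live tenant against it. Function names are this example's own.

function Get-M365BaselineSnapshot {
    # Live collection. Assumes Connect-MgGraph (Policy.Read.All) and
    # Connect-SPOService have already been run. Extend this table with every
    # setting your SSP commits to.
    $ca  = Get-MgIdentityConditionalAccessPolicy -All
    $spo = Get-SPOTenant
    [ordered]@{
        'ConditionalAccess.EnabledPolicyNames' = (@($ca | Where-Object State -eq 'enabled').DisplayName | Sort-Object) -join '|'
        'SharePoint.SharingCapability'         = [string]$spo.SharingCapability
        'SharePoint.DefaultSharingLinkType'    = [string]$spo.DefaultSharingLinkType
    }
}

function Compare-M365Baseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Current
    )
    # Keys from both tables are examined, so a setting that disappeared from the
    # tenant (or was never captured) is reported rather than silently skipped.
    $keys = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        $b = $Baseline[$k]; $c = $Current[$k]
        if ($b -ne $c) {
            [pscustomobject]@{ Setting = $k; Baseline = $b; Current = $c }
        }
    }
}

# Constructed sample data: an approved baseline and a tenant that has drifted.
$approved = [ordered]@{
    'ConditionalAccess.EnabledPolicyNames' = 'Block legacy auth|Require MFA all users|Require compliant device'
    'SharePoint.SharingCapability'         = 'Disabled'
    'SharePoint.DefaultSharingLinkType'    = 'Direct'
}
$drifted = [ordered]@{
    'ConditionalAccess.EnabledPolicyNames' = 'Block legacy auth|Require MFA all users'   # device policy switched off
    'SharePoint.SharingCapability'         = 'ExternalUserSharingOnly'                  # guest sharing re-enabled
    'SharePoint.DefaultSharingLinkType'    = 'Direct'
}

$drift = @(Compare-M365Baseline -Baseline $approved -Current $drifted)
if ($drift.Count -gt 0) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }

# In production, persist the approved snapshot beside the SSP and run on a schedule:
#   Compare-M365Baseline -Baseline (Import-Clixml .\baseline.xml) -Current (Get-M365BaselineSnapshot)
```

Against the sample data the comparison reports two drifted settings: the compliant-device policy that is no longer enabled and the sharing capability that changed from Disabled. Each row is a change that either went through your change-management process, in which case the baseline file should have been updated, or did not, in which case it is the finding.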

How These Gaps Compound Each Other

Each of these findings is significant on its own. In combination, they create environments where CUI protection is effectively unenforceable. A contractor operating in a commercial tenant with incomplete MFA, no DLP policies, and unmanaged endpoints has not implemented meaningful CUI protection regardless of what their policies say on paper.

Defense contractors serving the federal and defense industrial base cannot afford to treat Microsoft 365 as a commodity productivity tool. It is the technical backbone of CUI handling for most organizations, and it must be configured to that standard.

What a Proper Microsoft 365 Security Assessment Covers

A thorough assessment evaluates tenant configuration, identity and access management, data protection controls, device compliance, audit and logging, external collaboration settings, administrative access hygiene, and change management processes. It produces a prioritized findings report tied to NIST SP 800-171 control families and CMMC practices, along with a remediation roadmap your team can execute.

Our IT Compliance Services include Microsoft 365 security assessments structured specifically for defense contractor environments, with findings documented in a format that supports your System Security Plan and CMMC audit preparation. If your organization is preparing for a C3PAO assessment or responding to DFARS audit inquiries, understanding exactly where your M365 environment stands is not optional.

Take the Next Step

If your organization has not had a formal Microsoft 365 security assessment conducted against NIST SP 800-171 and CMMC requirements, now is the time to act. The gaps described in this post are not hypothetical. They appear in most environments we assess, and they are the exact findings that create problems during CMMC audits, DCSA reviews, and DoD contract renewals. Contact Cleared Systems today to request a quote for a Microsoft 365 security assessment tailored to your compliance obligations and contract profile.
