Microsoft and the Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a United States Department of Defense (DoD) unified standard for implementing cybersecurity. It establishes three certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information. This standard helps enhance the protection of unclassified information within the supply chain to strengthen the security and resiliency of the Defense Industrial Base (DIB) sector from cyberattacks.

The CMMC standard and certification apply to all customers and prospects in the entire DIB supply chain of commercial contractors. The DoD makes the CMMC standard and certification a contractual requirement and condition for award.

If your organization is working with the Department of Defense, you need to get certified. Discover how Microsoft provides a trusted and comprehensive platform to help your organizations support CMMC certification efforts from Level 1 to Level 3.

Microsoft platforms and services provide integration, security, and clouds built for compliance and innovation:

  • Trusted cloud platform: More than 100 compliance offerings across global and U.S. government clouds, including FedRAMP High–authorized services.
  • Broad compliance capabilities: AI-powered solutions across cloud, business applications, and productivity, combined with world-class security and seamless scalability.
  • Integrated security controls: Integrated security and compliance capabilities across apps, endpoints, identity, data, and cloud.

For more information, see the Microsoft Product Placemat for CMMC.

Microsoft services

Important

CMMC compliance depends on customer configuration, implementation, and operational controls, as well as the use of qualified assessors and partners. Microsoft cloud services provide capabilities that can help support these requirements. Availability and compliance support vary by service, region, and configuration. Refer to official service descriptions for details.

Microsoft 365

  • Microsoft 365 for Enterprise: Get the power of a secure, comprehensive, AI-powered cloud solution to run your business. Supports organizations in meeting CMMC Level 1 requirements and FedRAMP High for some services.
  • Microsoft 365 GCC: Achieve compliance with FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), and DISA Cloud Computing Security Requirement Guide (CC SRG) Impact Level 2.
  • Microsoft 365 GCC High: Supports organizations in meeting CMMC Level 2 and Level 3 requirements (when configured appropriately), FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), DISA Cloud Computing Security Requirement Guide (CC SRG) Impact Level 4, and International Traffic in Arms Regulations (ITAR).

Cloud infrastructure

  • Azure Commercial: Build and manage powerful applications by using Azure commercial cloud services. In Commercial, both Office 365 Commercial and Office 365 GCC pair with Microsoft Entra ID.
  • Azure Government: Azure Government provides a fully isolated cloud environment designed for data sovereignty. It supports compliance with FedRAMP High, DFARS 7012, DoD CC SRG IL4/5, ITAR, and EAR.

Business applications

  • Dynamics 365 - Commercial: Help teams deliver positive customer experiences while supporting efficient resource use and operational cost management. Dynamics 365 in Commercial is compatible with Entra ID in Commercial.
  • Dynamics 365 - Government: The services offered in GCC and GCC High are further protected by heightened compliance demands. Check the feature availability site to learn which features are available in each environment.

Security and compliance capabilities that support CMMC requirements

  • Defend against cyberthreats and safeguard business data: Defend against phishing and ransomware across apps and devices and protect confidential business information.
  • Protect identities and secure remote access: Grant secure access to apps and data, protect and verify each identity, and apply least-privilege access.
  • Manage work data on personal and company-owned devices: Streamline onboarding and manage phones, tablets, and computers that connect to your business data.
  • Enable data security, governance, and compliance: Confidently understand your data, secure it wherever it leaves, and enable ease of investigation.

Partner solutions and services

Support your journey by working with our partners that offer strategy guidance, assessment services, and deployment support.

Important

Third parties provide partner solutions and services. Microsoft doesn't certify or endorse partner offerings for CMMC compliance outcomes. Customers should independently evaluate partner qualifications.

Example partner solutions available in the marketplace:

FAQ

Common questions regarding cloud migration, GCC vs. GCC High, and compliance strategy.

I can just stay on-premises. Why do I need to move to the cloud?

This approach depends on your confidence in achieving compliance while remaining on-premises (for example, keeping email, file servers, and so on) and demonstrating it at a reasonable cost. Consider if you need users to have geographic flexibility in accessing data. Organizations often find that on-premises environments can introduce higher operational cost and complexity, particularly when scaling security and compliance controls.

Microsoft 365 GCC is good enough, why do I need Microsoft 365 GCC High?

CMMC compliance can be expensive, and Microsoft has a purpose-built platform in GCC High to help organizations achieve requirements from the DoD. GCC isn't suitable to hold CUI Specified (for example, ITAR, Nuclear, and so on). This type of data requires US sovereignty, which only GCC High offers.

Microsoft 365 GCC High/GCC lacks feature parity with Commercial. Should I still invest in Microsoft 365 GCC High?

Federal, state, and local US Government agencies, as well as commercial companies, holding Controlled Unclassified Information (CUI), Criminal Justice Information (CJIS), and export-controlled data (ITAR/EAR) find that Microsoft 365 Government Cloud provides a broad set of capabilities while supporting required regulatory controls. Some of the parity items are by design because you need to apply concepts like Zero Trust from the start.

I don't work with the government or Department of Defense. Do I still need CMMC certification?

Not working with government or DoD contracts doesn't necessarily mean that you don't need CMMC compliance. The basic principles of CMMC compliance relate to proactive and consistent security best practices. In addition, CMMC might still apply because you might provide a service to companies that need to comply with CMMC. This means they flow down the requirements to you.

I have existing in-house products (non-Microsoft). Why should I invest in Microsoft products?

Many organizations use various security and collaboration products. But managing that system and compliance boundary is difficult and increases risk. The G3 and G5 packages already include security and compliance capabilities that natively integrate across the Microsoft platform.

How do I migrate from a commercial cloud to a Government cloud?

The migration process is similar to migration from any other cloud or on-premises. Allocate at least three months for the migration phase and use tools to facilitate the process.

I have multiple business units with respective compliance requirements. How should I manage my solution and architecture?

If you have multiple business units, put all of them in one cloud environment with GCC High. This approach gives you the high bar of security requirements, irrespective of the specific compliance requirements of each business unit and the information you're controlling.

Should I build a data enclave or should I go all in?

A data enclave might seem to be a quick and easy-to-deploy solution, and it often maps 1:1 with a data enclave that's on-premises today. This approach can help organizations manage costs compared to approaches that place more users and workloads in GCC High.

However, in most organizations the most common spillage happens through personal storage, especially email. If your personal data solutions don't meet the high bar for compliance, or worse, if they're hosted in a commercial cloud, you have much more scope outside the accreditation boundary than where your shared data resides.

For more information, see The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In.

Resources

Blogs

Guides

Webinars and videos

Other resources