Implement Microsoft Government For CMMC

    This blog enables contractors with the ability to choose the right technical design for their organization's CMMC compliance journey.

    4 Minutes Read

    Implement Microsoft Government for CMMC

    At this point in your CMMC compliance journey, you should have determined your required CMMC Level, identified relevant CMMC assets, and chosen your technical design for CMMC implementation. With the assumption that Microsoft Government Cloud is your platform of choice for CMMC, this blog will focus on implementing Microsoft 365 GCC and/or GCC High for CMMC.  

    Steps to implement Microsoft Government for CMMC: 

    1. Choose your implementation plan (Lift and Shift or Enclave)
    2. Select the right Microsoft Gov licensing for your needs (GCC or GCC High)
    3. Migrate your existing IT environment and implement the appropriate CMMC solution



    One more note before we go any further. For the purposes of this blog, the following criteria are assumed:  

    1. During Step 1, you discovered you have a DFARS 252.204-7012 requirement and handle CUI
    2. The type of contract data discovered is a CUI and/or a type of CUI
    3. You have chosen Microsoft 365 GCC or GCC High as your compliance platform 

    Choosing Your Implementation Plan

    During Step 3 of this 7-part blog series, we walked the reader through two potential technical approaches to CMMC compliance:

    • Full Migration (Lift & Shift)
    • Partial Migration (Enclave) 

    As mentioned in the previous blog, these options are dependent on the extent of CUI data interacting with the identified assets on the information system. Contrary to popular opinion, the enclave approach is not always the best methodology for organizations supporting the DoD supply chain pursuing CMMC Level 2 compliance. Cloud enclaves work wonders for companies that can contain their CUI within an enclave. Unfortunately, CUI data flows tend to closely follow business data flows. As a result, most companies dramatically under-scope and underfund their cloud and on-premises environments while simultaneously setting themselves up for failure during a CMMC assessment. Sometimes, a full migration is the better approach for aerospace and defense contractors.

    Selecting Your Microsoft Government Licensing 

    The suite of collaboration and productivity tools offered with M365 licensing is second to none. There are many licensing in the M365 stack that provides industry-leading solutions that the organization can leverage to increase employee collaboration and maintain productivity, no matter the physical location of the user and resources. When licensing Microsoft (Office) 365 for your company it is essential to understand the various types of licensing and how they impact your security and compliance goals. The guide to Microsoft 365 GCC High licensing below will help you decide which licenses are right for your CMMC journey.


    With the M365 license, organizations can communicate effectively and share work in an environment capable of protecting the infrastructure and its data to the regulatory standards imposed on the organization. You can avoid hiccups in your business processes with M365 (and O365), but these licenses also maintain the ability to meet regulatory requirements as discussed in other blogs on Microsoft Gov. 



    Migrating Your Existing Environment to M365 GCC/GCC High and Azure Gov 

    Planning and mapping are the most critical components of migration - especially when transitioning from something like Google Workspace or AWS to the Microsoft Government cloud. Migrating the wrong way, or to the wrong platform, can lead to headaches for organizations that want to quickly create compliant IT environments as CMMC continues to approach.  



    The most common issues companies run into with self-completed migrations are related to workflow and automation processes being disrupted; these don’t directly affect CMMC compliance, but they create barriers for companies that need to collaborate securely and effectively while maintaining compliant infrastructures.   




    The Microsoft Product Placemat for CMMC 2.0 visually demonstrates not only the control mappings for their technical services but also the “behind the scenes” role both Microsoft and the customer organization play in the implementation and continuous execution of the customer’s infrastructure. 

    Microsoft CMMC Acceleration Update – March 2022 - Microsoft Tech Community
    Technical Services
    in Microsoft Government

    Your steps to CMMC compliance would be much easier if all that was needed was a secure online collaborative environment. However, the requirements of CMMC follow the data, and that data flow expands the scope typically far past one software suite, or cloud environment for that matter. Realistically, the environment of many DIB OSCs will consist of endpoints, servers, and multiple cloud applications that will be in scope; these will more than likely must conform to the organization's regulatory requirements.

    The technical services provided with versions of M365 GCC High licensing offer organizations the most comprehensive, “Best of Platform” package of products and features; this allows organizations that appropriately leverage the M365 suite to satisfy 77 of the 110 controls found in CMMC Level 2 and NIST SP 800-171.

    The table below demonstrates the foundational areas of CMMC Level 2 compliance available to customers building infrastructure using M365 GCC High:  

    Identity and Access Management  

    • Azure Active Directory (Azure AD) 
    • Azure AD MFA  
    • Privileged Identity Management (PIM) 

    Data Governance and Data Loss Prevention 

    • Microsoft Purview 

    Audit & Accountability and Incident Response 

    • Microsoft Sentinel 

    Endpoint Management and Protection 

    • Microsoft Intune  
    • Microsoft Defender for Endpoint and Defender for Endpoint Servers  

    Cloud platform and Cloud Application governance and security  

    • Microsoft Defender for Cloud 
    • Microsoft Defender Cloud Applications 

    The Solution to CMMC Level 2 

    Technical implementation/mitigation for CMMC Level 2 only covers around 70% of the DoD-defined requirements - typically, this is the biggest expense and time consumption for companies preparing for CMMC assessments.

    The 70% mentioned above only applies to organizations that adopt the culture change needed by performing the continuous processes that CMMC requires. The deployment of the Summit 7 CMMC Level 2 solution enables organizations to achieve their technical compliance goals while executing their business deliverables. Implementation of the Summit 7 CMMC 2.0 Level 2 Solution can include, but is not limited to: 

    • Baselining your Microsoft 365 GCC or GCC High tenant  
    • Configuring Microsoft Security products to meet CMMC / NIST 800-171 technical requirements  
    • Securing in scope endpoints with Microsoft Intune  
    • Configuring Identity and Access Management, to include MFA using Azure Active Directory   
    • Implementing Microsoft Purview Information Protection (MPIP)  
    • Deploying Microsoft Defender suite products and services for the protection of endpoints, 3rd party cloud applications and platforms, data, and external connection
    • Other duties as identified 

    (V3) CMMC 2.0 Level 2 Solution Set-4


    Implementing a technical solution for CMMC is not the last stop for companies on the journey to CMMC assessment preparation. Documentation, training, policies, and other things are still left in place and must be properly approached in a thorough and timely manner. We'll cover more of these in the rest of this blog series.


    Next Steps 

    As the DoD seemingly continues to delay timelines for CMMC, contractors should be moving forward in their steps to CMMC compliance. In the next blog, we're going to cover what, how, and why you should be looking to an external service provider to meet and maintain CMMC compliance. We'll cover what questions companies should be asking their current, or prospective MSP / MSSP in regards to NIST 800-171 and CMMC.

    Subscribe to the blog and the Summit 7 YouTube channel to get notified of content regarding all things security and compliance.  



    Jason Sproesser