Jan 06 2025 - Explore the complexities and expenses of achieving CMMC compliance with Microsoft 365, including licensing, technical requirements, shared responsibilities, and implementation challenges.
Navigating CMMC compliance with Microsoft 365 presents unique challenges, from complex licensing and shared responsibilities to technical configurations that align with stringent audit requirements. Organizations of all sizes face similar hurdles in achieving compliance, whether implementing Zero Trust principles or managing migrations to GCC or GCC High environments.
This post explores why these challenges exist and provides insights to help organizations prepare effectively.
Let’s get this out of the way. You need to meet the CMMC requirements because of a government contract.
You might instead be an IT provider, whether a consultant, MSP, MSSP, or something else, where a CMMC attestation and audit can land on you. Either way, you don't want to lose a contract, pay a penalty, or in the worst case go to jail.
If you're an organization that needs to meet CMMC and you lean on an implementor, MSP, MSSP, or other outside vendor, they carry exactly the same worries and risks that you do, including the potential of a DOJ visit.
Whether your organization has four people or 40,000 employees, the requirements specified in CMMC and the bar for passing an audit are the same. Small businesses ask about this frequently.
You'd think that with fewer people there would be a simpler approach to meeting CMMC compliance. It's reasonable to expect that fewer people means less complexity and fewer scenarios to manage.
However, the common areas of identity, access, management, and monitoring are essentially the same at any size, and they need the same documentation, configuration, and operational procedures regardless of how many people the organization has.
Many suggest that the overall implementation of CMMC could be done more cheaply with a traditional IT approach: buy your own hardware and perpetual software licenses. Perhaps that could be the case, but there are many downsides to this. Here are just a few:
There are many ways to mitigate these issues. If you're a smaller organization, though, preparing for and handling them can cost more, in money and in distraction, than the savings you thought you were getting.
The shared responsibility model lets organizations lean on the investments and certifications of their providers, within the scope of the service the provider delivers and audits. When you use Microsoft 365 for CMMC, Microsoft brings its own documentation and audits. One standout area is the physical security and management of the services they are offering.
In the case of CMMC, there are the GCC and GCC High implementations of Microsoft 365. I won't go into which is right for you, as that's a broader topic. One key example, though: organizations with data sovereignty requirements such as ITAR can meet them with GCC High, and NOT with GCC or Commercial.
With Microsoft 365 GCC High, Microsoft has made the investment and carries its share of the responsibility to ensure that all data in the subscribed GCC High tenant resides only in the Continental United States. BUT that only holds up to the point where the customer configures their own portion, access and management within the GCC High environment, to uphold the same restriction.
If you purchase a new GCC or GCC High tenant, then with a few exceptions the environment is not Zero Trust by default. As users are created, devices are joined, Microsoft Teams are created, OneDrive is enabled and users start syncing, nothing restricts where users sign in from or where data can be synced or shared, so data can go worldwide.
Even in this wide-open, green field environment, Microsoft is still meeting its part of the shared responsibility. The responsibility now falls on the organization to apply the configurations that implement the controls aligned to CMMC.
Yes, this is just like the experience of creating a new commercial environment. You might wonder why GCC or GCC High doesn't come with a set of default CMMC-aligned configurations. The answer is the same split of responsibility: the right configuration depends on the organization's licensing, locations, devices and users, and that is the customer's half.
Microsoft licensing is always a complex and often frustrating conversation. Organizations don't want to over-purchase, and they often have different user personas (e.g., information workers versus frontline workers) that require different capabilities and data limits. Rightsizing licensing is a journey, and it evolves as an organization adapts to business needs and size.
Organizations can opt to use many of the common Microsoft 365 services that align with CMMC requirements and cover the rest with CMMC-compliant services from another vendor. A classic example is using an MSSP that covers additional security and compliance requirements.
If you’re a fan of vendor consolidation, reduced redundant support costs, and increasing buying power with a vendor, then purchasing a collection of Microsoft 365 and Azure services is your starting point. Even then, you don’t have to purchase all of the most expensive licenses (Microsoft 365 E5). Nor is it the only license you’ll purchase. Again, it depends on your scenario.
One thing to keep in mind is that you'll also be purchasing an Azure Government subscription, where your logs will be stored in an Azure Log Analytics workspace with Microsoft Sentinel (formerly Azure Sentinel) as the SIEM.
Technical knowledge of Microsoft services and how to configure them is one thing. Understanding the specific implementation and mapping to the requirements of CMMC policies are another. Being able to do both continuously is where working with an IT vendor becomes almost necessary for small to medium sized organizations.
Let’s use a quick example of Access Control (AC) AC.L1-3.1.1
Based on the most recent “Microsoft Technical Reference Guide for CMMC” document by Microsoft, below is a snippet from this control:
Practice: Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
Assessment Objectives:
Primary Services
Secondary Services
There’s more in this section of the document, but let’s focus on the Conditional Access portion.
Conditional Access
Conditional Access allows you to set up access policies to prohibit a specific activity, as well as to trigger MFA according to rules that you define. It is a very powerful engine. You may target conditional access policies toward specific users or groups, or to specific apps. Additionally, you can create conditional access session control policies to enable a limited experience within specific cloud applications.
For example, you could create a policy to limit information system access to devices such as printers to block the ability to print sensitive documents on unmanaged devices.
To learn more, see Conditional Access: Session. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session
**Intune/Intune Suite**
A cloud-based Enterprise Mobility Management (EMM) service that enables administrators to enroll mobile devices, deploy apps, and enforce security policies. As a Security Admin, use the Endpoint security node in Intune to configure device security and to manage security tasks for devices when those devices are at risk.
To protect your devices and corporate resources, you can use Microsoft Entra ID Conditional Access policies with Intune.
Intune passes the results of your device compliance policies to Microsoft Entra ID, which then uses conditional access policies to enforce which devices and apps can access your corporate resources. Conditional access policies also help to gate access for devices that aren't managed by Intune and can use compliance details from Mobile Threat Defense partners you integrate with Intune.
The following are two common methods of using conditional access with Intune:
There's some good information here, but it doesn't include the actual policy configurations that could or should be used. That's because the actual implementation depends on the licensing the organization has, which locations should be allowed to connect, how and whether Intune device compliance will be leveraged, whether and which hardware-based authentication devices will be used, and more.
There are Conditional Access policy templates that can be used to get started. However, these are just starting points and will need to be customized to meet the organization’s specific requirements.
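As an added starting-point example (not from the original post or from Microsoft's reference guide), here is one way to create such a policy with the Microsoft Graph PowerShell SDK: all users, all cloud apps, require MFA and an Intune-compliant device, created in report-only mode so its impact can be reviewed in the sign-in logs before it is enforced. It assumes the Microsoft.Graph module is installed, a GCC High tenant (hence the US Government Graph endpoint), and that the placeholder break-glass account ID is replaced with your own emergency access account. The policy name and the compliant-device requirement are illustrative choices; as noted above, whether you can use device compliance depends on your licensing.

```powershell
# Added example, not code from the original post or from Microsoft's
# reference guide. Assumptions: Microsoft.Graph PowerShell SDK installed,
# a GCC High tenant (-Environment USGov), and the break-glass account
# object ID below replaced with your own emergency access account.

# GCC High and DoD tenants use the US Government Graph endpoint.
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency access (break-glass) account.
# Always exclude it so an all-users/all-apps policy cannot lock out every admin.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CMMC AC.L1-3.1.1 - Require MFA and compliant device for all users"
    # Report-only first: the policy is evaluated and logged but not enforced,
    # so you can review the "report-only" result in Entra sign-in logs.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        applications = @{ includeApplications = @("All") }
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
    }
    grantControls = @{
        # AND: MFA *and* an Intune-compliant device are both required.
        # Drop "compliantDevice" if you are not using Intune device compliance.
        operator = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id)"

# Check: list every policy with its state so you can see what is enforced,
# what is report-only, and what is disabled before an assessor asks.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Once the report-only results are acceptable, switch the policy to enforced.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The report-only step is the important part: an all-users, all-apps policy that requires a compliant device will block every device that has not yet enrolled in Intune, so review the sign-in log results and the break-glass exclusion before flipping the state to enabled. Named locations, session controls, and hardware-based authentication strengths are the customizations the text above mentions and would be layered onto this same policy object.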
Starting with a fresh (aka green field) deployment in Microsoft 365 GCC or GCC High still usually requires a migration, including from an existing Microsoft 365 commercial environment (which requires additional migration steps).
Then there's the question of what to do with your existing infrastructure and applications. If they're in scope for your CMMC documentation and audit, don't put off deciding how they'll be migrated and/or updated.
While this is a brief explanation of why CMMC with Microsoft 365 costs what it does, it shouldn't sway you away from using Microsoft 365 for your CMMC needs. Think of the productivity gains, the integrated security and compliance capabilities, and the vast set of third-party providers and applications you'll have access to.
This is merely to help answer questions that I hear from customers, IT professionals, and in many online communities.
It’s not that Microsoft and the many IT providers and CMMC implementors are trying to overprice things (not to say some don’t), but there are good reasons why it’s not fast, cheap, and easy.