Securing GCC High

A System Architect's Blueprint for CMMC Level 2 Compliance

Executive Introduction

Who this guide is for, how to navigate it, CUI scope, and its relationship to your System Security Plan.


Phase 1: Scoping

Goal

Before configuration, you must understand where your Controlled Unclassified Information (CUI) lives, who interacts with it, and which third parties are responsible for its protection.

Chapter 1: CUI Data Flows & Business Applications

Mapping how CUI enters, moves through, and exits your business applications — email, ERP, SAFE exchange portals, and file shares.

Chapter 2: People, Technology, and Processes

Identifying CUI Assets, Security Protection Assets (SPAs), and CRMAs to define what the assessor will actually examine.

Chapter 3: External Service Provider Management

Inventorying third parties — MSPs, SaaS tools, subcontractors — and validating FedRAMP Moderate Equivalency for each.

Chapter 4: Contractual Ingestion & LOB Strategy

Analyzing DoD contract flow-downs (DFARS 7012) and the process for identifying CUI obligations at the point of contract award.


Phase 2: Identity Architecture

Goal

Secure the "Who" before building the "What." Identity is the perimeter in a cloud-first CUI environment.

Chapter 5: Sovereign Cloud Considerations

The GCC High vs. Commercial decision matrix, AOS-G purchasing constraints, feature parity gaps, and timeline expectations.

Chapter 6: Cloud Strategy

Cloud-only vs. hybrid architecture tradeoffs. Why reducing Active Directory dependency increases security posture for CMMC.

Chapter 7: Phishing-Resistant Authentication

Windows Hello for Business and FIDO2 as the primary MFA mechanism. Eliminating SMS and authenticator app fallbacks for CUI access.

Chapter 8: Directory Synchronization

Entra Connect Sync architecture, filtering strategy for limiting what synchronizes to GCC High, and hybrid identity gotchas.

Chapter 9: Entra Security Settings

Tenant-wide security defaults, legacy authentication blocking, and Entra ID Protection configuration for GCC High.

Chapter 10: Identity Governance

Privileged Identity Management (PIM) for just-in-time elevation, Entitlement Management for access packages, and access review scheduling.

Chapter 11: Cross-Tenant Collaboration

Cross-tenant access settings, B2B limitations in GCC High (cross-cloud B2B off by default), and DNS record requirements.

Chapter 12: Conditional Access

The CMMC baseline policy set: geo-blocking, phishing-resistant MFA enforcement, compliant device requirement, and break-glass account documentation.


Phase 3: Devices

Goal

Define "Where" CUI lives to minimize audit scope. Cloud-managed, Entra-joined devices reduce the attack surface and simplify compliance evidence.

Device Architecture

Chapter 13: Virtual Desktop Strategy

Using Azure Virtual Desktop to contain CUI on session hosts rather than physical endpoints. Screen capture protection, watermarking, and GCC High-specific gaps.

Chapter 14: Foundational Architecture & Design

The Entra Join-only model: why hybrid join adds complexity without compliance benefit for most DIB organizations.

Chapter 15: Provisioning with Windows Autopilot

Zero-touch provisioning for Entra-joined devices. Autopilot profiles, deployment modes, and the GCC High enrollment URL.

Chapter 16: Entra Join — Cloud-Only Deployment

Step-by-step checklist for a greenfield cloud-only deployment: prerequisites, Intune enrollment, Autopilot, and validation.

Chapter 17: Hybrid Deployment

Transition path for organizations with existing on-premises AD. Hybrid Entra Join configuration, co-management, and migration sequencing.

Chapter 18: Windows Hello for Business Setup

End-to-end WHfB provisioning: prerequisites, Intune policy configuration, and troubleshooting common enrollment failures.

Chapter 19: AVD — Dedicated Sovereign Tenant

Personal host pool architecture, VM sizing, Nerdio, and CMMC control mapping for a 20-user greenfield deployment.

Chapter 20: AVD — Enclave in Existing Tenant

Custom Security Attributes and Conditional Access to enforce an isolated CUI enclave inside a GCC High tenant you already own.

Chapter 21: Shared PC Mode

Kiosk and shared workstation configuration for non-dedicated endpoint environments.

Chapter 22: Migrating to Entra Join

Phased migration from domain-joined to cloud-managed endpoints without disrupting users.

Device Operations

Chapter 23: Modern Endpoint Operations

The operational model for a cloud-managed device fleet: update rings, compliance policy cadence, and the Intune admin workflow.

Chapter 24: Device Lifecycle & Onboarding

Onboarding new hires, reprovisioning returned devices, and retiring endpoints — including the sanitization evidence trail for MP.L2-3.8.3.

Chapter 25: Mobile & Endpoint Security

Attack Surface Reduction rules, CMMC control mapping matrix, and Mobile Application Management for GCC High Government app variants.

Chapter 26: Intune Diagnostics & Audit Evidence

Pulling compliance reports, device configuration state, and policy assignment evidence in the format C3PAO assessors request.

Chapter 27: Defender for Endpoint

Full MDE onboarding guide for GCC High: Tamper Protection, Attack Surface Reduction, and Microsoft Sentinel integration with CMMC practice mapping.

Chapter 28: M365 Apps Deployment via ODT

Why the built-in M365 Apps policy fails and how to package a Win32 Intune app using the Office Deployment Tool — with channel control, app exclusions, detection rules, and Company Portal deployment guidance.

Chapter 29: Intune RBAC & Governance

Intune RBAC role design, scope tags, and assignment filters — delegation model and tagging taxonomy for a well-governed Intune environment.

Chapter 30: Entra Device Hygiene

Identifying and removing stale or duplicate Entra device objects at scale — trust type priority ranking, two-phase disable-then-delete process, pre-imaging checklist, and BitLocker key preservation.

Chapter 31: GPO-to-Intune Migration

Top-down approach for migrating Group Policy estates into a structured Intune policy architecture using the Open Intune Baseline taxonomy, Group Policy Analytics, and a five-tier policy hierarchy.


Phase 4: Data Protection

Goal

Encrypt and tag CUI wherever it travels — files, email, Teams messages, and structured data in Azure SQL — so that label-based controls follow the data, not the location.

Chapter 32: Data Protection Requirements

CMMC and NIST SP 800-171 control mapping for the information protection domain. CUI label taxonomy design.

Chapter 33: Asset Inventory

Content Explorer for labeled cloud content, the Purview Information Protection Scanner for on-premises shares, and Intune device inventory for auditors.

Chapter 34: Compliance Manager Assessment

Using Microsoft Purview Compliance Manager to run a CMMC Level 2 gap assessment and generate improvement action evidence.

Chapter 35: Purview Deployment Blueprint

Phased rollout sequence for sensitivity labels, DLP, and auto-labeling across a GCC High tenant.

Chapter 36: Structured Data Governance

Purview Data Map for Azure SQL classification, Power BI Row-Level Security to restore source system access controls, and Copilot grounding governance.

Chapter 37: Sensitive Information Types & Classifiers

Built-in and trainable classifiers for CUI detection. Custom SITs for business-specific patterns.

Chapter 38: Sensitivity Labels

Label taxonomy design, encryption configuration, and auto-labeling policy for GCC High sovereign endpoints.

Chapter 39: Data Loss Prevention Policies

DLP policy scope for Exchange, SharePoint, OneDrive, Teams, and endpoints — with CMMC control mapping and GCC High sovereign endpoint notes.

Chapter 40: Incident Response & Insider Risk

Purview Insider Risk Management for data exfiltration detection, alert triage workflow, and HR connector integration.

Chapter 41: Information Protection Scanner

On-premises file share scanning with the Purview AIP scanner: deployment, scan rule configuration, and SQL audit queries.

Chapter 42: CAB Runbook — Sensitivity Labels & DLP

Change Advisory Board submission template for deploying a sensitivity label taxonomy and foundational DLP policies — including implementation plan, validation checklist, rollback procedures, and risk register.

Chapter 43: Secure Collaboration

Sensitivity labels in Teams and SharePoint, external sharing controls, and the Teams Voice constraint in GCC High (no Calling Plans — Direct Routing required).


Phase 5: Monitoring

Goal

Prove to auditors that you are watching. Active monitoring satisfies AU and IR domain controls and generates the continuous-monitoring evidence required for CMMC assessment.

Chapter 44: Microsoft Defender XDR

Unified threat detection across endpoint, email, identity, and cloud apps. Defender for Cloud Apps shadow IT discovery and App Governance for OAuth risk.

Chapter 45: SIEM Strategy

Microsoft Sentinel architecture for GCC High: missing data connectors, custom log ingestion workarounds, and KQL alert rules for AU.L2-3.3.1.

Chapter 46: Audit Readiness

Purview Audit Premium for MailItemsAccessed forensics, diagnostic settings for 1-year log retention, and the audit evidence package structure for a C3PAO assessment.


Appendices

Goal

Reference material for implementation and assessment. Each appendix is designed to be extracted as a standalone deliverable for your SSP or C3PAO evidence package.

Appendix A: CMMC Level 2 Control Matrix

All 110 CMMC Level 2 practices mapped to the Microsoft technology that satisfies each control, with chapter cross-references.

Appendix B: Intune Baseline Configurations

Verbatim Open Intune Baseline (OIB) policy exports — ASR, Exploit Protection, Defender for Endpoint, BitLocker, Windows Hello for Business, LAPS, banner, session lock, removable media, and telemetry.

Appendix C: AVD Deployment & Operations

  • AVD Deployment Runbook — Step-by-step runbook from empty subscription to 20 Entra-joined, Intune-enrolled session hosts: VNet, Azure Firewall, UDR, host pool, Entra SSO configuration, and validation.
  • AVD Firewall Reference — Azure Firewall application and network rule collections for GCC High AVD, with customer rule template and troubleshooting KQL.
  • AVD Deployment Timeline — Phased 65-hour implementation guide for a greenfield 20-VM personal pool deployment.

Appendix D: Licensing & Compliance Matrix

G3 vs. G5 feature comparison mapped to CMMC Level 2 practices. Covers Defender XDR workloads, Purview compliance features, Intune compliance posture, and the E5 Security add-on middle ground.