Appendix A: CMMC Level 2 Controls

This matrix maps technical implementation to Microsoft 365 capabilities. Administrative controls (Policy, HR, Physical Security) are noted where specific Microsoft technologies support them.

Author's Note on NIST Versions

You may notice that NIST has labeled SP 800-171 Rev 2 as "Withdrawn" in favor of Rev 3. For CMMC Level 2 compliance, Revision 2 remains the mandatory standard. The DoD’s CMMC Final Rule (32 CFR Part 170) specifically mandates Rev 2. All technical configurations in this book — including Entra ID Conditional Access and Intune Device Compliance — are designed to meet the Rev 2 assessment objectives.

CMMC Practice	Microsoft Technology	Book Reference
ACCESS CONTROL (AC)
AC.L2-3.1.1 (Authorized Access)	Entra ID (Conditional Access)	Conditional Access Policies
AC.L2-3.1.2 (Transaction Recovery)	Entra ID (Logs), Purview Audit	Audit Readiness
AC.L2-3.1.3 (CUI Flow Control)	Teams (Private Channels), Exchange	Secure Collaboration
AC.L2-3.1.5 (Least Privilege)	Entra ID PIM (Just-in-Time Access)	Access Governance
AC.L2-3.1.16 (Wireless Access)	Intune (Wi-Fi Config Profiles)	Mobile & Endpoint Security
AC.L2-3.1.18 (Mobile Devices)	Intune (MAM/MDM)	Mobile & Endpoint Security
AWARENESS & TRAINING (AT)
AT.L2-3.2.2 (Insider Threat)	Defender for Office 365 (Simulations)	Threat Defense
AUDIT & ACCOUNTABILITY (AU)
AU.L2-3.3.1 (System Auditing)	Microsoft Sentinel, Purview Audit	SIEM Strategy
AU.L2-3.3.2 (User Accountability)	Entra ID (Sign-in Logs)	Identity Foundation
AU.L2-3.3.5 (Audit Analysis)	Microsoft Sentinel (Analytics Rules)	SIEM Strategy
AU.L2-3.3.7 (Audit Retention)	Azure Storage (Diagnostic Settings)	Audit Readiness
CONFIGURATION MANAGEMENT (CM)
CM.L2-3.4.1 (Baseline Config)	Intune (Device Compliance Policies)	Mobile & Endpoint Security
CM.L2-3.4.7 (Unauthorized Software)	Defender for Endpoint (Software Inventory)	Threat Defense
CM.L2-3.4.9 (User-Installed Software)	Intune (Endpoint Privilege Management)	Foundational Architecture & Design
IDENTIFICATION & AUTHENTICATION (IA)
IA.L2-3.5.1 (Identification)	Entra ID (User Accounts)	Identity Foundation
IA.L2-3.5.3 (MFA)	Entra ID (Conditional Access)	Conditional Access Policies
IA.L2-3.5.7 (Password Complexity)	Entra ID (Password Protection)	Identity Foundation
INCIDENT RESPONSE (IR)
IR.L2-3.6.1 (Incident Handling)	Microsoft Sentinel (Incident Management)	SIEM Strategy
IR.L2-3.6.2 (Incident Reporting)	Defender XDR (Alerts)	Threat Defense
MAINTENANCE (MA)
MA.L2-3.7.5 (Remote Maintenance)	Windows 365 / AVD (Secure Admin Workstations)	Virtual Desktop Strategy
MEDIA PROTECTION (MP)
MP.L2-3.8.1 (Media Protection)	BitLocker (Intune Policy)	Mobile & Endpoint Security
MP.L2-3.8.7 (Portable Storage)	Defender for Endpoint (Device Control)	Threat Defense
PERSONNEL SECURITY (PS)
PS.L2-3.9.2 (Personnel Termination)	Entra ID (Account Disable/Revocation)	Identity Foundation
PHYSICAL PROTECTION (PE)
PE.L2-3.10.1 (Physical Access)	Azure Virtual Desktop (Data stays in data center)	Virtual Desktop Strategy
RISK ASSESSMENT (RA)
RA.L2-3.11.2 (Vulnerability Scan)	Defender Vulnerability Management	Threat Defense
SECURITY ASSESSMENT (CA)
CA.L2-3.12.1 (Security Controls)	Compliance Manager / Secure Score	Audit Readiness
CA.L2-3.12.3 (Continuous Monitoring)	Microsoft Sentinel	SIEM Strategy
SYSTEM & COMMUNICATIONS (SC)
SC.L2-3.13.8 (Data in Transit)	TLS 1.2+ (Office 365 Defaults)	Secure Collaboration
SC.L2-3.13.11 (FIPS Encryption)	Intune (BitLocker FIPS Policy)	Mobile & Endpoint Security
SC.L2-3.13.16 (Data at Rest)	Purview Information Protection (Encryption)	Protection Architecture
SYSTEM & INFORMATION INTEGRITY (SI)
SI.L2-3.14.1 (Flaw Remediation)	Intune (Windows Autopatch/Updates)	Mobile & Endpoint Security
SI.L2-3.14.2 (Malicious Code)	Defender Antivirus	Threat Defense
SI.L2-3.14.4 (Security Alerts)	Defender XDR	Threat Defense