Appendix A: Compliance Controls
CMMC Level 2 Controls (GCC High)
This matrix maps technical implementation to Microsoft 365 capabilities. Administrative controls (Policy, HR, Physical Security) are noted where specific Microsoft technologies support them.
Author's Note on NIST Versions
You may notice that NIST has labeled SP 800-171 Rev 2 as "Withdrawn" in favor of Rev 3. For CMMC Level 2 compliance, Revision 2 remains the mandatory standard. The DoD's CMMC Final Rule (32 CFR Part 170) specifically mandates Rev 2. All technical configurations in this book — including Entra ID Conditional Access and Intune Device Compliance — are designed to meet the Rev 2 assessment objectives.
| CMMC Practice | Microsoft Technology | Book Reference |
|---|---|---|
| ACCESS CONTROL (AC) | | |
| AC.L2-3.1.1 (Authorized Access) | Entra ID (Conditional Access) | Conditional Access Policies |
| AC.L2-3.1.2 (Access Enforcement) | Entra ID Conditional Access enforcing approved access authorizations | Conditional Access Policies |
| AC.L2-3.1.3 (CUI Flow Control) | Teams (Private Channels), Exchange | Secure Collaboration |
| AC.L2-3.1.5 (Least Privilege) | Entra ID PIM (Just-in-Time Access) | Access Governance |
| AC.L2-3.1.14 (Remote Access) | Azure Virtual Desktop (AVD Gateway as the single managed remote access point — no direct RDP, no VPN required for CUI access) | Scenario: Azure Virtual Desktop |
| AC.L2-3.1.15 (Privileged Remote Access) | Azure Virtual Desktop (Virtual Machine Administrator Login role — restricts privileged console access to named admin accounts, logged in Entra sign-in logs) | Scenario: Azure Virtual Desktop |
| AC.L2-3.1.16 (Wireless Access) | Intune (Wi-Fi Config Profiles) | OIB Deployment — Wi-Fi Configuration |
| AC.L2-3.1.18 (Mobile Devices) | Intune (MAM/MDM) | Mobile Device Management & App Protection |
| AWARENESS & TRAINING (AT) | | |
| AT.L2-3.2.1 (Security Awareness Training) | Defender for Office 365 (Attack Simulation Training) | Threat Defense |
| AUDIT & ACCOUNTABILITY (AU) | | |
| AU.L2-3.3.1 (System Auditing) | Microsoft Sentinel, Purview Audit | SIEM Strategy |
| AU.L2-3.3.2 (User Accountability) | Entra ID (Sign-in Logs) | Identity Foundation |
| AU.L2-3.3.5 (Audit Analysis) | Microsoft Sentinel (Analytics Rules) | SIEM Strategy |
| AU.L2-3.3.7 (Audit Retention) | Azure Storage (Diagnostic Settings) | Audit Readiness |
| CONFIGURATION MANAGEMENT (CM) | | |
| CM.L2-3.4.1 (Baseline Config) | Intune (Device Compliance Policies); Entra ID device object hygiene (accurate inventory of managed endpoints) | OIB Deployment, Entra Device Hygiene |
| CM.L2-3.4.6 (Least Functionality) | MDE Attack Surface Reduction (ASR) Rules — blocks execution of unnecessary system features and living-off-the-land binaries | Defender for Endpoint |
| CM.L2-3.4.7 (Unauthorized Software) | Defender for Endpoint (Software Inventory) | Threat Defense |
| CM.L2-3.4.9 (User-Installed Software) | Intune (Endpoint Privilege Management) | OIB Deployment |
| IDENTIFICATION & AUTHENTICATION (IA) | | |
| IA.L2-3.5.1 (Identification) | Entra ID (User Accounts) | Identity Foundation |
| IA.L2-3.5.3 (MFA) | Entra ID (Conditional Access) | Conditional Access Policies |
| IA.L2-3.5.7 (Password Complexity) | Entra ID (Password Protection) | Identity Foundation |
| INCIDENT RESPONSE (IR) | | |
| IR.L2-3.6.1 (Incident Handling) | Microsoft Sentinel (Incident Management); MDE Incidents and automated investigation provide the response workflow | SIEM Strategy, Defender for Endpoint |
| IR.L2-3.6.2 (Incident Reporting) | Defender XDR (Alerts); MDE incident timeline and audit log satisfy documentation requirements | Threat Defense, Defender for Endpoint |
| MAINTENANCE (MA) | | |
| MA.L2-3.7.5 (Remote Maintenance) | Azure Virtual Desktop (Secure Admin Workstations — Virtual Machine Administrator Login gated by phishing-resistant CA) | Virtual Desktop Strategy, Scenario: Azure Virtual Desktop |
| MEDIA PROTECTION (MP) | | |
| MP.L2-3.8.1 (Media Protection) | BitLocker (Intune Policy) | OIB Deployment |
| MP.L2-3.8.7 (Portable Storage) | Defender for Endpoint (Device Control) | Threat Defense |
| PERSONNEL SECURITY (PS) | | |
| PS.L2-3.9.2 (Personnel Termination) | Entra ID (Account Disable/Revocation) | Identity Foundation |
| PHYSICAL PROTECTION (PE) | | |
| PE.L2-3.10.1 (Physical Access) | Azure Virtual Desktop (CUI never touches end-user hardware — users see only a rendered screen; data remains in Azure Government FedRAMP High datacenters) | Virtual Desktop Strategy, Scenario: Azure Virtual Desktop |
| RISK ASSESSMENT (RA) | | |
| RA.L2-3.11.2 (Vulnerability Scan) | Defender Vulnerability Management | Threat Defense |
| SECURITY ASSESSMENT (CA) | | |
| CA.L2-3.12.1 (Security Controls) | Compliance Manager / Secure Score | Audit Readiness |
| CA.L2-3.12.3 (Continuous Monitoring) | Microsoft Sentinel; MDE Secure Score, device health reports, and alert pipeline provide continuous monitoring evidence | SIEM Strategy, Defender for Endpoint |
| SYSTEM & COMMUNICATIONS (SC) | | |
| SC.L2-3.13.1 (Network Boundary Monitoring) | Azure Firewall (deny-all with explicit allow rules, FQDN-based egress control for AVD session hosts) | AVD Firewall Reference, Scenario: Azure Virtual Desktop |
| SC.L2-3.13.5 (Subnetworks / No Public Exposure) | Azure Virtual Desktop (session hosts have no public IPs; inbound via AVD Gateway service tag only; outbound via Azure Firewall UDR) | Scenario: Azure Virtual Desktop |
| SC.L2-3.13.8 (Data in Transit) | TLS 1.2+ (Office 365 Defaults); AVD Gateway enforces TLS on all RDP sessions | Secure Collaboration, Scenario: Azure Virtual Desktop |
| SC.L2-3.13.11 (FIPS Encryption) | Intune (BitLocker FIPS Policy) | OIB Deployment |
| SC.L2-3.13.16 (Data at Rest) | Purview Information Protection (Encryption) | Sensitivity Labels |
| SYSTEM & INFORMATION INTEGRITY (SI) | | |
| SI.L2-3.14.1 (Flaw Remediation) | Intune (Windows Autopatch/Updates) | OIB Deployment |
| SI.L2-3.14.2 (Malicious Code) | Defender Antivirus | Threat Defense |
| SI.L2-3.14.4 (Malicious Code Protection Updates) | MDE platform and signature updates managed by Microsoft — no separate update infrastructure required | Defender for Endpoint |
| SI.L2-3.14.7 (Identify Unauthorized Use) | MDE behavioral analytics and anomaly detection — surfaces unexpected process execution, lateral movement, and data exfiltration patterns | Defender for Endpoint |
NIST SP 800-171 Rev. 3 Controls (Commercial)
This matrix maps commercial Microsoft 365 capabilities to NIST SP 800-171 Rev. 3 security requirements. Organizations may voluntarily align to this framework for structured security program management. Control identifiers follow the Rev. 3 numbering; verify against NIST SP 800-171 Rev. 3 for the authoritative text.
| NIST SP 800-171 Rev. 3 Requirement | Microsoft 365 Technology | Book Reference |
|---|---|---|
| ACCESS CONTROL (AC) | | |
| 3.1.1 (Authorized Access) | Entra ID (Conditional Access) | Conditional Access Policies |
| 3.1.2 (Access Enforcement) | Entra ID Conditional Access enforcing approved access authorizations at sign-in; Microsoft 365 role-based access control | Conditional Access Policies |
| 3.1.3 (Information Flow Control) | Teams (Private Channels), Exchange Online | Secure Collaboration |
| 3.1.5 (Least Privilege) | Entra ID PIM (Just-in-Time Access) | Access Governance |
| 3.1.12 (Remote Access) | Azure Virtual Desktop or Conditional Access with compliant-device requirement; Entra PIM with phishing-resistant MFA and Azure Bastion / AVD Virtual Machine Administrator Login for privileged sessions | Scenario: Azure Virtual Desktop |
| 3.1.16 (Wireless Access) | Intune (Wi-Fi Configuration Profiles) | OIB Deployment — Wi-Fi Configuration |
| 3.1.18 (Mobile Devices) | Intune (MAM/MDM) | Mobile Device Management & App Protection |
| AWARENESS & TRAINING (AT) | | |
| 3.2.1 (Literacy Training and Awareness) | Defender for Office 365 (Attack Simulation Training) | Threat Defense |
| AUDIT & ACCOUNTABILITY (AU) | | |
| 3.3.1 (System Auditing) | Microsoft Sentinel, Purview Audit | SIEM Strategy |
| 3.3.2 (Audit Record Content) | Entra ID (Sign-in Logs) | Identity Foundation |
| 3.3.5 (Audit Analysis) | Microsoft Sentinel (Analytics Rules) | SIEM Strategy |
| 3.3.7 (Audit Retention) | Azure Storage (Diagnostic Settings) | Audit Readiness |
| CONFIGURATION MANAGEMENT (CM) | | |
| 3.4.1 (Baseline Configuration) | Intune (Device Compliance Policies) | OIB Deployment |
| 3.4.6 (Least Functionality) | MDE Attack Surface Reduction (ASR) Rules — blocks execution of unnecessary system features and living-off-the-land binaries | Defender for Endpoint |
| 3.4.8 (Authorized Software — Allow by Exception) | Defender for Endpoint (Software Inventory); Intune (Endpoint Privilege Management) | Threat Defense, OIB Deployment |
| IDENTIFICATION & AUTHENTICATION (IA) | | |
| 3.5.1 (Identification) | Entra ID (User Accounts) | Identity Foundation |
| 3.5.3 (Multifactor Authentication) | Entra ID (Conditional Access) | Conditional Access Policies |
| 3.5.7 (Password Complexity) | Entra ID (Password Protection, banned-password list) | Identity Foundation |
| 3.5.12 (Authenticator Management) | Windows Hello for Business (TPM-bound, phishing-resistant credential lifecycle — control added in Rev. 3) | Phishing-Resistant Authentication |
| INCIDENT RESPONSE (IR) | | |
| 3.6.1 (Incident Handling) | Microsoft Sentinel (Incident Management); MDE automated investigation and response | SIEM Strategy, Defender for Endpoint |
| 3.6.2 (Incident Reporting) | Defender XDR (Alerts and incident timeline) | Threat Defense, Defender for Endpoint |
| MAINTENANCE (MA) | | |
| 3.7.5 (Remote Maintenance MFA) | Entra PIM with Conditional Access requiring phishing-resistant MFA for privileged remote sessions | Identity Foundation |
| MEDIA PROTECTION (MP) | | |
| 3.8.1 (Media Protection) | BitLocker (Intune Policy) | OIB Deployment |
| 3.8.7 (Portable Storage Devices) | Defender for Endpoint (Device Control) | Threat Defense |
| PERSONNEL SECURITY (PS) | | |
| 3.9.2 (Personnel Termination) | Entra ID (Account disable, token revocation, access package removal) | Identity Foundation |
| PHYSICAL PROTECTION (PE) | | |
| 3.10.1 (Physical Access to Systems) | Microsoft Azure datacenter physical controls (SOC 2 Type II, ISO 27001 certified facilities) | Virtual Desktop Strategy |
| RISK ASSESSMENT (RA) | | |
| 3.11.2 (Vulnerability Scanning) | Defender Vulnerability Management | Threat Defense |
| SECURITY ASSESSMENT (CA) | | |
| 3.12.1 (Security Controls Assessment) | Compliance Manager / Secure Score | Audit Readiness |
| 3.12.3 (Continuous Monitoring) | Microsoft Sentinel; MDE Secure Score and device health reports | SIEM Strategy, Defender for Endpoint |
| SYSTEM & COMMUNICATIONS PROTECTION (SC) | | |
| 3.13.1 (Boundary Protection) | Azure Firewall or NSG with deny-all default; FQDN-based egress filtering; Azure Virtual Network with private endpoints and no public IP exposure for internal workloads (subnetworks) | Threat Defense, Scenario: Azure Virtual Desktop |
| 3.13.8 (Transmission and Storage Confidentiality) | TLS 1.2+ enforced by Microsoft 365 defaults and Conditional Access blocking legacy authentication (in transit); Purview Information Protection sensitivity label-based encryption (at rest) | Secure Collaboration, Sensitivity Labels |
| 3.13.11 (Cryptographic Protection) | Intune (BitLocker AES-256, FIPS-validated cryptographic module policy) | OIB Deployment |
| SYSTEM & INFORMATION INTEGRITY (SI) | | |
| 3.14.1 (Flaw Remediation) | Intune (Windows Update / Autopatch rings) | OIB Deployment |
| 3.14.2 (Malicious Code Protection) | Microsoft Defender Antivirus — protection mechanisms plus Microsoft-managed platform and signature updates | Threat Defense, Defender for Endpoint |
| 3.14.6 (System Monitoring) | MDE behavioral analytics and anomaly detection — surfaces unexpected process execution, lateral movement, and data exfiltration patterns | Defender for Endpoint |