Appendix A: Compliance Controls
CMMC Level 2 Controls (GCC High)
This matrix maps technical implementation to Microsoft 365 capabilities. Administrative controls (Policy, HR, Physical Security) are noted where specific Microsoft technologies support them.
Author's Note on NIST Versions
You may notice that NIST has labeled SP 800-171 Rev 2 as "Withdrawn" in favor of Rev 3. For CMMC Level 2 compliance, Revision 2 remains the mandatory standard. The DoD's CMMC Final Rule (32 CFR Part 170) specifically mandates Rev 2. All technical configurations in this book — including Entra ID Conditional Access and Intune Device Compliance — are designed to meet the Rev 2 assessment objectives.
| CMMC Practice | Microsoft Technology | Book Reference |
|---|---|---|
| ACCESS CONTROL (AC) | ||
| AC.L2-3.1.1 (Authorized Access) | Entra ID (Conditional Access) | Conditional Access Policies |
| AC.L2-3.1.2 (Transaction Recovery) | Entra ID (Logs), Purview Audit | Audit Readiness |
| AC.L2-3.1.3 (CUI Flow Control) | Teams (Private Channels), Exchange | Secure Collaboration |
| AC.L2-3.1.5 (Least Privilege) | Entra ID PIM (Just-in-Time Access) | Access Governance |
| AC.L2-3.1.14 (Remote Access) | Azure Virtual Desktop (AVD Gateway as the single managed remote access point — no direct RDP, no VPN required for CUI access) | Scenario: Azure Virtual Desktop |
| AC.L2-3.1.15 (Privileged Remote Access) | Azure Virtual Desktop (Virtual Machine Administrator Login role — restricts privileged console access to named admin accounts, logged in Entra sign-in logs) | Scenario: Azure Virtual Desktop |
| AC.L2-3.1.16 (Wireless Access) | Intune (Wi-Fi Config Profiles) | Mobile & Endpoint Security |
| AC.L2-3.1.18 (Mobile Devices) | Intune (MAM/MDM) | Mobile & Endpoint Security |
| AWARENESS & TRAINING (AT) | ||
| AT.L2-3.2.2 (Insider Threat) | Defender for Office 365 (Simulations) | Threat Defense |
| AUDIT & ACCOUNTABILITY (AU) | ||
| AU.L2-3.3.1 (System Auditing) | Microsoft Sentinel, Purview Audit | SIEM Strategy |
| AU.L2-3.3.2 (User Accountability) | Entra ID (Sign-in Logs) | Identity Foundation |
| AU.L2-3.3.5 (Audit Analysis) | Microsoft Sentinel (Analytics Rules) | SIEM Strategy |
| AU.L2-3.3.7 (Audit Retention) | Azure Storage (Diagnostic Settings) | Audit Readiness |
| CONFIGURATION MANAGEMENT (CM) | ||
| CM.L2-3.4.1 (Baseline Config) | Intune (Device Compliance Policies); Entra ID device object hygiene (accurate inventory of managed endpoints) | Mobile & Endpoint Security, Entra Device Hygiene |
| CM.L2-3.4.6 (Least Functionality) | MDE Attack Surface Reduction (ASR) Rules — blocks execution of unnecessary system features and living-off-the-land binaries | Defender for Endpoint |
| CM.L2-3.4.7 (Unauthorized Software) | Defender for Endpoint (Software Inventory) | Threat Defense |
| CM.L2-3.4.9 (User-Installed Software) | Intune (Endpoint Privilege Management) | Foundational Architecture & Design |
| IDENTIFICATION & AUTHENTICATION (IA) | ||
| IA.L2-3.5.1 (Identification) | Entra ID (User Accounts) | Identity Foundation |
| IA.L2-3.5.3 (MFA) | Entra ID (Conditional Access) | Conditional Access Policies |
| IA.L2-3.5.7 (Password Complexity) | Entra ID (Password Protection) | Identity Foundation |
| INCIDENT RESPONSE (IR) | ||
| IR.L2-3.6.1 (Incident Handling) | Microsoft Sentinel (Incident Management); MDE Incidents and automated investigation provide the response workflow | SIEM Strategy, Defender for Endpoint |
| IR.L2-3.6.2 (Incident Reporting) | Defender XDR (Alerts); MDE incident timeline and audit log satisfy documentation requirements | Threat Defense, Defender for Endpoint |
| MAINTENANCE (MA) | ||
| MA.L2-3.7.5 (Remote Maintenance) | Azure Virtual Desktop (Secure Admin Workstations — Virtual Machine Administrator Login gated by phishing-resistant CA) | Virtual Desktop Strategy, Scenario: Azure Virtual Desktop |
| MEDIA PROTECTION (MP) | ||
| MP.L2-3.8.1 (Media Protection) | BitLocker (Intune Policy) | Mobile & Endpoint Security |
| MP.L2-3.8.7 (Portable Storage) | Defender for Endpoint (Device Control) | Threat Defense |
| PERSONNEL SECURITY (PS) | ||
| PS.L2-3.9.2 (Personnel Termination) | Entra ID (Account Disable/Revocation) | Identity Foundation |
| PHYSICAL PROTECTION (PE) | ||
| PE.L2-3.10.1 (Physical Access) | Azure Virtual Desktop (CUI never touches end-user hardware — users see only a rendered screen; data remains in Azure Government FedRAMP High datacenters) | Virtual Desktop Strategy, Scenario: Azure Virtual Desktop |
| RISK ASSESSMENT (RA) | ||
| RA.L2-3.11.2 (Vulnerability Scan) | Defender Vulnerability Management | Threat Defense |
| SECURITY ASSESSMENT (CA) | ||
| CA.L2-3.12.1 (Security Controls) | Compliance Manager / Secure Score | Audit Readiness |
| CA.L2-3.12.3 (Continuous Monitoring) | Microsoft Sentinel; MDE Secure Score, device health reports, and alert pipeline provide continuous monitoring evidence | SIEM Strategy, Defender for Endpoint |
| SYSTEM & COMMUNICATIONS (SC) | ||
| SC.L2-3.13.1 (Network Boundary Monitoring) | Azure Firewall (deny-all with explicit allow rules, FQDN-based egress control for AVD session hosts) | AVD Firewall Reference, Scenario: Azure Virtual Desktop |
| SC.L2-3.13.5 (Subnetworks / No Public Exposure) | Azure Virtual Desktop (session hosts have no public IPs; inbound via AVD Gateway service tag only; outbound via Azure Firewall UDR) | Scenario: Azure Virtual Desktop |
| SC.L2-3.13.8 (Data in Transit) | TLS 1.2+ (Office 365 Defaults); AVD Gateway enforces TLS on all RDP sessions | Secure Collaboration, Scenario: Azure Virtual Desktop |
| SC.L2-3.13.11 (FIPS Encryption) | Intune (BitLocker FIPS Policy) | Mobile & Endpoint Security |
| SC.L2-3.13.16 (Data at Rest) | Purview Information Protection (Encryption) | Sensitivity Labels |
| SYSTEM & INFORMATION INTEGRITY (SI) | ||
| SI.L2-3.14.1 (Flaw Remediation) | Intune (Windows Autopatch/Updates) | Mobile & Endpoint Security |
| SI.L2-3.14.2 (Malicious Code) | Defender Antivirus | Threat Defense |
| SI.L2-3.14.4 (Malicious Code Protection Updates) | MDE platform and signature updates managed by Microsoft — no separate update infrastructure required | Defender for Endpoint |
| SI.L2-3.14.7 (Identify Unauthorized Use) | MDE behavioral analytics and anomaly detection — surfaces unexpected process execution, lateral movement, and data exfiltration patterns | Defender for Endpoint |
NIST SP 800-171 Rev. 3 Controls (Commercial)
This matrix maps commercial Microsoft 365 capabilities to NIST SP 800-171 Rev. 3 security requirements. Organizations may voluntarily align to this framework for structured security program management. Control identifiers follow the Rev. 3 numbering; verify against NIST SP 800-171 Rev. 3 for the authoritative text.
| NIST SP 800-171 Rev. 3 Requirement | Microsoft 365 Technology | Book Reference |
|---|---|---|
| ACCESS CONTROL (AC) | ||
| 3.1.1 (Authorized Access) | Entra ID (Conditional Access) | Conditional Access Policies |
| 3.1.2 (Transaction Recovery) | Entra ID (Logs), Purview Audit | Audit Readiness |
| 3.1.3 (Information Flow Control) | Teams (Private Channels), Exchange Online | Secure Collaboration |
| 3.1.5 (Least Privilege) | Entra ID PIM (Just-in-Time Access) | Access Governance |
| 3.1.14 (Remote Access) | Azure Virtual Desktop or Conditional Access with compliant-device requirement | Scenario: Azure Virtual Desktop |
| 3.1.15 (Privileged Remote Access) | Entra PIM with phishing-resistant MFA; Azure Bastion or AVD Virtual Machine Administrator Login | Scenario: Azure Virtual Desktop |
| 3.1.16 (Wireless Access) | Intune (Wi-Fi Configuration Profiles) | Mobile & Endpoint Security |
| 3.1.18 (Mobile Devices) | Intune (MAM/MDM) | Mobile & Endpoint Security |
| AWARENESS & TRAINING (AT) | ||
| 3.2.2 (Insider Threat Awareness) | Defender for Office 365 (Attack Simulation Training) | Threat Defense |
| AUDIT & ACCOUNTABILITY (AU) | ||
| 3.3.1 (System Auditing) | Microsoft Sentinel, Purview Audit | SIEM Strategy |
| 3.3.2 (User Accountability) | Entra ID (Sign-in Logs) | Identity Foundation |
| 3.3.5 (Audit Analysis) | Microsoft Sentinel (Analytics Rules) | SIEM Strategy |
| 3.3.7 (Audit Retention) | Azure Storage (Diagnostic Settings) | Audit Readiness |
| CONFIGURATION MANAGEMENT (CM) | ||
| 3.4.1 (Baseline Configuration) | Intune (Device Compliance Policies) | Mobile & Endpoint Security |
| 3.4.6 (Least Functionality) | MDE Attack Surface Reduction (ASR) Rules — blocks execution of unnecessary system features and living-off-the-land binaries | Defender for Endpoint |
| 3.4.7 (Unauthorized Software) | Defender for Endpoint (Software Inventory) | Threat Defense |
| 3.4.9 (User-Installed Software) | Intune (Endpoint Privilege Management) | Mobile & Endpoint Security |
| IDENTIFICATION & AUTHENTICATION (IA) | ||
| 3.5.1 (Identification) | Entra ID (User Accounts) | Identity Foundation |
| 3.5.3 (Multifactor Authentication) | Entra ID (Conditional Access) | Conditional Access Policies |
| 3.5.7 (Password Complexity) | Entra ID (Password Protection, banned-password list) | Identity Foundation |
| 3.5.12 (Replay-Resistant Authentication) | Windows Hello for Business (TPM-bound, phishing-resistant credential — added in Rev. 3) | Phishing-Resistant Authentication |
| INCIDENT RESPONSE (IR) | ||
| 3.6.1 (Incident Handling) | Microsoft Sentinel (Incident Management); MDE automated investigation and response | SIEM Strategy, Defender for Endpoint |
| 3.6.2 (Incident Reporting) | Defender XDR (Alerts and incident timeline) | Threat Defense, Defender for Endpoint |
| MAINTENANCE (MA) | ||
| 3.7.5 (Remote Maintenance MFA) | Entra PIM with Conditional Access requiring phishing-resistant MFA for privileged remote sessions | Identity Foundation |
| MEDIA PROTECTION (MP) | ||
| 3.8.1 (Media Protection) | BitLocker (Intune Policy) | Mobile & Endpoint Security |
| 3.8.7 (Portable Storage Devices) | Defender for Endpoint (Device Control) | Threat Defense |
| PERSONNEL SECURITY (PS) | ||
| 3.9.2 (Personnel Termination) | Entra ID (Account disable, token revocation, access package removal) | Identity Foundation |
| PHYSICAL PROTECTION (PE) | ||
| 3.10.1 (Physical Access to Systems) | Microsoft Azure datacenter physical controls (SOC 2 Type II, ISO 27001 certified facilities) | Virtual Desktop Strategy |
| RISK ASSESSMENT (RA) | ||
| 3.11.2 (Vulnerability Scanning) | Defender Vulnerability Management | Threat Defense |
| SECURITY ASSESSMENT (CA) | ||
| 3.12.1 (Security Controls Assessment) | Compliance Manager / Secure Score | Audit Readiness |
| 3.12.3 (Continuous Monitoring) | Microsoft Sentinel; MDE Secure Score and device health reports | SIEM Strategy, Defender for Endpoint |
| SYSTEM & COMMUNICATIONS PROTECTION (SC) | ||
| 3.13.1 (Network Boundary Protection) | Azure Firewall or NSG with deny-all default; FQDN-based egress filtering for workloads | Threat Defense |
| 3.13.5 (Subnetworks) | Azure Virtual Network with private endpoints; no public IP exposure for internal workloads | Scenario: Azure Virtual Desktop |
| 3.13.8 (Cryptographic Protection in Transit) | TLS 1.2+ enforced by Microsoft 365 defaults; Conditional Access blocks legacy authentication | Secure Collaboration |
| 3.13.11 (FIPS Cryptography) | Intune (BitLocker AES-256, FIPS-validated cryptographic module policy) | Mobile & Endpoint Security |
| 3.13.16 (Confidentiality at Rest) | Purview Information Protection (sensitivity label-based encryption) | Sensitivity Labels |
| SYSTEM & INFORMATION INTEGRITY (SI) | ||
| 3.14.1 (Flaw Remediation) | Intune (Windows Update / Autopatch rings) | Mobile & Endpoint Security |
| 3.14.2 (Malicious Code Protection) | Microsoft Defender Antivirus | Threat Defense |
| 3.14.4 (Malicious Code Updates) | MDE platform and signature updates managed by Microsoft — no separate update infrastructure required | Defender for Endpoint |
| 3.14.7 (Identify Unauthorized Use) | MDE behavioral analytics and anomaly detection — surfaces unexpected process execution, lateral movement, and data exfiltration patterns | Defender for Endpoint |