Compliance Manager Assessment
Purview Compliance Manager provides assessment templates that map Microsoft 365 configuration actions to specific compliance framework controls. Each assessment identifies Microsoft-managed controls (Microsoft's responsibility as the cloud provider) and customer-managed controls (your organization's responsibility as the tenant administrator).
Navigate to Purview Compliance Portal > Compliance Manager > Assessments and create a new assessment using the template for your framework.
CMMC Level 2 Assessment
Create a new assessment using the CMMC Level 2 template.
The CMMC Level 2 assessment in Compliance Manager maps to NIST SP 800-171 Rev. 2 controls — consistent with the DoD CMMC Final Rule mandate. It does not constitute a formal CMMC assessment or C3PAO audit, but serves as an internal readiness measurement tool and evidence repository for your SSP.
Priority Customer-Managed Actions: Data Protection — CMMC Level 2
The following are the highest-priority customer-managed action items in the CMMC Level 2 assessment addressed by Purview configuration, corresponding to the controls in Section 11-1: Data Protection Requirements.
| Action Item | CMMC Control | Purview Implementation | Evidence |
|---|---|---|---|
| Implement data classification and labeling | AC.L2-3.1.3 | Sensitivity labels with CUI scope published to users and applied via auto-labeling policies in SharePoint, OneDrive, and Exchange | Purview Content Explorer — labeled item count by label; Activity Explorer — label-applied events |
| Encrypt CUI at rest | SC.L2-3.13.16 | Sensitivity labels (CUI, SP-CTI, SP-EXPT) configured with AES-256 encryption restricting access to tenant-internal identities | Compliance Manager improvement action status; Purview Activity Explorer — protection-applied events |
| Enforce FIPS-validated cryptography | SC.L2-3.13.11 | Microsoft's FIPS 140-2 validated cryptographic modules underpin sensitivity label encryption in GCC High — no additional configuration required | Reference Microsoft's FIPS 140-2 cryptographic module validation certificates in your SSP |
| Implement data loss prevention for CUI | AC.L2-3.1.3 | DLP policies in Exchange, Teams, SharePoint, and OneDrive blocking external sharing of CUI-labeled or CUI-matching content | DLP policy match reports; Purview DLP Alerts — override and incident review |
| Control removable media for CUI | MP.L2-3.8.1, MP.L2-3.8.7 | Intune Device Control XML (Chapter 10) restricts USB write access; Purview Endpoint DLP policy blocks copy of labeled content to removable media | MDE Device Control events (Advanced Hunting); Purview Endpoint DLP alerts |
Classify & Protect: Setup Steps — CMMC
- [ ] Create the label taxonomy from Section 11-1: Public, Internal, CUI, CUI // SP-CTI, CUI // SP-EXPT.
- [ ] Configure encryption on CUI, SP-CTI, and SP-EXPT labels. Restrict decryption to your tenant's Entra ID groups representing CUI-authorized personnel.
- [ ] Publish labels to all users with a default label policy. Set Internal as the document default; require justification to downgrade from CUI.
- [ ] Enable auto-labeling for Exchange and SharePoint using built-in Sensitive Information Types for CUI categories (e.g., U.S. export-controlled content, DoD contract numbers).
- [ ] Enable container labels on SharePoint sites and Teams used for CUI — enforce private membership, external sharing off, and unmanaged device restrictions.
Detect & Enforce: DLP Setup Steps — CMMC
- [ ] Create DLP policies for Exchange, SharePoint, OneDrive, and Teams:
  - Block or encrypt external sharing of CUI-labeled content.
  - Require business justification + manager approval for overrides.
  - Show policy tips in-client; notify the security team on incidents.
- [ ] Enable Endpoint DLP on managed Windows devices:
  - Control copy-to-USB, print, clipboard, and browser upload when content matches CUI labels or Sensitive Information Types.
  - Block sync to personal cloud storage (consumer OneDrive, Google Drive, Dropbox).
Improvement Score Expectations — CMMC Level 2
A newly provisioned GCC High M365 tenant typically scores 30–40% on the CMMC Level 2 assessment before customer configuration — the Microsoft-managed controls (datacenter physical security, platform encryption, service availability) are already credited. After deploying the configurations in this book (Conditional Access, Intune baselines, Defender, and Purview labels/DLP), expect 60–75% score. The remaining gap is typically administrative controls — policy documentation, physical security attestations, and personnel security actions — that Compliance Manager cannot verify programmatically and must be manually attested.
NIST SP 800-171 Assessment
Create a new assessment using the NIST 800-171 template.
Compliance Manager includes a NIST SP 800-171 assessment template. If the template reflects Rev. 2, the control mappings are substantively the same as Rev. 3 for the Purview data protection domain covered in this chapter — the customer action items apply to both revisions. Verify the template version in the assessment detail view and note the revision in your security plan documentation.
Priority Customer-Managed Actions: Data Protection — NIST SP 800-171
The following are the highest-priority customer-managed action items in the NIST 800-171 assessment addressed by Purview configuration, corresponding to the controls in Section 11-1: Data Protection Requirements.
| Action Item | NIST SP 800-171 Rev. 3 Requirement | Purview Implementation | Evidence |
|---|---|---|---|
| Implement data classification and labeling | 3.1.3 (Information Flow Control) | Sensitivity labels published to all users and applied via auto-labeling policies in SharePoint, OneDrive, and Exchange | Purview Content Explorer — labeled item count by label; Activity Explorer — label-applied events |
| Encrypt sensitive data at rest | 3.13.16 (Confidentiality at Rest) | Confidential and Highly Confidential labels configured with AES-256 encryption restricting access to tenant-internal identities | Compliance Manager improvement action status; Activity Explorer — protection-applied events |
| Use FIPS-validated cryptography | 3.13.11 (FIPS Cryptography) | Microsoft's FIPS 140-2 validated cryptographic modules underpin sensitivity label encryption by default in Microsoft 365 | Reference Microsoft's FIPS 140-2 cryptographic module validation certificates in your security plan |
| Implement data loss prevention | 3.1.3 (Information Flow Control) | DLP policies in Exchange, Teams, SharePoint, and OneDrive blocking external sharing of Highly Confidential-labeled or sensitive content | DLP policy match reports; Purview DLP Alerts — override and incident review |
| Control removable media | 3.8.1, 3.8.7 (Media Protection) | Intune Device Control restricts USB write access; Purview Endpoint DLP blocks copy of sensitive labeled content to removable storage | MDE Device Control events (Advanced Hunting); Purview Endpoint DLP alerts |
Classify & Protect: Setup Steps — NIST
- [ ] Create the label taxonomy from Section 11-1: Public, General, Confidential, Highly Confidential.
- [ ] Configure encryption on the Highly Confidential label. Restrict decryption to your tenant's Entra ID groups. Optionally enable encryption on Confidential for content shared externally.
- [ ] Publish labels to all users with a default label policy. Set General as the document default; require justification to downgrade from Confidential.
- [ ] Enable auto-labeling for Exchange and SharePoint using built-in Sensitive Information Types (credit card numbers, SSNs, passport numbers, health record patterns) and any custom patterns relevant to your business.
- [ ] Enable container labels on SharePoint sites and Teams used for Highly Confidential content — enforce private membership and disable external sharing.
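The label taxonomy steps above, and the CMMC equivalent earlier in this chapter (substitute the Internal, CUI, CUI // SP-CTI and CUI // SP-EXPT names), scripted with Security & Compliance PowerShell as an added example that is not the book's own; the ExchangeOnlineManagement module, the group address and the label names are assumptions.

```powershell
# Added example, not from the book: builds the Section 11-1 NIST label taxonomy with
# Security & Compliance PowerShell. Assumptions: the ExchangeOnlineManagement module
# is installed, and the group address is a placeholder for your authorized Entra ID group.
# CMMC tenants: substitute the Internal / CUI / CUI // SP-CTI / CUI // SP-EXPT names.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # commercial endpoint; GCC High tenants pass the .us ConnectionUri

$authorizedGroup = "hc-authorized@contoso.example"   # placeholder mail-enabled security group
$rights = "VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Unencrypted labels: Public, and General (the document default)
New-Label -Name "Public"  -DisplayName "Public"  -Tooltip "Approved for release" -ContentType "File, Email"
New-Label -Name "General" -DisplayName "General" -Tooltip "Routine business"     -ContentType "File, Email"

# Confidential: header marking only; encryption stays optional per the checklist
New-Label -Name "Confidential" -DisplayName "Confidential" -Tooltip "Limited distribution" `
    -ContentType "File, Email" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL"

# Highly Confidential: encrypted, decryption limited to the authorized group, rights never
# expire, 7-day offline cache. The same label also scopes sites and Teams (container label)
# and forces private membership with external sharing disabled.
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" -Tooltip "Restricted" `
    -ContentType "File, Email, Site, UnifiedGroup" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${authorizedGroup}:${rights}" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7 `
    -SiteAndGroupProtectionEnabled $true -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupExternalSharingControlType Disabled

# Publish to everyone. The default label (General) and the justification-on-downgrade
# requirement are then set on this policy's settings page in the Purview portal.
New-LabelPolicy -Name "Global Sensitivity Labels" -ExchangeLocation All `
    -Labels "Public","General","Confidential","HighlyConfidential"

# Evidence check: list what exists and which scopes each label covers
Get-Label | Format-Table DisplayName, ContentType
```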
Detect & Enforce: DLP Setup Steps — NIST
- [ ] Create DLP policies for Exchange, SharePoint, OneDrive, and Teams:
  - Block or encrypt external sharing of Highly Confidential content.
  - Require business justification for overrides on Confidential content sent externally.
  - Show policy tips in-client; notify the security team on incidents involving high-confidence sensitive information type matches.
- [ ] Enable Endpoint DLP on managed Windows devices:
  - Audit or block copy-to-USB and browser upload when content matches Highly Confidential labels.
  - Block sync to personal cloud storage (consumer OneDrive, Google Drive, Dropbox).
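The DLP steps above, and the CMMC equivalent earlier in this chapter (substitute the CUI label names and leave overrides off for CUI), as an added PowerShell example that is not the book's own; an existing Connect-IPPSSession session, the label names and the notification mailbox are assumptions.

```powershell
# Added example, not from the book: DLP policies and rules for the Section 11-1 steps.
# Assumptions: Connect-IPPSSession has already been run, the label names match the
# taxonomy, and the mailbox below is a placeholder for your security team.
$securityTeam = "secops@contoso.example"   # placeholder incident-report recipient

# Helper: condition hashtable that matches content carrying a given sensitivity label
function LabelCondition([string]$LabelName) {
    @{ operator = "And"; groups = @(
        @{ name = "$LabelName group"; operator = "Or";
           labels = @( @{ name = $LabelName; type = "Sensitivity" } ) } ) }
}

# Workload policy. Start in test mode with policy tips; switch -Mode Enable after review.
New-DlpCompliancePolicy -Name "Protect Highly Confidential" -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All

# Rule 1: Highly Confidential content leaving the organization is blocked, no override
New-DlpComplianceRule -Name "Block external HC" -Policy "Protect Highly Confidential" `
    -ContentContainsSensitiveInformation (LabelCondition "HighlyConfidential") `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Highly Confidential content cannot be shared externally." `
    -GenerateIncidentReport $securityTeam -IncidentReportContent All -ReportSeverityLevel High

# Rule 2: Confidential content sent externally needs a business justification to override
New-DlpComplianceRule -Name "Justify external Confidential" -Policy "Protect Highly Confidential" `
    -ContentContainsSensitiveInformation (LabelCondition "Confidential") `
    -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $securityTeam -ReportSeverityLevel Medium

# Rule 3: high-confidence built-in SIT matches on unlabeled content alert without blocking
New-DlpComplianceRule -Name "Alert high-confidence SIT" -Policy "Protect Highly Confidential" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; minConfidence = "85" },
        @{ Name = "Credit Card Number";               minCount = "1"; minConfidence = "85" } ) `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport $securityTeam -ReportSeverityLevel Low

# Endpoint DLP: separate device-scoped policy; block USB copy and browser upload, audit print
New-DlpCompliancePolicy -Name "Endpoint Highly Confidential" -Mode Enable -EndpointDlpLocation All
New-DlpComplianceRule -Name "Endpoint HC restrictions" -Policy "Endpoint Highly Confidential" `
    -ContentContainsSensitiveInformation (LabelCondition "HighlyConfidential") `
    -EndpointDlpRestrictions @(
        @{ Setting = "RemovableMedia"; Value = "Block" },
        @{ Setting = "CloudEgress";    Value = "Block" },
        @{ Setting = "Print";          Value = "Audit" } )
```

Blocking sync to personal cloud storage is a separate endpoint setting (service domain and app restrictions) and is not covered by the rules above.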
Improvement Score Expectations — NIST SP 800-171
A newly provisioned commercial M365 tenant typically scores 40–50% on the NIST 800-171 assessment before customer configuration — higher than a new GCC High tenant because several commercial defaults align with NIST requirements. After deploying the configurations in this book (Conditional Access, Intune baselines, Defender, and Purview labels/DLP), expect 65–80% score. The remaining gap is typically administrative and physical controls — policy documentation and personnel security actions — that require attestation rather than technical configuration.