Working with the Department of Defense? You’ll need to get certified.

Discover how Microsoft provides the most trusted and comprehensive platform to help you get CMMC certified, irrespective of the requirement, from Level 1 to Level 3.

overview

Cybersecurity Maturity Model Certification (CMMC)

What is CMMC?

A unified US DoD standard for implementing cybersecurity. It establishes three certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure for safeguarding sensitive government information.

Why CMMC?

Enhance the protection of unclassified information within the supply chain to strengthen the security and resiliency of the Defense Industrial Base (DIB) sector against cyberattacks.

Who needs to be certified?

All customers and prospects in the entire DIB supply chain of commercial contractors. The CMMC standard and certification will be a DoD contractual requirement and a condition for award.

Why Microsoft?

The most trusted and comprehensive cloud for compliance and innovation

Most Trusted Cloud

    100+ Compliance offerings – most coverage of any cloud service provider, along with dedicated advanced infrastructure for US government.

Comprehensive

    AI-powered solutions across cloud, business applications, and productivity, combined with world-class security and seamless scalability.

End-to-end protection

    Integrated and most comprehensive security and compliance capabilities across apps, endpoints, e-mail, identity, data, and cloud.

Our offerings

Microsoft cloud service offerings

Microsoft 365

Microsoft 365 for Enterprise

Get the power of a secure, comprehensive, AI-powered cloud solution to run your business from anywhere. Complies with CMMC Level 1 and FedRAMP High for some services.

Microsoft 365 GCC

Achieve compliance with FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS) and DISA Cloud Computing Security Requirement Guide (CC SRG) Impact Level 2.

Microsoft 365 GCC High and DoD

Achieve compliance with CMMC Level 2 and 3, FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), DISA Cloud Computing Security Requirement Guide (CC SRG) Impact Level 4, and International Traffic in Arms Regulations (ITAR).

True end-to-end protection for your CMMC compliance requirements

Multi-cloud
Microsoft Defender
Multi-platform

Defend against cyberthreats and safeguard business data

Defend against phishing and ransomware across apps and devices, and protect confidential business information.

Protect identities and secure remote access

Grant secure access to apps and data over any network, protect and verify each identity, and right-size permissions.

Manage work data on personal and company-owned devices

Streamline onboarding and manage phones, tablets, and computers that connect to your business data.

Enable data security, governance, and compliance

Confidently understand your data, secure it wherever it leaves, and enable ease of investigation.

Microsoft Product Placement for CMMC

Discover how Microsoft cloud products and services satisfy requirements for CMMC practices

Download the Microsoft Product Placement for CMMC
Partner Offers

Take the next step with our partner offerings

Accelerate your journey with proven strategy, extensive assessment, and rapid deployment capabilities of our partners

CMMC Implementation for Microsoft 365 (8 Wk Proj)

Summit 7 Systems, Inc

Microsoft 365 CMMC: 4-Wk Workshop

KMicro Tech, Inc.

Microsoft 365 E5 CMMC L3 8 Week Implementation

KAMIND IT, Inc

CMMC Advisory Workshop

RSM

CMMC Compliance with Microsoft 365: 4 wk impl.

Insight

CMMC Compliance: 4 week Workshop

Sirius Computer Solutions

AgileAscend: Microsoft 365 GCC High Implementation for CMMC Compliance

Agile IT

CMMC Workshop: 2-Hour Free Discovery Workshop

Coretek Services

Resources

Check our resources

Accelerating CMMC compliance for Microsoft cloud
Blog

Microsoft CMMC Acceleration Program Update
Blog

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government
Blog

Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings
Blog

The Microsoft 365 Government GCC High Conundrum - DIB Data Enclave vs. Going All in
Blog

Microsoft expands qualification of contractors for government cloud offerings
Blog

Lessons learned from a joint surveillance voluntary assessment for CMMC
Blog

FAQ

Frequently asked questions

1. I can just stay on-premises. Why do I need to move to the cloud?

This approach depends on your confidence that you can achieve compliance while remaining on-premises (e.g., keeping email, file servers, etc.) and demonstrate it at a reasonable cost. Consider whether you need users to access data from anywhere. We find that the cost is astronomical, and the complexity of managing and operating on-premises is likely too burdensome while scaling the business.

2. Microsoft 365 GCC is good enough. Why do I need Microsoft 365 GCC High?

CMMC compliance can be expensive, and Microsoft has a purpose-built platform in GCC High to help organizations achieve requirements from the DoD. GCC is not suitable to hold CUI Specified (e.g., ITAR, Nuclear, etc.). This type of data requires US sovereignty, which is only offered by GCC High.

3. Microsoft 365 GCC High/GCC lacks feature parity with Commercial. Should I still invest in Microsoft 365 GCC High?

Federal, State, and Local US Government agencies, as well as commercial companies, holding Controlled Unclassified Information (CUI), Criminal Justice Information (CJIS), and export-controlled data (ITAR/EAR) find that the Microsoft 365 Government Cloud offers the most robust set of capabilities while meeting necessary regulatory controls. Some of the parity items are by design because you need to apply concepts like zero trust from the start.

4. I don't work with the government or Department of Defense. Do I still need CMMC certification?

Not working with government or DoD contracts doesn’t necessarily mean that you don’t need CMMC compliance. The basic principles of CMMC compliance relate to proactive and consistent security best practices. In addition, CMMC might still apply because you might provide a service to companies that need to comply with CMMC. This means they will flow down the requirements to you.

5. I have existing in-house products (non-Microsoft). Why should I invest in Microsoft products?

We find that a lot of organizations use a variety of security and collaboration products. But managing that system/compliance boundary is difficult and increases risk. The G3 and G5 packages already include security and compliance capabilities that natively integrate across the Microsoft platform.

6. How do I migrate from a commercial cloud to a Government cloud?

The migration process would be similar to migration from any other cloud/on-premises. It is suggested that you allocate at least 3 months for the migration phase and leverage tools to facilitate the process.

7. I have multiple business units with respective compliance requirements. How should I manage my solution and architecture?

If you have multiple business units, the suggestion is to put all of them in one cloud environment with GCC High. This sets a high bar for security requirements, irrespective of the specific compliance requirements of each business unit and the information you are controlling.

8. Should I build a data enclave or should I go all in?

A data enclave might seem quick and easy to deploy, and often maps 1:1 with a data enclave that is on-premises today. It may also be considered much less expensive than alternative approaches that place more users and workloads into GCC High.

However, we have seen with organizations that the most common spillage happens through personal storage, especially in e-mail. If your Personal Data solutions are not hitting the high bar for compliance, or worse, if they are hosted in a Commercial cloud, you have much more scope outside the accreditation boundary than where your Shared Data resides. Check the blog for more details: The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

Contact us

Find a Partner

Microsoft Services

Microsoft Technology Centers

Contract Vehicles

This site is developed and maintained by HSV Digital, authorized by Microsoft.

For official Microsoft resources, visit microsoft.com.