Solutions
Integration & Consulting
Help you move, operate, innovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security & Compliance
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Microsoft Purview
Azure Virtual Desktop
Azure
Microsoft Teams
Microsoft 365
Power Platform
Dynamics 365
Power BI
Microsoft Copilot
Power Apps
Microsoft Fabric
Sharepoint
Azure OpenAI
Microsoft Sentinel
Azure Synapse
Windows
SQL Server
ERP Technologies
System Center
Microsoft Viva
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Cloud Solutions Provider (CSP)
Products
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
EmPerform
Provide people managers with flexible employee performance management software.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
PowerGov
Engage citizens with a community development app for city maintenance and management.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
AI Operations Services
Support for your AI technologies & ongoing strategic coaching to take your AI initiatives to the next level.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Managed IT Security
Take a proactive, continuous approach to optimizing your security environment and strategy.
Data & Analytics Program
Operational support for running, monitoring and managing services for the Azure Data Platform.
Managed Detection & Response
Get around-the-clock threat monitoring, detection, and rapid response to security breaches.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Microsoft Support Services
Flexible, routine support and environment management for critical Microsoft systems.
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
On-Demand Videos
Events
News
Learning Channels
About
Our Partners
Our Story
Locations
Awards & Recognition
Leadership
Microsoft
Our Approach
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security & Compliance
Digital Workplace
Infrastructure
Product Development
Technology
Microsoft Purview
Azure OpenAI
Microsoft Copilot
Microsoft Fabric
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Cloud Solutions Provider (CSP)
Products
Back
Products
EmPerform
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
Managed Services
Back
Managed Services
Azure Management Services
AI Operations Services
Managed IT Security
Managed Detection & Response
App Dev Program
Microsoft Support Services
Data & Analytics Program
Digital Workplace Program
Dynamics Program
Power Platform Program
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
On-Demand Videos
Blogs
Events
Case Studies
News
Library
Learning Channels
Contact us
About
Back
About
Locations
Our Story
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy
General Quisitive gradient background
Preparing Your Business for CMMC 2.0 Compliance While Safeguarding Your Sensitive Assets
August 15, 2025
Christophe Foulon
Learn the key steps to achieve CMMC 2.0 compliance and protect your business while staying ready for DoD contract requirements.
Preparing Your Business for CMMC 2.0 Compliance

The cybersecurity landscape for Defense Industrial Base (DIB) contractors continues to evolve as threats become more sophisticated. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0 framework represents a critical step in safeguarding sensitive information across the defense supply chain. This blog post provides a comprehensive overview of CMMC 2.0, its focus on protecting Controlled Unclassified Information (CUI), and how it compares to other security standards that cloud service providers must implement.

What is CMMC 2.0?

CMMC 2.0 is the Department of Defense’s framework for verifying that contractors and subcontractors implement appropriate cybersecurity practices to protect sensitive information. Released in 2021, CMMC 2.0 streamlined the previous five-level model to three distinct levels, each building upon the foundation of the previous level.

The primary purpose of CMMC 2.0 is to ensure the protection of two types of information:

  • Federal Contract Information (FCI): Basic information provided by or generated for the government under contract
  • Controlled Unclassified Information (CUI): Information that requires protection or dissemination controls by law, regulation, or government-wide policy

CMMC 2.0 consists of security requirements derived from established standards, primarily NIST SP 800-171 Rev 2 and a subset of NIST SP 800-172. These requirements are organized into domains that address different aspects of cybersecurity, creating a comprehensive framework for protecting sensitive information.

AspectNIST SP 800-171CMMC 2.0
Primary FocusCUI protectionCUI + Federal Contract Information (FCI)
Contract CoverageAll federal contractorsDoD contractors only
Maturity ModelNoneTiered levels (1-3) with progressive controls

Contractors must ensure compliance with NIST SP 800-171 by conducting internal audits and submitting their scores via SPRS. For critical contracts under CMMC 2.0 (Level 2 Advanced and Level 3 Expert), third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) are required, while non-critical CUI contracts can be managed through self-assessments.

Understanding the Three Levels of CMMC 2.0

The protection of sensitive information has become paramount, especially for organizations involved in federal contracting and The Cybersecurity Maturity Model Certification (CMMC) 2.0 is designed to ensure that contractors implement adequate cybersecurity measures to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The maturity tiering approach of CMMC 2.0 introduces a structured framework with tiered levels of security requirements, progressively strengthening the defenses against cyber threats.

The model comprises three distinct levels:

Level 1 (Foundational)

Level 1 focuses on the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements specified in FAR Clause 52.204-21. This level establishes fundamental cyber hygiene practices that all contractors must implement.

Key characteristics of Level 1:

Level 2 (Advanced)

Level 2 significantly increases security requirements, focusing specifically on the protection of Controlled Unclassified Information (CUI). This level aligns with NIST SP 800-171 Rev 2 and requires more robust cybersecurity practices.

Key characteristics of Level 2:

Level 3 (Expert)

Level 3 represents the highest tier of the CMMC framework, designed to protect CUI from advanced persistent threats (APTs). This level incorporates additional requirements beyond NIST SP 800-171.

Key characteristics of Level 3:

  • All 110 practices from Level 2 plus additional requirements from NIST SP 800-172
  • Triennial government-led assessment by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Enhanced security measures for the most sensitive contracts
  • Full details still under development

It is important to understand as you might have contractual requirements to comply with CMMC 2.0 Levels 2 and Level 3 you will need to work with a CMMC 3rd party assessor to complete the needed audit and certification.

CMMC 2.0’s Focus on Protecting CUI

Controlled Unclassified Information (CUI) represents a critical category of information that, while not classified, still requires protection from unauthorized access and dissemination. CUI includes various categories of sensitive information such as:

  • Technical information related to defense articles
  • Personally identifiable information (PII)
  • Financial information
  • Export-controlled technology
  • Sensitive infrastructure data
  • Patent applications and related information

Oftentimes contractors can obtain this type of data through their work, requests for proposals, and they might not have any of the National Archive recommended markings, and it is up to the contractors to be able to identify and apply the needed protections to these documents as they are in their possession.

CMMC Level 2 specifically addresses the protection of CUI through its alignment with NIST SP 800-171, which was designed specifically for CUI protection in non-federal systems. The 110 controls at this level create a comprehensive security framework covering 15 domains including:

  • Access Control (22 controls)
  • Audit and Accountability (9 controls)
  • Awareness and Training (3 controls)
  • Configuration Management (9 controls)
  • Identification and Authentication (11 controls)
  • Incident Response (3 controls)
  • Maintenance (6 controls)
  • Media Protection (9 controls)
  • Personnel Security (2 controls)
  • Physical Protection (6 controls)
  • Recovery (2 controls)
  • Risk Management (3 controls)
  • Security Assessment (4 controls)
  • System and Communications Protection (16 controls)
  • System and Information Integrity (7 controls)

These controls implement technical and administrative safeguards such as encryption, access control, configuration management, and incident response to protect CUI throughout its lifecycle within contractor systems.

Comparing CMMC 2.0 with Other Security Standards

While CMMC 2.0 specifically targets DoD contractors, several other security frameworks address similar security concerns for government information. Understanding how these standards relate to one another is essential for contractors navigating multiple compliance requirements.

DoD Impact Levels (IL)

The Department of Defense Cloud Computing Security Requirements Guide (CC SRG) defines Impact Levels (IL) that determine the security requirements for cloud service offerings based on the sensitivity of information:

  • IL2: Suitable for low confidentiality, unclassified information and public data
  • IL4: Required for CUI and controlled mission data requiring higher protection
  • IL5: For non-public, unclassified National Security System (NSS) data

These impact levels directly influence cloud service provider offerings like Microsoft’s Government Community Cloud (GCC) and GCC High environments.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment and authorization for cloud services used by federal agencies. FedRAMP has three impact levels:

  • FedRAMP Low: For cloud services where a security breach would have limited adverse effects
  • FedRAMP Moderate: For cloud services where a security breach could have serious adverse effects
  • FedRAMP High: For cloud services managing highly sensitive federal data where a breach could have severe or catastrophic adverse effects

FedRAMP High includes rigorous requirements across system security planning, encryption, incident response, access controls, and continuous monitoring. These requirements often align with and complement CMMC requirements for contractors using cloud services.

Cloud Service Provider Considerations: Microsoft GCC High

For contractors handling CUI, choosing the right cloud service environment is critical to meeting CMMC requirements. Microsoft offers specialized government cloud environments that address different security and compliance needs.

Microsoft GCC vs. GCC High: Key Differences

The primary distinction between these environments lies in where and how data is stored:

  • Microsoft GCC (Government Community Cloud):
    • Compliant up to DoD CC SRG Level IL2
    • Not with International Traffic in Arms Regulations (ITAR)
    • Compliant up to DoD CC SRG Level IL2
    • Can be accessed by Microsoft’s worldwide personnel
  • Microsoft GCC High:
    • Compliant up to DoD CC SRG Level IL4 and ITAR
    • Uses Microsoft’s US Sovereign Cloud located exclusively in the United States
    • Can only be accessed by U.S. citizens with special clearances
    • Designed specifically for contractors handling CUI and ITAR-controlled data

Microsoft officially recommends that organizations planning to meet CMMC 2.0 Level 2 and Level 3 should deploy to Microsoft 365 GCC High. This recommendation aligns with the requirements for protecting CUI at these higher CMMC levels.

Compliance Features of GCC High

GCC High includes several features that support CMMC compliance:

  • Logical segregation of customer content from commercial Office 365 services
  • Data storage exclusively within the United States
  • Restricted access to screened Microsoft personnel who are U.S. citizens
  • Compliance with certifications required for U.S. Public Sector customers
  • Enhanced security controls aligned with NIST SP 800-171 requirements

It’s important to note that while GCC High provides a compliant infrastructure, contractors are still responsible for properly configuring their environment and implementing appropriate security controls to meet all CMMC requirements.

Practical Considerations for Contractors

As you navigate CMMC 2.0 compliance, consider these practical steps:

  1. Determine your CMMC level requirement: Review your contracts and the type of information you handle to identify which CMMC level applies to your organization.
  2. Assess your current cybersecurity posture: Conduct a gap assessment against the requirements of your target CMMC level.
  3. Develop a System Security Plan (SSP): Document your system boundaries, security controls, and implementation details as required by NIST SP 800-171 and CMMC.
  4. Consider cloud environment implications: If you use cloud services, ensure your provider offers a compliant environment suitable for your CMMC level requirements.
  5. Implement security controls: Address gaps identified in your assessment by implementing required technical and administrative controls.
  6. Prepare for assessment: Gather evidence demonstrating your compliance with all applicable requirements for your CMMC level.
  7. Maintain continuous compliance: Security is not a one-time effort; establish processes to maintain compliance over time.

Quisitive’s Spyglass Security Services and Azure Management Services can help you with getting your environment into compliance and working with you to help you protect the sensitive information in your environment and applying the needed controls in a risk appropriate manner for the business to function effectively.

Conclusion

CMMC 2.0 represents a significant evolution in how the Department of Defense ensures its contractors protect sensitive information. By focusing on the protection of CUI through standardized cybersecurity practices, the framework aims to strengthen the entire defense industrial base against increasingly sophisticated threats.

For contractors, understanding not only CMMC requirements but also how they relate to other security standards—particularly for cloud environments like Microsoft GCC High—is essential for successful compliance. While these requirements may seem complex, they ultimately serve a critical purpose: protecting the information that is vital to our national security.

By taking a proactive approach to CMMC compliance, contractors can not only meet their contractual obligations but also enhance their overall security posture, positioning themselves as trusted partners in the defense supply chain.

To learn more about how Quisitive’s Spyglass Security Services and Azure Management Services can safeguard your business today, visit our website or contact us for more information.

Related posts
|
Read more
Broadcom’s VMware Changes: What It Means for Your IT Strategy
Azure Managed Services
Broadcom’s VMware Changes: What It Means for Your IT Strategy
Read more
Hands typing on a keyboard with the lock and log-in form in the middle.
Azure Managed Services
10 Cloud Network Security Best Practices to Protect Your Business
Read more
Featured Image - EverWatch
Azure Managed Services
​​​Inside the Cockpit: How Quisitive Operates the EverWatch Tie Fighter​
Read more