CMMC, NIST SP 800-171, Microsoft 365

Is Your Microsoft 365 Tenant Configured for NIST SP 800-171 & CMMC Compliance?

More than likely, you haven’t configured your Microsoft 365 tenant to actually meet your DFARS NIST SP 800-171 & CMMC requirements.

You are Responsible for Compliance, Not Microsoft

Microsoft 365 is a great service that has become the backbone of many businesses, including those with DFARS requirements surrounding controlled unclassified information (CUI). Microsoft takes security seriously: its services include top-of-the-line encryption and strict data center security, and Microsoft 365 comes with a wide range of configurable settings. Microsoft has done what it can for you, but it isn’t responsible for completely hardening your Microsoft 365 environment, nor is it responsible for your compliance with NIST SP 800-171 & CMMC related requirements. You are.

What You Need to Do

Within Microsoft 365, there are dozens of security settings surrounding email security, Azure AD, SharePoint security, OneDrive security, Teams security, and other Microsoft 365 security settings. Here are some questions you should ask yourself:
  • Have we sufficiently restricted SharePoint and OneDrive sharing settings?
  • Have we implemented the appropriate DNS configurations (DKIM, DMARC)?
  • Have we configured audit logging and are we periodically reviewing the appropriate logs?
  • Have we configured the appropriate collaboration settings in Microsoft Teams?
  • Have we configured the necessary settings surrounding the use of third-party applications?
  • Have we configured the necessary settings to ensure that modern authentication is used to protect CUI?
  • Do we have labelling policies in place?
  • Do we have multi-factor authentication set up?
  • Have we reviewed our user account list?
  • Have we reviewed our security groups?
This is not an exhaustive list; rather, these are the basics you should be concerned about when trying to meet your NIST SP 800-171 & CMMC requirements. A good baseline you can use for hardening your Microsoft 365 tenant is the Center for Internet Security’s baseline, available on their website.

How We Can Help

Lake Ridge has supported hundreds of companies in meeting their DFARS NIST SP 800-171 and CMMC related requirements. This includes implementing the full set of security configuration requirements necessary for making your Microsoft 365 environment compliant with NIST SP 800-171 requirements. If you would like to receive the same help, you may contact us at

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontractor compliance.