CMMC Framework
Prepare for Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments by mapping Microsoft 365 tenant configurations to CMMC practices and maturity levels. OpsPilot365 Trust Center supports MSPs managing tenants for Department of Defense (DoD) contractors and subcontractors requiring CMMC compliance.
Note: CMMC compliance mapping is part of the Trust Center add-on. It covers CMMC 2.0 Levels 1 through 3, with automated practice assessments for M365-related controls, assessment preparation tools, and Plan of Action and Milestones (POA&M) tracking designed for defense industrial base MSPs.
CMMC 2.0 Maturity Levels
- Level 1 — Foundational: Basic safeguarding of Federal Contract Information (FCI). 17 practices from FAR 52.204-21. Annual self-assessment. No POA&M allowed. Applies to all DoD contractors handling FCI.
- Level 2 — Advanced: Protection of Controlled Unclassified Information (CUI). 110 practices from NIST SP 800-171 Rev 2. Triennial C3PAO assessment for critical programs (self-assessment permitted for select programs). Limited POA&M allowed.
- Level 3 — Expert: Enhanced protection against Advanced Persistent Threats (APTs). 110+ practices from NIST SP 800-172. Government-led assessment by DIBCAC. Highest-priority DoD programs.
Practice Mapping to Microsoft 365
| Domain | Practices | Key M365 Controls | Auto-Assessed |
|---|---|---|---|
| Access Control (AC) | 22 | Conditional Access, RBAC, PIM, session controls | 18/22 |
| Awareness & Training (AT) | 3 | Attack simulation training, security awareness | 1/3 |
| Audit & Accountability (AU) | 9 | Unified Audit Log, sign-in logs, alert policies | 8/9 |
| Configuration Mgmt (CM) | 9 | Baseline configurations, change tracking, app controls | 7/9 |
| Identification & Auth (IA) | 11 | MFA, passwordless, Entra ID identity management | 10/11 |
| Incident Response (IR) | 3 | Defender incidents, automated investigation, alerting | 2/3 |
| Media Protection (MP) | 9 | BitLocker, DLP, sensitivity labels, Intune policies | 6/9 |
| Personnel Security (PS) | 2 | User onboarding/offboarding, access deprovisioning | 2/2 |
| Risk Assessment (RA) | 3 | Secure Score, vulnerability scans, threat detection | 3/3 |
| Security Assessment (CA) | 4 | Compliance assessments, POA&M tracking, continuous monitoring | 3/4 |
| System & Comm Protection (SC) | 16 | TLS, encryption, information barriers, network controls | 12/16 |
| System & Info Integrity (SI) | 7 | Defender anti-malware, Safe Links/Attachments, patching | 6/7 |
Assessment Preparation
- System Security Plan (SSP) — Auto-generated SSP based on M365 tenant configuration, system boundary documentation from M365 service inventory, control implementation descriptions per practice, and interconnection diagrams for M365 service relationships.
- Plan of Action & Milestones (POA&M) — Auto-populated from failing practice assessments, milestone tracking with target completion dates, resource estimation for each remediation item, and progress monitoring with automatic status updates.
- SPRS Score Calculation — Supplier Performance Risk System (SPRS) score calculation, weighted scoring based on NIST SP 800-171 DoD Assessment, score range tracking (-203 to 110), and score improvement projections based on POA&M completion.
- Evidence Packages — Evidence artifacts organized by practice and domain, configuration screenshots and API output captures, policy documentation with implementation proof, and auditor-ready export formats (PDF, CSV, JSON).
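The SPRS score and POA&M projection described above can be computed as follows. This is an added example, not OpsPilot365 code: the scoring rule (start at 110, subtract each unimplemented requirement's weight of 5, 3 or 1, floor at -203, partial credit for MFA and FIPS crypto) follows the DoD Assessment Methodology, but the WEIGHTS table is an illustrative subset of the 110 requirements and the SAMPLE results are constructed.

```python
"""SPRS-style score and POA&M projection (added example, not OpsPilot365 code).
Scoring follows the DoD Assessment Methodology: start at 110, subtract each
unimplemented requirement's weight (5, 3 or 1), partial credit only for MFA and
FIPS crypto. WEIGHTS is an illustrative subset; SAMPLE results are constructed."""
from dataclasses import dataclass

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # every requirement unimplemented (313 points of deductions)
# requirement id -> (weight, deduction when only partially implemented, or None)
WEIGHTS = {
    "3.1.1": (5, None),   # limit system access to authorized users
    "3.1.20": (1, None),  # verify and control connections to external systems
    "3.3.1": (5, None),   # create and retain audit logs
    "3.5.3": (5, 3),      # MFA: only 3 points off if partially deployed
    "3.13.11": (5, 3),    # FIPS-validated crypto: 3 points off if partial
    "3.14.1": (5, None),  # identify and correct flaws in a timely manner
}

@dataclass(frozen=True)
class Result:
    practice: str
    status: str  # "implemented", "partial" or "not_implemented"

def deduction(r: Result) -> int:
    weight, partial = WEIGHTS[r.practice]
    if r.status == "implemented":
        return 0
    # "partial" only earns credit for the requirements the methodology allows
    return partial if (r.status == "partial" and partial is not None) else weight

def sprs_score(results) -> int:
    score = MAX_SCORE - sum(deduction(r) for r in results)
    return max(MIN_SCORE, score)  # the methodology never goes below -203

def poam_projection(results):
    """Open items ordered by score gain, with the projected score once each is closed."""
    gains = sorted(((r.practice, deduction(r)) for r in results if deduction(r) > 0),
                   key=lambda t: (-t[1], t[0]))
    score, plan = sprs_score(results), []
    for practice, gain in gains:
        score += gain
        plan.append((practice, gain, score))
    return plan

# Constructed assessment of the subset above: 110 - (1 + 5 + 3 + 3) = 98
SAMPLE = [Result("3.1.1", "implemented"), Result("3.1.20", "not_implemented"),
          Result("3.3.1", "not_implemented"), Result("3.5.3", "partial"),
          Result("3.13.11", "partial"), Result("3.14.1", "implemented")]
```

Closing the highest-weight items first is what drives the "greatest score improvement" prioritization; a partially deployed MFA rollout still costs 3 points until it covers every user.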
DoD Compliance Requirements
Note: DoD contractors handling CUI often require Microsoft 365 Government Community Cloud (GCC) or GCC High environments. OpsPilot365 supports assessment of both commercial and GCC/GCC High tenants, flagging when a commercial tenant is being used for CUI processing and recommending migration to an appropriate government cloud environment.
| Requirement | Description | OpsPilot365 Assessment |
|---|---|---|
| DFARS 252.204-7012 | Safeguarding Covered Defense Information | Verifies NIST 800-171 controls are implemented in M365 |
| DFARS 252.204-7019 | NIST SP 800-171 DoD Assessment | Calculates SPRS score based on M365 control status |
| DFARS 252.204-7021 | CMMC Requirements | Assesses M365 against required CMMC level practices |
| FedRAMP Moderate | Cloud service authorization baseline | Verifies tenant uses FedRAMP-authorized M365 environment |
| ITAR / EAR Controls | Export-controlled data handling | Assesses data residency and access restrictions for ITAR data |
Compliance Status
| Level | Name | Readiness | Practices Met |
|---|---|---|---|
| Level 1 | Foundational | 94% | 16/17 |
| Level 2 | Advanced | 72% | 79/110 |
| Level 3 | Expert | 45% | Assessment in progress |
Note: For defense contractor clients, begin with a CMMC Level 1 self-assessment to establish a baseline. If the client handles CUI (most DoD subcontractors do), immediately plan for Level 2 by mapping their M365 tenant against all 110 NIST SP 800-171 practices. Use the SPRS score calculator to determine current scoring and prioritize remediation items that provide the greatest score improvement. Consider recommending M365 GCC High for clients handling CUI to simplify compliance.
API Reference
- GET /api/addons/trust-center/frameworks/cmmc/status — Get CMMC compliance status summary by maturity level
- GET /api/addons/trust-center/frameworks/cmmc/practices — List all CMMC practices with assessment results by domain
- GET /api/addons/trust-center/frameworks/cmmc/sprs-score — Calculate current SPRS score based on practice assessment
- GET /api/addons/trust-center/frameworks/cmmc/poam — Get Plan of Action and Milestones for failing practices
- GET /api/addons/trust-center/frameworks/cmmc/ssp — Generate System Security Plan based on M365 configuration
- POST /api/addons/trust-center/frameworks/cmmc/scan — Trigger a CMMC practice assessment scan
- GET /api/addons/trust-center/frameworks/cmmc/evidence — Export evidence package for CMMC assessment preparation