Microsoft 365 for CMMC Level 1

A Small Defense Contractor's Guide to Self-Assessment
Stop Guessing, Start Documenting: Your M365 CMMC Compliance Roadmap
Last Updated: January 2025

The Small GovCon Dilemma

You're a small defense subcontractor. Your prime just informed you that CMMC Level 1 compliance is now mandatory for your contract renewal. You've got 15 employees, most working remotely or on-site at the prime's facility using their laptops. Your "IT infrastructure" consists of Microsoft 365 subscriptions, a few company laptops, and that one employee who "knows computers."

Sound familiar?

Here's the good news: You probably already have most of the technical tools you need. Microsoft 365 includes robust security features that can satisfy many CMMC Level 1 requirements.

Here's the bad news: Having the tools isn't enough. You need to prove you're using them correctly, and that means documentation—lots of it.

This guide will show you exactly what you need to document in your Microsoft 365 environment to pass a CMMC Level 1 self-assessment and prepare for a formal audit.

Not sure where you stand? Get clarity in 30 minutes.

Understanding the Real Challenge

Let's be clear about what CMMC Level 1 actually requires:

  • Not CUI: Level 1 is for Federal Contract Information (FCI) only—basic contract data like payment schedules, delivery dates, and terms
  • 17 Practices: which together can call for as many as 142 required artifacts
  • Self-Assessment: For now, you can self-assess, but you need documented proof
  • The Kicker: Documentation without evidence is worthless

Most small contractors fail not because they lack security controls, but because they can't prove those controls exist and work.

Overwhelmed already? Overwatch Tools provides 140+ pre-built artifact templates that tell you exactly what documentation you need and how to collect it.

What You Actually Need to Document in M365

The Foundation: System Security Plan (SSP)

Before diving into technical evidence, you need a System Security Plan (not formally required at Level 1, but you should use it as a planning tool) that defines your scope. For M365-dependent contractors, this typically includes:

In-Scope Systems:

  • Microsoft 365 tenant (Exchange Online, OneDrive, SharePoint, Teams)
  • Company-owned laptops accessing M365
  • Your office network (if you have one)
  • Employee home networks (if remote work)

Out-of-Scope Systems:

  • Prime contractor-provided laptops (they're responsible for those)
  • Systems at government facilities you don't control
  • Personal devices (which should be prohibited from FCI access)

Example SSP Language:

System Name: Company A Federal Contract Information Environment

Primary Components:
- Microsoft 365 Business Premium (Tenant ID: xxxxx)
  - Exchange Online for email communication
  - OneDrive for Business for file storage
  - SharePoint Online for collaboration
  - Microsoft Teams for internal communication

- Endpoint Devices:
  - 5x Dell Latitude laptops (company-owned)
  - Windows 11 Pro with BitLocker enabled
  - Managed through Microsoft Intune

FCI Storage Locations:
- SharePoint Site: "Contract Documents" (restricted access)
- OneDrive folders: "FCI" designation required
- Email: @companya.com domain only

M365 Evidence Collection: The Required Seven

Don't want to figure this out alone? Our Consultant-Guided Program walks you through each evidence item with personalized support.

Evidence Item #1: User Account Configuration

What CMMC Practice This Addresses:

  • AC.L1-3.1.1 (Authorized access control)
  • IA.L1-3.5.1 (User identification)

What You Need: An export proving every user has a unique account—no shared logins.

How to Collect:

  1. Sign in to Microsoft 365 Admin Center (admin.microsoft.com)
  2. Navigate to Users → Active Users
  3. Click Export users or take a screenshot
  4. Verify list shows each employee's name, unique email address, assigned roles, and last sign-in date

What to Look For:

  • Every employee has firstname.lastname@yourcompany.com or some similar variation
  • No generic accounts like admin@, info@, shared@
  • No duplicate accounts for same person
  • Terminated employees have been disabled

File This As: M365-Config_Active-Users_2025-01-15.csv

Red Flags:

  • Guest accounts still active
  • Users with "Admin" or "Shared" in the name
  • Employees who left months ago still showing "active"

Evidence Item #2: Multi-Factor Authentication Status

What CMMC Practice This Addresses:

  • IA.L1-3.5.3 (Multi-factor authentication)

The Requirement: MFA is mandatory for all M365 accounts—no exceptions.

How to Collect:

  1. Microsoft 365 Admin Center → Users → Active Users
  2. Click Multi-factor authentication (may be under "More" menu)
  3. Export the MFA status report
  4. Verify every single user shows "Enabled" or "Enforced"

What Your Export Should Show:

User Name            | MFA Status | Default Method
---------------------|------------|----------------
john.smith@co.com    | Enforced   | Authenticator App
jane.doe@co.com      | Enforced   | Authenticator App
bob.jones@co.com     | Enforced   | Phone Call

File This As: M365-Config_MFA-Status_2025-01-15.csv

Common Mistakes:

  • Leaving the CEO exempt "because it's inconvenient"
  • Allowing new users to delay MFA setup
  • Not verifying contractors have MFA enabled
  • Thinking Conditional Access is enough (it's not—MFA must be on)

Pro Tip: If you see "Disabled" for anyone, fix it immediately. This is an automatic CMMC failure.
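The checks in Evidence Items #1 and #2 are easy to automate once you have the exports in hand. The script below is an added example, not code from the original guide: it runs the "What to Look For" and "Red Flags" checks over a constructed Active Users export and the "Enabled or Enforced" check over an MFA status export in the layout shown above. The column headers, the 90-day stale-account threshold and the review date are assumptions; map them to what your admin center actually exports.

```python
"""Red-flag review of Microsoft 365 user and MFA exports.

Added example (not code from the original guide). Runs the Evidence Item #1
user-list checks and the Evidence Item #2 MFA check over exported CSVs.
Column headers are assumptions; map them to your admin center's export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed review date (matches the 2025-01-15 evidence filenames in the guide).
REVIEW_DATE = datetime(2025, 1, 15)
# Words the guide treats as signs of a generic or shared account.
GENERIC_WORDS = ("admin", "info", "shared")

# Constructed sample Active Users export; not real tenant data.
USERS_CSV = """Display name,User principal name,User type,Account enabled,Last sign-in
John Smith,john.smith@companya.com,Member,True,2025-01-14
Jane Doe,jane.doe@companya.com,Member,True,2025-01-13
Jane Doe,jdoe@companya.com,Member,True,2024-06-02
Shared Mailbox,shared@companya.com,Member,True,2025-01-10
Bob Jones,bob.jones@companya.com,Member,True,2024-09-30
Former Employee,former.employee@companya.com,Member,False,2024-08-01
Consultant Guest,consultant_outside.com#EXT#@companya.onmicrosoft.com,Guest,True,2024-05-01
"""

# Constructed sample MFA status export in the layout shown in Evidence Item #2.
MFA_CSV = """User Name,MFA Status,Default Method
john.smith@companya.com,Enforced,Authenticator App
jane.doe@companya.com,Enforced,Authenticator App
bob.jones@companya.com,Disabled,
"""


def review_user_export(csv_text, as_of=REVIEW_DATE, stale_days=90):
    """Return (account, finding) pairs for every red flag in the export.

    stale_days is an assumed threshold: an enabled member account with no
    sign-in for longer than this is treated as a possible departed employee.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    by_name = defaultdict(list)  # display name -> UPNs, to spot duplicate accounts
    for r in rows:
        upn = r["User principal name"]
        local = upn.split("@")[0].lower()
        enabled = r["Account enabled"] == "True"
        idle = (as_of - datetime.strptime(r["Last sign-in"], "%Y-%m-%d")).days
        by_name[r["Display name"].strip().lower()].append(upn)
        if enabled and r["User type"].lower() == "guest":
            findings.append((upn, f"guest account still active, idle {idle} days"))
        elif enabled and idle > stale_days:
            findings.append((upn, f"enabled but no sign-in for {idle} days"))
        if any(word in local for word in GENERIC_WORDS):  # coarse check; confirm by hand
            findings.append((upn, "generic or shared account"))
    for name, upns in by_name.items():
        if len(upns) > 1:
            findings.append((", ".join(upns), f"duplicate accounts for '{name}'"))
    return findings


def review_mfa_export(csv_text):
    """Return users whose MFA status is anything other than Enabled or Enforced."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["User Name"] for r in rows
            if r["MFA Status"].strip() not in ("Enabled", "Enforced")]


if __name__ == "__main__":
    for account, finding in review_user_export(USERS_CSV):
        print(f"USER RED FLAG  {account}: {finding}")
    for account in review_mfa_export(MFA_CSV):
        print(f"MFA FAILURE    {account}: not Enabled/Enforced, fix immediately")
```

Keep the script's output alongside the exported CSV in your evidence folder; the findings list is the "what we checked" half of the artifact.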

Evidence Item #3: Password Policy Configuration

What CMMC Practice This Addresses:

  • IA.L1-3.5.2 (User authentication)

How to Collect:

  1. Microsoft 365 Admin Center → Settings → Org Settings
  2. Click Security & Privacy → Password expiration policy
  3. Screenshot the settings showing minimum password length, complexity requirements, and password expiration

Example Compliant Configuration:

  • Require users to change passwords every 90 days
  • Notify users 14 days before password expires
  • Password length minimum: 12 characters
  • Complexity requirements: Enabled (default)

File This As: M365-Config_Password-Policy_2025-01-15.png

Modern Approach Note: Microsoft now recommends not forcing regular password changes unless there's evidence of compromise. Either approach works for CMMC L1, but you need to document your chosen policy.

Evidence Item #4: External Sharing Controls

What CMMC Practice This Addresses:

  • AC.L1-3.1.20 (Control external connections)

The Risk: Accidentally sharing FCI via public SharePoint links is one of the most common security failures.

How to Collect:

  1. SharePoint Admin Center (yourcompany-admin.sharepoint.com)
  2. Policies → Sharing
  3. Screenshot showing external sharing settings
  4. Verify setting is "Only people in your organization" for sites containing FCI

What Auditors Want to See:

SharePoint Sharing Settings:
- External sharing: Most permissive = "Only people in your organization"
- Default sharing link type: "People in your organization with the link"
- Guest access: Disabled for FCI sites

File This As: M365-Config_External-Sharing-Settings_2025-01-15.png

Evidence Item #5: Audit Logging Status

What CMMC Practice This Addresses:

  • AU.L1-3.3.1 (System audit logs)—technically Level 2, but smart to implement

How to Collect:

  1. Microsoft Purview Compliance Portal (compliance.microsoft.com)
  2. Solutions → Audit
  3. Verify "Start recording user and admin activity" is ON
  4. Screenshot the audit log search interface
  5. Run a sample search to prove logs are being captured (All activities, Last 7 days)
  6. Export sample results

What This Proves:

  • You're capturing who accesses what files
  • You're logging admin changes
  • You can investigate incidents
  • You're maintaining accountability

File This As:

  • M365-Config_Audit-Log-Status_2025-01-15.png
  • M365-Sample-Audit-Log_2025-01-15.csv

Evidence Item #6: Sign-In Activity Logs

What CMMC Practice This Addresses:

  • AC.L1-3.1.12 (Monitor remote access sessions)
  • Detection of unauthorized access

How to Collect:

  1. Microsoft Entra Admin Center (entra.microsoft.com)
  2. Users → Sign-in logs
  3. Set date range: Last 30 days
  4. Export logs showing username, date/time, application, IP address, location, status, and MFA status

What to Review For:

  • Failed login attempts (potential attacks)
  • Unusual geographic locations
  • After-hours access (may be legitimate, but verify)
  • Signs of compromised accounts

File This As: M365-Sign-In-Logs_Last-30-Days_2025-01-15.csv

Monthly Review Requirement:

You must review these logs at least monthly and document that review. Create a simple log review checklist:

Log Review - January 2025

Reviewed by: [Name]
Date reviewed: [Date]

Findings:
☑ All sign-ins from expected locations
☑ No unusual failed login patterns
☑ MFA used on all authentications
☐ 3 failed logins for user J.Smith - Password forgotten (resolved)
☐ 1 sign-in from Denver, CO - User traveling (verified)

Actions taken: [None / See below]

Next review due: February 15, 2025
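The four "What to Review For" points and the checklist above can be produced from the exported sign-in log itself. The following is an added example, not code from the original guide: it groups a constructed sign-in export into failed-login patterns, unusual locations, after-hours access and sign-ins that never required MFA, then renders the monthly "Log Review" checklist. The column headers, the expected-location set, the business-hours window and the three-failure threshold are assumptions to adjust for your tenant.

```python
"""Monthly sign-in log review (Evidence Item #6).

Added example, not code from the original guide. Applies the four
'What to Review For' checks to an exported sign-in log and renders the
monthly 'Log Review' checklist. Column headers, expected locations and
business hours are assumptions for your tenant.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export, not real tenant data. Locations contain commas,
# so they are quoted the way a real CSV export quotes them.
SIGNIN_CSV = """User,Date (UTC),Application,IP address,Location,Status,MFA
john.smith@companya.com,2025-01-06T14:02:11Z,Office 365 SharePoint Online,203.0.113.10,"Norfolk, VA, US",Success,Satisfied
john.smith@companya.com,2025-01-07T13:10:00Z,Office 365 Exchange Online,203.0.113.10,"Norfolk, VA, US",Failure,Not required
john.smith@companya.com,2025-01-07T13:10:40Z,Office 365 Exchange Online,203.0.113.10,"Norfolk, VA, US",Failure,Not required
john.smith@companya.com,2025-01-07T13:11:30Z,Office 365 Exchange Online,203.0.113.10,"Norfolk, VA, US",Failure,Not required
jane.doe@companya.com,2025-01-09T16:45:00Z,Microsoft Teams,198.51.100.7,"Denver, CO, US",Success,Satisfied
bob.jones@companya.com,2025-01-11T03:20:00Z,Office 365 Exchange Online,192.0.2.55,"Norfolk, VA, US",Success,Satisfied
bob.jones@companya.com,2025-01-12T15:00:00Z,Office 365 Exchange Online,192.0.2.55,"Norfolk, VA, US",Success,Not required
"""

EXPECTED_LOCATIONS = {"Norfolk, VA, US"}  # assumption: where staff normally sign in from
BUSINESS_HOURS = range(13, 23)            # assumption: 8 AM-6 PM Eastern, expressed in UTC
FAILED_LOGIN_THRESHOLD = 3                # assumption: failures per user worth a note


def review_signins(csv_text):
    """Group the export into the guide's four review points."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ok = [r for r in rows if r["Status"] == "Success"]
    failures = Counter(r["User"] for r in rows if r["Status"] == "Failure")
    return {
        "failed_logins": {u: n for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD},
        "unusual_locations": Counter((r["User"], r["Location"]) for r in ok
                                     if r["Location"] not in EXPECTED_LOCATIONS),
        "after_hours": [(r["User"], r["Date (UTC)"]) for r in ok
                        if datetime.strptime(r["Date (UTC)"], "%Y-%m-%dT%H:%M:%SZ").hour
                        not in BUSINESS_HOURS],
        # A successful sign-in that never required MFA points at a policy gap, not user error.
        "no_mfa": sorted({r["User"] for r in ok if r["MFA"] != "Satisfied"}),
    }


def render_checklist(findings, month, reviewer, reviewed_on):
    """Return the findings in the guide's 'Log Review' checklist layout."""
    def box(clean):
        return "☑" if clean else "☐"
    lines = [f"Log Review - {month}", "", f"Reviewed by: {reviewer}",
             f"Date reviewed: {reviewed_on}", "", "Findings:",
             f"{box(not findings['unusual_locations'])} All sign-ins from expected locations",
             f"{box(not findings['failed_logins'])} No unusual failed login patterns",
             f"{box(not findings['no_mfa'])} MFA used on all authentications"]
    for user, n in findings["failed_logins"].items():
        lines.append(f"☐ {n} failed logins for user {user} - [record cause and resolution]")
    for (user, loc), n in findings["unusual_locations"].items():
        lines.append(f"☐ {n} sign-in(s) from {loc} by {user} - [verify with user]")
    for user, when in findings["after_hours"]:
        lines.append(f"☐ After-hours sign-in by {user} at {when} - [verify with user]")
    for user in findings["no_mfa"]:
        lines.append(f"☐ Sign-in without MFA for {user} - [check MFA enforcement]")
    lines += ["", "Actions taken: [None / See below]"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_checklist(review_signins(SIGNIN_CSV), "January 2025", "[Name]", "[Date]"))
```

The bracketed placeholders are where the reviewer writes the outcome of each verification, which is what turns the printout into a dated review record.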

Evidence Item #7: M365 Security Score

What CMMC Practice This Addresses:

  • Overall security posture demonstration
  • Continuous improvement evidence

How to Collect:

  1. Microsoft 365 Defender portal (security.microsoft.com)
  2. Reports → Secure Score
  3. Screenshot showing your current score, score trend, top improvement actions, and completed actions

What This Shows Auditors:

  • You're proactively managing security
  • You're monitoring Microsoft's recommendations
  • You're improving over time
  • You're not ignoring security alerts

File This As: M365-Secure-Score_2025-01-15.png

Realistic Expectations:

  • Don't worry about achieving a "perfect" score
  • Focus on completing high-impact items
  • Document why you're not implementing certain recommendations (if applicable)
  • Show improvement trend over time

The Device Side: What You Need From Company Laptops

M365 is only half the equation. You also need evidence from company-owned endpoints:

Laptop Evidence Checklist

For each company laptop (or a representative sample of 2-3), collect:

1. BitLocker Encryption Status

  • Screenshot: Control Panel → BitLocker Drive Encryption
  • Verify: "BitLocker on" for C: drive
  • File As: Laptop-[Name]_BitLocker-Status_2025-01-15.png

2. Windows Defender Status

  • Screenshot: Windows Security → Virus & threat protection
  • Verify: Real-time protection ON, definitions current
  • File As: Laptop-[Name]_Defender-Status_2025-01-15.png

3. Windows Update Status

  • Screenshot: Settings → Windows Update
  • Verify: "You're up to date" or recent updates installed
  • File As: Laptop-[Name]_Update-Status_2025-01-15.png

4. Screen Lock Configuration

  • Screenshot: Settings → Accounts → Sign-in options
  • Verify: Screen timeout ≤ 15 minutes
  • File As: Laptop-[Name]_Screen-Lock_2025-01-15.png

5. User Account Type

  • Screenshot: Settings → Accounts → Family & other users
  • Verify: User has "Standard user" account (not administrator)
  • Verify: No guest accounts enabled
  • File As: Laptop-[Name]_User-Accounts_2025-01-15.png

Pro Tip: Our Self-Paced Toolkit includes device evidence collection checklists with screenshot examples so you know exactly what auditors expect to see.

The 30-Day Sprint: Your CMMC L1 Roadmap

If you're starting from scratch, here's a realistic timeline:

Week 1: Assessment & Planning

  • Day 1-2: Identify where FCI is stored
  • Day 3-4: Conduct initial self-assessment (use free tools)
  • Day 5: Create prioritized gap list

Week 2: Quick Wins & M365 Configuration

  • Day 6-7: Enable MFA for all users (top priority)
  • Day 8-9: Configure password policy, external sharing restrictions
  • Day 10: Enable audit logging
  • Day 11: Collect M365 configuration evidence
  • Day 12: Create the user access review log and the sign-in log review record

Week 3: Endpoint Compliance & Documentation

  • Day 13-15: Verify/enable BitLocker on all company laptops
  • Day 16-17: Verify Windows Defender and Windows Update are current
  • Day 18: Collect laptop evidence (screenshots)
  • Day 19: Write System Security Plan

Week 4: Policies, Procedures & Final Review

  • Day 20-22: Document policies (access control, incident response, etc.)
  • Day 23-24: Create training materials, conduct security awareness training
  • Day 25-26: Organize evidence binder
  • Day 27-28: Conduct final self-assessment
  • Day 29: Executive review and sign-off
  • Day 30: Schedule formal assessment (if required)

Reality Check: This is aggressive but achievable for a small team. Budget 2-3 hours per day for the person managing this effort.

Want to Fast-Track Your Compliance?

Our Consultant-Guided Program gets you compliant in 4 weeks with weekly check-ins, evidence validation, and mock assessments.

Common M365 Pitfalls That Fail Audits

Learn from others' mistakes. Our compliance consultants have seen these pitfalls hundreds of times and know exactly how to avoid them.

Pitfall #1: The "Provisional" MFA Account

The Mistake: "We enabled MFA for everyone except Bob in Accounting because he's 'not technical' and we'll do it next month."

Why It Fails: CMMC requires MFA for all accounts with no exceptions. One non-compliant account fails the entire practice.

The Fix: Enable MFA for Bob today. Help him set up Microsoft Authenticator. There's no acceptable reason for delay.

Pitfall #2: The Forgotten Guest Accounts

The Mistake: You invited a consultant to SharePoint 8 months ago. They finished the project, but their guest account is still active with access to FCI.

Why It Fails: AC.L1-3.1.1 requires access limited to authorized users. Stale accounts prove you're not managing access properly.

The Fix:

  1. Run a report of all guest accounts
  2. Disable any inactive for >30 days
  3. Implement quarterly guest account reviews
  4. Document the review in your Access Review Log

Pitfall #3: The "But It's Encrypted!" Defense

The Mistake: "We share FCI via public SharePoint links, but it's fine because Microsoft encrypts everything."

Why It Fails: Encryption in transit doesn't prevent unauthorized access via a shared link. Anyone with the link can access the file.

The Fix:

  • Disable external sharing for FCI sites
  • Train users to share via "People in your organization" links only
  • Implement Data Loss Prevention (DLP) policies if available
  • Document sharing restrictions in your SSP

Pitfall #4: The Evidence Time-Bomb

The Mistake: You collected all your evidence in January 2024. It's now December 2024, and you're scheduling your assessment.

Why It Fails: Auditors expect current evidence. Screenshots from 11 months ago don't prove current compliance.

The Fix:

  • Refresh all evidence within 60-90 days of assessment
  • Set quarterly reminders to update evidence
  • Version control your evidence files (include dates in filenames)
  • Maintain the logs continuously, not just before audits

Pitfall #5: The "We Don't Use That Feature" Gap

The Mistake: "We turned off audit logging because it was using storage space and we don't review the logs anyway."

Why It Fails: Even if not strictly required for Level 1, audit logs demonstrate good security practice and help with incident response.

The Fix:

  • Enable audit logging (it's often free in M365 licenses)
  • Review logs monthly (even briefly)
  • Document your log reviews
  • Understand that "we don't use that" isn't a valid compliance strategy

Real Talk: The Costs You Need to Budget For

Let's be transparent about what CMMC Level 1 actually costs a small business:

One-Time Costs

  • Initial compliance effort: 60-120 hours internal time
  • Policy development: $500-3,000 (templates vs. custom)
  • Training program: $200-1,000 (off-the-shelf vs. custom)
  • Consultant (if used): $3,000-15,000 depending on scope

Ongoing Costs

  • M365 licensing: $20-35/user/month (you're probably already paying this)
  • Compliance maintenance: 4-8 hours/quarter internal time
  • Annual training: $100-500
  • Toolkit/tools: $0-200/month
  • Assessment fee (when required): $3,000-10,000

Hidden Costs (That Catch People Off-Guard)

  • Lost productivity during implementation: 10-20% for 4 weeks
  • Tool subscriptions you didn't know you needed: $50-200/month
  • Evidence storage: Minimal if using M365, but needs organization
  • The "Oh crap, we need to fix this" surprises: Budget $2,000-5,000

Total First-Year Cost for Typical 10-Person Company:

Approach             | Cost Range     | Details
---------------------|----------------|----------------------
DIY Route            | $5,000-10,000  | Mostly internal time
With Templates/Tools | $8,000-12,000  | Faster, less risk
With Consultant      | $12,000-20,000 | Highest confidence

ROI Consideration: If CMMC compliance enables you to bid on contracts worth $100,000+, this is a small investment in market access.

Want a fixed-price, transparent solution?

Our Consultant-Guided Program is $2,495 all-in. No hourly rates, no surprises, no ongoing fees beyond annual maintenance.

When DIY Isn't Enough: Getting Help

Let's be honest: You're running a business, not an IT consulting firm. Sometimes the smartest move is getting expert help.

Signs You Need Professional Assistance

You should consider outside help if:

  • You've read this guide twice and still feel lost
  • Your "IT person" is actually your Office Manager who once fixed the printer
  • You're 90 days from a contract deadline and haven't started
  • You attempted self-assessment and found 12+ gaps
  • Your prime contractor is pressuring you for proof of compliance
  • You tried to collect evidence and got overwhelmed by M365's admin portals

The Overwatch Tools Solution

The Problem We Solve: You know what CMMC requires (sort of), but you don't know:

  • What evidence to collect
  • Where to find it in M365
  • How to organize it
  • How to maintain it over time
  • Whether what you've done is actually compliant

Our Three-Tier Approach at Overwatch Tools:

1. Free Self-Assessment Tool

Start here to understand your current state:

  • Guided questionnaire covering all 17 Level 1 practices
  • Instant gap analysis
  • Prioritized remediation roadmap
  • No credit card, no commitment

2. Self-Paced Toolkit ($1,495/year)

For the motivated DIYer who needs structure:

  • 140+ pre-built artifacts telling you what you need to do
  • Organized evidence collection checklists
  • Secure document storage with version control
  • SPRS readiness and compliance reports
  • Quarterly compliance reminders
  • Access to knowledge base and tutorials

3. Consultant-Guided Program ($2,495 - Compliance in 4 Weeks or less)

For those who want expert help:

  • Everything in the Toolkit
  • Personal compliance consultant assigned to your account
  • Weekly check-in calls
  • Evidence review and validation
  • 140+ artifact templates pre-customized for your environment
  • Mock assessment before the real thing
  • Direct support during formal assessment

What You Get:

  • An expert who's done this hundreds of times
  • Confidence that you're not missing anything
  • Fast-tracked compliance (4 weeks vs. 6+ months DIY)
  • Someone to answer "Is this right?" questions
  • Peace of mind

The Bottom Line: What Success Looks Like

You'll know you're ready for a CMMC Level 1 assessment when:

  • You can answer these questions instantly: "Show me your MFA status report from last week," "How do you provision new user accounts?", "Where is your FCI stored?", "When was your last access review?", "What happens if a laptop is stolen?"
  • You have organized evidence for all 17 practices
  • Your evidence is current (within 60-90 days)
  • You can demonstrate continuous compliance, not point-in-time
  • Someone other than you could find your documentation (the "hit by a bus" test)
  • You've conducted a mock assessment and passed

Getting Started Today

If you're feeling overwhelmed, start here:

The Absolute Minimum Viable Compliance (Week 1)

  1. Enable MFA for all M365 accounts (2 hours)
  2. Export your user list (15 minutes)
  3. Export MFA status report (15 minutes)
  4. Create a simple FCI inventory (1 hour)
  5. Enable audit logging (30 minutes)

That's it for Week 1. Those five items address your highest risks and demonstrate to auditors (and your prime) that you're taking this seriously.

Week 2: Build on the Foundation

  1. Lock down external sharing settings
  2. Verify BitLocker on company laptops
  3. Start your access review log
  4. Document where you've stored this evidence

Week 3 and Beyond

Continue systematically through the remaining practices, using the roadmap in this guide.

Ready to Get Started?

Take our free 30-minute self-assessment to see exactly where you stand and what you need to fix first.

Take the First Step: Free Self-Assessment

Stop guessing where you stand. Use Overwatch Tools' free self-assessment to get a personalized gap analysis in 30 minutes.

What you'll get:

  • Practice-by-practice assessment of your current state
  • Prioritized list of what to fix first
  • Time estimates for each remediation task
  • Evidence collection checklist customized to your gaps

No credit card required. No sales pressure. Just clarity.

Still Have Questions?

Common questions from small GovCons:

Q: "My prime handles all the IT. Do I still need to do this?"

A: If you have FCI on your systems (email, file storage), yes. Your prime is responsible for their systems; you're responsible for yours.

Q: "Can't I just say I'm compliant and figure it out later?"

A: Falsely claiming CMMC compliance is a federal offense. Don't risk contract termination or legal liability.

Q: "How long does CMMC Level 1 certification last?"

A: Currently, self-assessments are valid for 1 year. Maintain your evidence and update quarterly.

Q: "What if I find gaps during self-assessment?"

A: That's the point! Better to find them now and fix them than during a prime contractor audit or contract loss.

Q: "Is M365 E3/E5 required for CMMC?"

A: No. M365 Business Premium has sufficient features for Level 1. But you must configure and document them correctly.

Resources & Next Steps

Overwatch Tools Solutions

  • Free Self-Assessment Tool - Know where you stand in 30 minutes
  • Self-Paced Toolkit - 140+ templates + organized evidence management
  • Consultant-Guided Program - Compliant in 4 weeks with expert guidance

Connect With Us

  • Email: support@overwatchtools.com
  • Schedule 30 Min Consultation: Schedule Now
  • Office Hours: Live Q&A every Thursday at 2 PM EST

Final Thoughts: You Can Do This

CMMC Level 1 compliance feels overwhelming because it's unfamiliar, not because it's impossible.

You already have most of the tools. You already have the technical capability. What you need is:

  • Clarity on what's actually required (this guide)
  • Structure to organize your evidence (templates help)
  • Consistency to maintain compliance (quarterly checklists)

Thousands of small defense contractors just like you have achieved CMMC Level 1 compliance. Most of them started with the same question you're asking now: "Where do I even begin?"

The answer: Begin with documentation. Begin with evidence. Begin today.

Your contracts—and your business—depend on it.

About Overwatch Tools

We built Overwatch Tools specifically for small defense contractors who are tired of compliance feeling like a full-time job. Our founders spent over 20 years in GovCon IT and got fed up watching small businesses struggle with documentation that should be straightforward.

We believe:

  • Compliance shouldn't cost more than the contract is worth
  • Templates shouldn't require a PhD to customize
  • Small businesses deserve tools built for their reality, not enterprise assumptions

Our mission: Make CMMC compliance achievable for every defense contractor, regardless of size or technical resources.

This guide is current as of January 2025. CMMC requirements may change. Always verify current requirements at cyberab.org. This guide provides general information and does not constitute legal or professional compliance advice.

Overwatch Tools, Inc. | Making CMMC Compliance Achievable | © 2025