CMMC and GCC for Microsoft 365: how the pieces fit

Defense and government work runs on different Microsoft clouds and answers to different rules. This page explains CMMC, the Microsoft 365 Government environments (GCC, GCC High, and DoD), and how they tie together, so you can see the landscape clearly.

Informational, for now. Senserva runs against commercial Microsoft 365 today. It does not yet support Microsoft 365 Government (GCC, GCC High, or DoD) and does not provide CMMC assessment or any Federal authorization. We are working toward Federal support and will announce it as soon as Government cloud access is in place. This page is a primer on the landscape, not a statement of current coverage.

What CMMC is

The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense program that verifies defense contractors protect sensitive information. It applies across the Defense Industrial Base (DIB), and the level required depends on the data you handle.

Level | What it covers
Level 1 (Foundational) | Basic safeguarding of Federal Contract Information (FCI). Annual self-assessment.
Level 2 (Advanced) | Protection of Controlled Unclassified Information (CUI), aligned to the NIST SP 800-171 controls. Self or third-party assessment depending on the contract.
Level 3 (Expert) | The highest tier, adding controls from NIST SP 800-172 for the most sensitive programs.

In short: FCI points you toward Level 1, CUI toward Level 2 and its NIST SP 800-171 control set, and the most sensitive work toward Level 3. The data you hold drives the level you need.

The Microsoft 365 Government clouds

Microsoft runs separate government clouds so regulated data stays in the right boundary. Choosing the right one is a prerequisite for meeting CUI and DoD obligations.

GCC
Government Community Cloud, for state, local, and many federal needs. US-based, with controls beyond commercial, but not designed for the strictest CUI or ITAR cases.
GCC High
Built to support CUI, DFARS, and ITAR, with screened US-person operations and FedRAMP High alignment. The common target for CMMC Level 2 in the defense base.
DoD
The Department of Defense cloud, for DoD mission owners and the most sensitive impact levels.

Microsoft also publishes which services and certifications apply in each environment, and a shared-responsibility model: Microsoft secures the platform, and the customer is responsible for how identity, devices, data, and access are configured on top of it.

How it ties together

CMMC says what you must protect and to what standard. The Microsoft 365 Government clouds give you a boundary built for that data. The tenant configuration on top (identity, Conditional Access, device compliance in Intune, Defender, and Purview information protection) is where most of the NIST SP 800-171 control families are actually satisfied or missed.

  • Pick the cloud that matches your data: FCI may fit GCC; CUI and ITAR generally point to GCC High.
  • Map your CMMC level to the NIST control set: Level 2 maps to 800-171; Level 3 adds 800-172.
  • Configure and prove the technical controls in the tenant, then keep evidence that they stay in place.

Where Senserva is headed

Senserva already brings deep Microsoft 365, Intune, Defender, Entra ID, and Purview analysis to commercial tenants: ranked findings, automated and validated approve-before-apply remediation, and Senserva Trustworthy AI that keeps every answer grounded and every change reviewed. It complements the tools you already run rather than replacing them.

When Government cloud access is in place, the plan is to bring that same depth to GCC and GCC High, with the configuration evidence and remediation that map to the NIST SP 800-171 and 800-172 control families behind CMMC. This page is the warm-up. We will update it with specifics the moment Federal support is live.

Nothing here is a claim of current Federal support, CMMC certification, or Government cloud coverage. It is a primer plus our direction.

AI governance belongs in the Federal conversation

As AI and Copilot enter government and defense work, AI governance becomes part of the same compliance picture. The standards below are the most relevant to Federal and regulated programs, and Senserva already audits the Microsoft AI surface they care about: agent identities, the permissions agents inherit, and high-risk Graph scopes. That coverage is available on commercial Microsoft 365 today and is part of the same roadmap toward Government cloud support.

NIST AI RMF
The US framework (Govern, Map, Measure, Manage). The natural AI companion to NIST 800-171 and 800-172 thinking.
ISO/IEC 42001
The international AI management system standard. A structured way to govern AI risk, impact, and lifecycle.
Microsoft AI security
What Senserva audits today: Copilot and AI agent identities, inherited permissions, and high-risk Graph scopes.

See the full AI Governance coverage for how these map to Senserva.

Talk to us about Federal

If CMMC and GCC are on your roadmap, tell us. We will let you know the moment Senserva Federal support is available. In the meantime, see how the same control thinking already works on commercial Microsoft 365.
