CMMC 2.0: what it demands, and what your tenant can already prove

The Cybersecurity Maturity Model Certification is now phasing into Department of Defense contracts. If you handle Federal Contract Information or Controlled Unclassified Information, directly or as a subcontractor, a CMMC level will appear in your contracts, and an assessor will ask for evidence, not intentions. This guide covers the levels, the 14 domains, and the part most guides skip: which Microsoft 365, Intune, and Defender settings become that evidence. Senserva scans produce dated, audit-ready reports for many Level 2 requirements today, with full per-requirement CMMC mapping arriving in the next Siemserva release.


The three levels

Level 1: Foundational (FCI, annual self-assessment)
15 basic safeguarding requirements from FAR 52.204-21: access control, media handling, physical protection, basic system protection.
Self-assessed annually, affirmed in SPRS by a company official.

Level 2: Advanced (CUI, mostly C3PAO-assessed)
The 110 security requirements of NIST SP 800-171 across 14 domains. This is where most defense contractors land.
Assessed every three years, by an accredited C3PAO for most CUI contracts; limited POA&M items must close within 180 days.

Level 3: Expert (highest-risk programs)
Level 2 plus selected enhanced requirements from NIST SP 800-172, aimed at advanced persistent threats.
Assessed by the government (DIBCAC), on top of a passing Level 2.

Cloud reality: CUI handling usually points contractors to Microsoft 365 GCC or GCC High, and export-controlled (ITAR) data effectively requires GCC High. The tenant misconfigurations that fail a commercial audit fail a CMMC assessment too, which is why the evidence question below matters more than the paperwork.

The 14 domains, and what your tenant can prove today

Level 2's 110 requirements group into 14 domains. For each, an assessor wants operating evidence: configuration state, logs, and dated reports. Senserva's 672 Microsoft 365, Intune, Defender, and Entra ID checks and its patch intelligence already generate that evidence for the domains marked below; the rest arrive with the per-requirement CMMC mapping in the next Siemserva release.

Access Control (AC): EVIDENCE TODAY
Conditional Access enforcement, least privilege and PIM, guest and legacy-auth lockdown, session controls. Senserva's largest check area.

Identification & Authentication (IA): EVIDENCE TODAY
MFA coverage per user, authentication method strengths, FIDO2 and Windows Hello for Business posture, password policy.

Audit & Accountability (AU): EVIDENCE TODAY
Unified audit log health, sign-in and directory log coverage, retention state: the logging an assessor asks to see first.

Configuration Management (CM): EVIDENCE TODAY
Intune compliance policies, configuration profiles, baseline coverage, attack surface reduction, app control, drift over time.

Risk Assessment (RA): EVIDENCE TODAY
Vulnerability identification per device: missing updates joined to CVEs, ranked by CISA KEV and EPSS. Dated patch reports are direct RA evidence.

System & Information Integrity (SI): EVIDENCE TODAY
Flaw remediation in a timely manner: per-device patch state from Defender, antivirus posture, email protections (anti-phishing, Safe Links).

System & Communications Protection (SC): EVIDENCE TODAY
Encryption state (BitLocker), email and Teams protections, network security checks.

Incident Response (IR): EVIDENCE TODAY
Security alert visibility and log health that incident response depends on; response process evidence remains yours.

Media Protection (MP): NEXT RELEASE
Partially: disk encryption and DLP-adjacent settings; physical media handling remains a process control.

Awareness & Training (AT): NEXT RELEASE
Process domain: training records live outside the tenant. The mapping release will mark these explicitly out of scan scope.

Maintenance (MA): NEXT RELEASE
Partially: update rings, deferrals, and Autopatch deployment health cover system maintenance; physical maintenance is process.

Personnel Security (PS): NEXT RELEASE
Process domain: screening and offboarding procedures, with offboarding hygiene (stale accounts, orphaned access) scan-checkable.

Physical Protection (PE): NEXT RELEASE
Process domain: facility controls sit outside the tenant.

Security Assessment (CA): EVIDENCE TODAY
The recurring Senserva scan itself is a security assessment artifact: dated, repeatable, and diffable between runs.

EVIDENCE TODAY means Senserva reports already produce assessor-ready artifacts for requirements in that domain. NEXT RELEASE means the per-requirement mapping, arriving in the next Siemserva release, will state exactly which requirements are covered, partially covered, or out of scan scope.

What is coming in the next release

CMMC support is in active development for the next Siemserva release: every check mapped to the Level 2 requirements it evidences, a CMMC view in reports so an assessor sees findings organized by requirement, and gap output that reads like a POA&M starting point. The 672 checks and the patch intelligence above are the foundation; the release adds the CMMC lens over them.

Preparing now is not wasted work: every misconfiguration fixed and every patch gap closed today is a requirement you will not fail later.


CMMC questions, answered

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification is the Department of Defense's framework for verifying that contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is now phasing into DoD contracts: if you sell to the DoD, directly or as a subcontractor, a CMMC level will appear in your contracts.

What are the three CMMC levels?

Level 1 covers 15 basic safeguarding requirements from FAR 52.204-21 for FCI, verified by annual self-assessment. Level 2 is the 110 security requirements of NIST SP 800-171 for CUI, verified every three years, by a C3PAO third-party assessment for most contracts. Level 3 adds selected requirements from NIST SP 800-172 for the highest-risk programs, assessed by the government.

Do I need GCC or GCC High for CMMC?

CMMC itself does not mandate a cloud, but CUI handling usually points defense contractors to Microsoft 365 GCC or GCC High, and export-controlled data (ITAR) effectively requires GCC High. The same tenant misconfigurations that fail commercial audits fail CMMC assessments too.

What counts as evidence in a CMMC assessment?

Assessors want proof that a requirement is implemented and operating: configuration state, screenshots or reports of settings, audit logs, and vulnerability and patch records. A dated, repeatable report showing MFA enforcement, audit log health, or patch state on every device is exactly the artifact an assessor asks for.
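As an added example (not Senserva's code or report output), the following Microsoft Graph PowerShell script produces the kind of dated, repeatable artifact described above for the Identification & Authentication and Access Control domains: a per-user MFA registration export, an export of Conditional Access policies showing which enabled policies require MFA, and a one-page summary, all written to a date-stamped folder so successive runs can be diffed. It assumes the Microsoft.Graph module is installed and the signed-in account has been granted the read-only scopes listed; the folder and file names are illustrative.

```powershell
# Added example, not Senserva code: date-stamped IA/AC evidence snapshot
# from Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and
# an account granted the read-only scopes below. Output names are illustrative.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

$stamp  = Get-Date -Format 'yyyy-MM-dd'
$outDir = Join-Path $PWD "cmmc-evidence-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# IA domain: per-user MFA registration state (registered vs. merely capable,
# and which methods), one row per user
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$reg | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
    @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path (Join-Path $outDir 'ia-mfa-registration.csv') -NoTypeInformation

$notRegistered       = @($reg | Where-Object { -not $_.IsMfaRegistered })
$adminsNotRegistered = @($notRegistered | Where-Object { $_.IsAdmin })

# AC domain: Conditional Access policies, their state, and the grant controls
# they apply; an enabled policy whose grant controls include 'mfa' is enforcement
$ca = Get-MgIdentityConditionalAccessPolicy -All
$ca | Select-Object DisplayName, State,
    @{ n = 'GrantControls'; e = { $_.GrantControls.BuiltInControls -join ';' } },
    @{ n = 'IncludedUsers'; e = { $_.Conditions.Users.IncludeUsers -join ';' } } |
    Export-Csv -Path (Join-Path $outDir 'ac-conditional-access.csv') -NoTypeInformation

$mfaEnforcing = @($ca | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' })

# Summary: the dated, diffable one-pager an assessor reads first
@"
CMMC evidence snapshot          $stamp
Users in report:                $($reg.Count)
Users without MFA registered:   $($notRegistered.Count)
Admins without MFA registered:  $($adminsNotRegistered.Count)
Conditional Access policies:    $($ca.Count)
Enabled policies requiring MFA: $($mfaEnforcing.Count)
"@ | Set-Content -Path (Join-Path $outDir 'summary.txt')

Disconnect-MgGraph | Out-Null
```

Keep each dated folder; the CSVs are what an assessor samples, and the summary lines are what you compare between runs to show the gap closing.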

Can Senserva data be used as CMMC evidence today?

Yes, for many Level 2 requirements. Senserva's 672 checks and patch intelligence already produce dated, audit-ready reports covering access control, identification and authentication, audit and accountability, configuration management, risk assessment, and system and information integrity. Per-requirement CMMC mapping ships in the next Siemserva release.