
How to Maintain NIST 800-171 Compliance in Microsoft 365


5 min read
Published on Jan 13, 2022

If you’re an organization that supports the Department of Defense (DoD), you no doubt understand the importance of protecting information across your IT systems. The federal government recognizes this need as well, which is why it has implemented standards that federal contractors must adhere to, particularly when it comes to controlled unclassified information (CUI). According to Microsoft, the US National Institute of Standards and Technology (NIST) maintains these standards and provides guidance to organizations on how to maintain compliance. In 2015 NIST published SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which outlines what nonfederal organizations supporting the government must do to keep CUI safe.

Many DoD supporting organizations use Microsoft 365 for their business solutions. If you’re in that camp, you want to know if it’s NIST 800-171 compliant. In this post, we’ll discuss the following:

  • Is Microsoft 365 NIST 800-171 compliant?
  • What licensing will you need for NIST 800-171 compliance in Microsoft 365?
  • Aligning Microsoft 365 to NIST 800-171
  • Where can you locate Microsoft’s audit reports for an assessment or audit?
  • What are the risks of non-compliance?

First, let’s answer the question of Microsoft 365’s overall level of NIST 800-171 compliance.

Is Microsoft 365 NIST 800-171 Compliant?

The short answer? Yes, it is. Microsoft 365 Commercial, GCC, and GCC High all have the capability to meet the controls needed for NIST 800-171 without third-party software. The longer answer: yes, but there are limits. The intent of NIST 800-171 is to protect Controlled Unclassified Information (CUI). Microsoft 365 Commercial cannot protect CUI that carries the additional requirements set out in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012 and 252.204-7021.

Some organizations - outside the Department of Defense, and its contractors - use NIST 800-171 as a cybersecurity framework without having to adhere to DFARS. For these organizations, Microsoft 365 is suitable to meet all the needed controls.

Remember: configuration is always required once you turn on your environment - no environment is configured for compliance out of the box. To meet the needed controls and maintain NIST 800-171 compliance, configure your environment before you begin work in it.

What Licensing Will You Need for NIST 800-171 Compliance in Microsoft 365?

The answer here varies according to the roles and responsibilities of your individual team members. Licensing can vary by role: some roles need only limited access, while others need expanded access. To meet all NIST 800-171 controls in Microsoft 365, each user must hold the specific licenses that enable those controls, and the licensing must be in place for the controls that protect end users as well.

Agile IT advises administrators (and other VIP/active users who might classify themselves as “high impact”) to obtain the Microsoft 365 E5 license. This enables additional features across the tenant, including advanced detection and response capabilities. This empowers the user to enable a more secure environment.

Anyone classified as an information worker should have a minimum license of Office 365 E3 and Enterprise Mobility + Security (EMS) E3. This equips them with the right level of protection as well as the ability to prevent data loss. If any of your users don’t need access to Office apps, an Office 365 F3 license with EMS E3 will prove suitable.

Aligning Microsoft 365 to NIST 800-171

Once you’ve determined the right licensing across your organization, you’ll then want to map out how to align your systems with the NIST controls. How you align Microsoft 365 to NIST controls will vary depending on the complexity of your environment. The simplest method is to use Microsoft’s Compliance Manager tool. This allows you to map NIST 800-171 controls to your Microsoft 365 features, with full documentation of the specific steps you’ll need to take to do so. Microsoft also documents the customer actions you will need to take to meet each control.

You’ll need to purchase a premium add-on to enable this: the NIST 800-171 template costs $2,500 per month. If you have GCC High, the Compliance Manager templates for NIST 800-171 (as well as for Cybersecurity Maturity Model Certification) come as part of the Microsoft E5 licensing package.

Where Can You Locate Microsoft’s Audit Reports for an Assessment or Audit?

If you’re looking for Microsoft’s audit reports, you’re in luck. They are all available in one central location: Microsoft’s Service Trust Portal. They’re free, but you’ll need an active Microsoft account to access them. The documents you’ll need, all found within the portal, are listed below:

  • Office 365 MT FedRAMP Control Implementation Summary
  • Office 365 MT FedRAMP System Security Plan (SSP)
  • Microsoft Azure Commercial System Security Plan (SSP)
  • Office 365 Attestation of Compliance with Defense Federal Acquisition Regulation Supplement (DFARS)
  • Office 365 DFARS NIST 800-171 Attestation Letter

The Service Trust Portal also has other compliance documents you may need, such as documentation about SOC 2 and HITRUST.

What Are the Risks of Non-Compliance?

Now that you understand what you’ll need to do to gain and maintain NIST 800-171 compliance in Microsoft 365, it’s important to also understand the risks of non-compliance. When CMMC 2.0 launched in November of last year, the self-attestation component struck many contractors as a free pass. What many didn’t realize, however, is that one month prior the Department of Justice had unveiled its Civil Cyber-Fraud Initiative, which enables the government to take much more aggressive action against government contractors. In short, willful negligence - or even honest mistakes - could prove both dangerous and costly.

Microsoft 365 is a powerful tool. It’s also complex and can be hard to navigate without the right knowledge or background. To ensure that you are properly implementing your environment for a CMMC assessment, whether self-attested, performed by a CMMC C3PAO, or performed by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), it is critical to partner with a Microsoft Security Partner who also understands the nuances and impact of CMMC.

Learn More About NIST 800-171 Compliance in Microsoft 365

Agile IT is that partner. We’ve guided organizations through the complicated process of Microsoft 365 compliance. To find out how we can lend our expertise to help you maintain compliance, request a consultation today.
