How to Maintain NIST 800-171 Compliance in Microsoft 365

5 min read
Published on Jan 13, 2022

If you’re an organization that supports the Department of Defense (DoD), you no doubt understand the importance of protecting information across your IT systems. The federal government recognizes this need as well, which is why they’ve implemented standards that federal contractors must maintain and adhere to, particularly when it comes to controlled unclassified information (CUI). According to Microsoft, the US National Institute of Standards and Technology (NIST) maintains these standards and provides guidance to organizations on how to maintain compliance. In 2015 they published NIST 800-171 compliance: Protecting Unclassified Information in Nonfederal Information Systems and Organizations. This outlines what nonfederal organizations supporting the government need to do to keep their CUI safe.

Many DoD-supporting organizations use Microsoft 365 for their business solutions. If you’re in that camp, you want to know whether it is NIST 800-171 compliant. In this post, we’ll discuss the following:

  • Is Microsoft 365 NIST 800-171 compliant?
  • What licensing will you need for NIST 800-171 compliance in Microsoft 365?
  • How do you align Microsoft 365 to NIST 800-171?
  • Where can you locate Microsoft’s audit reports for an assessment or audit?
  • What are the risks of non-compliance?

First, let’s answer the question of Microsoft 365’s overall level of NIST 800-171 compliance.

Is Microsoft 365 NIST 800-171 Compliant?

The short answer? Yes, it is. Microsoft 365 Commercial, GCC, and GCC High all have the capability to meet the controls needed for NIST 800-171 without the use or assistance of third-party software. The longer answer: yes, but there are limits. The intent of NIST 800-171 is to protect Controlled Unclassified Information (CUI). Microsoft 365 Commercial does not have the ability to protect CUI under the additional requirements set out in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012 and 252.204-7021.

Some organizations outside the Department of Defense and its contractors use NIST 800-171 as a cybersecurity framework without having to adhere to DFARS. For these organizations, Microsoft 365 is suitable to meet all the needed controls.

Remember: configuration is always needed once you turn on your environment; no environment is compliant out of the box. To meet the needed controls and maintain NIST 800-171 compliance, configure your environment before you begin work in it.

What Licensing Will You Need for NIST 800-171 Compliance in Microsoft 365?

The answer here varies according to the roles and responsibilities of your individual team members. Licensing can vary by role: some roles need only limited access, while others need expanded access. To meet all NIST 800-171 controls in Microsoft 365, users must hold specific licenses, and specific licensing must also be in place for the controls that protect end users.

Agile IT advises administrators (and other VIP/active users who might classify themselves as “high impact”) to obtain the Microsoft 365 E5 license. This enables additional features across the tenant, including advanced detection and response capabilities. This empowers the user to enable a more secure environment.

Anyone classified as an information worker should have a minimum license of Office 365 E3 and Enterprise Mobility E3. This equips them with the right level of protection as well as the ability to prevent data loss. If any of your users don’t need access to Office apps, an Office 365 F3 with EMS E3 license will prove suitable.

Aligning Microsoft 365 to NIST 800-171

Once you’ve determined the right licensing across your organization, you’ll want to map out how to align your systems with NIST controls. How you align Microsoft 365 to NIST controls will vary depending on the complexity of your environment. The simplest method is to use Microsoft’s Compliance Manager tool. This allows you to map NIST 800-171 controls to your Microsoft 365 features, with full documentation of the specific steps you’ll need to take to do so. Microsoft also documents the actions customers need to take to meet each control.

You’ll need to purchase a premium add-on to enable this. Adding the NIST 800-171 template will cost $2,500 on a monthly basis. If you have GCC High, the Compliance Manager’s templates for NIST 800-171 (as well as Cybersecurity Maturity Model Certification) come as part of the Microsoft E5 licensing package.

Where Can You Locate Microsoft’s Audit Reports for an Assessment or Audit?

If you’re looking for Microsoft’s audit reports, you’re in luck. Microsoft makes them all available in one central location: the Service Trust Portal. They’re free, but you’ll need an active Microsoft account to access them. The documents you’ll need are listed below and can be found within the portal:

  • Office 365 MT FedRAMP Control Implementation Summary
  • Office 365 MT FedRAMP System Security Plan (SSP)
  • Microsoft Azure Commercial System Security Plan (SSP)
  • Office 365 Attestation of Compliance with Defense Federal Acquisition Standard
  • Office 365 DFARS NIST 800-171 Attestation Letter

The Service Trust Portal also has other compliance documents you may need, such as documentation about SOC 2 and HITRUST.

What Are the Risks of Non-Compliance?

Now that you understand what you’ll need to do to gain and maintain NIST 800-171 compliance in Microsoft 365, it’s important to also understand the risks of non-compliance. When CMMC 2.0 launched in November of last year, the self-attestation component struck many contractors as a free pass. What many didn’t realize, however, is that one month prior the Department of Justice had unveiled its Civil Cyber-Fraud Initiative. This enabled the government to take much more aggressive action against government contractors. In short, willful negligence, or even honest mistakes, could prove both dangerous and costly.

Microsoft 365 is a powerful tool. It’s also complex and can be hard to navigate without the right knowledge or background. To assure that you are properly implementing your environment for a CMMC assessment, whether self-attested, performed by a CMMC C3PAO, or performed by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), it is critical to partner with a Microsoft Security Partner who also understands the nuances and impact of CMMC.

Learn More About NIST 800-171 Compliance in Microsoft 365

Agile IT is that partner. We’ve guided organizations through the complicated process of Microsoft 365 compliance. To find out how we can lend our expertise to help you maintain compliance, request a consultation today.
