How to Maintain NIST 800-171 Compliance in Microsoft 365

Published on Jan 13, 2022

If you’re an organization that supports the Department of Defense (DoD), you no doubt understand the importance of protecting information across your IT systems. The federal government recognizes this need as well, which is why it has implemented standards that federal contractors must maintain and adhere to, particularly when it comes to controlled unclassified information (CUI). According to Microsoft, the US National Institute of Standards and Technology (NIST) maintains these standards and provides guidance to organizations on how to maintain compliance. In 2015 NIST published NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. This outlines what nonfederal organizations supporting the government need to do to keep their CUI safe.

Many DoD-supporting organizations use Microsoft 365 for their business solutions. If you’re in that camp, you want to know whether it’s NIST 800-171 compliant. In this post, we’ll discuss the following:

  • Is Microsoft 365 NIST 800-171 compliant?
  • What licensing will you need for NIST 800-171 compliance in Microsoft 365?
  • Aligning Microsoft 365 to NIST 800-171
  • Where can you locate Microsoft’s audit reports for an assessment or audit?
  • What are the risks of non-compliance?

First, let’s answer the question of Microsoft 365’s overall level of NIST 800-171 compliance.

Is Microsoft 365 NIST 800-171 Compliant?

The short answer? Yes, it is. Microsoft 365 Commercial, GCC, and GCC High all have the capability to meet the controls required by NIST 800-171 without the use of third-party software. The longer answer: yes, but there are limits. The intent of NIST 800-171 is to protect Controlled Unclassified Information (CUI). Microsoft 365 Commercial does not have the ability to protect CUI that carries the additional requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012 and 252.204-7021.

Some organizations outside the Department of Defense and its contractors use NIST 800-171 as a cybersecurity framework without having to adhere to DFARS. For these organizations, Microsoft 365 is suitable to meet all the needed controls.

Remember: configuration is always needed once you turn on your environment; no environment is compliant out of the box. To meet the needed controls and maintain NIST 800-171 compliance, configure your environment before you begin work in it.

What Licensing Will You Need for NIST 800-171 Compliance in Microsoft 365?

The answer here varies according to the roles and responsibilities of your individual team members. Licensing can vary by role: some roles need only limited access, while others need expanded access. To meet all NIST 800-171 controls in Microsoft 365, each user must hold the specific licenses that enable those controls, and licensing must also be in place so that the controls protect end users.

Agile IT advises administrators (and other VIP or highly active users who might classify themselves as “high impact”) to obtain the Microsoft 365 E5 license. This enables additional features across the tenant, including advanced detection and response capabilities, and empowers those users to run a more secure environment.

Anyone classified as an information worker should have a minimum license of Office 365 E3 and Enterprise Mobility + Security (EMS) E3. This equips them with the right level of protection as well as the ability to prevent data loss. If any of your users don’t need access to Office apps, an Office 365 F3 with EMS E3 license will prove suitable.

Aligning Microsoft 365 to NIST 800-171

Once you’ve determined the right licensing across your organization, you’ll then want to map out how to align your systems with NIST controls. How you align Microsoft 365 to NIST controls will vary depending on the complexity of your environment. The simplest method is to use Microsoft’s Compliance Manager tool. This allows you to map NIST 800-171 controls to your Microsoft 365 features, with full documentation of the specific steps you’ll need to take to do so. Microsoft also documents the actions that customers need to take to meet each control.

You’ll need to purchase a premium add-on to enable this. Adding the NIST 800-171 template costs $2,500 per month. If you have GCC High, the Compliance Manager templates for NIST 800-171 (as well as for the Cybersecurity Maturity Model Certification, CMMC) come as part of the Microsoft E5 licensing package.

Where Can You Locate Microsoft’s Audit Reports for an Assessment or Audit?

If you’re looking for Microsoft’s audit reports, you’re in luck. Microsoft makes them all available in one central location: the Service Trust Portal. They’re free, but you’ll need an active Microsoft account to access them. The documents listed below are the ones you’ll need, and they are all available within the portal:

  • Office 365 MT FedRAMP Control Implementation Summary
  • Office 365 MT FedRAMP System Security Plan (SSP)
  • Microsoft Azure Commercial System Security Plan (SSP)
  • Office 365 Attestation of Compliance with Defense Federal Acquisition Standard
  • Office 365 DFARS NIST 800-171 Attestation Letter

The Service Trust Portal also has other compliance documents you may need, such as documentation about SOC 2 and HITRUST.

What Are the Risks of Non-Compliance?

Now that you understand what you’ll need to do to gain and maintain NIST 800-171 compliance in Microsoft 365, it’s important to also understand the risks of non-compliance. When CMMC 2.0 launched in November 2021, the self-attestation component struck many contractors as a free pass. What many didn’t realize, however, is that one month prior the Department of Justice had unveiled its Civil Cyber-Fraud Initiative. This enables the government to take much more aggressive action against government contractors that misrepresent their cybersecurity posture. In short, willful negligence, or even honest mistakes, could prove both dangerous and costly.

Microsoft 365 is a powerful tool. It’s also complex and can be hard to navigate without the right knowledge or background. To ensure that you are properly implementing your environment for a CMMC assessment, whether self-attested, performed by a CMMC Third-Party Assessment Organization (C3PAO), or performed by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), it is critical to partner with a Microsoft Security Partner who also understands the nuances and impact of CMMC.

Learn More About NIST 800-171 Compliance in Microsoft 365

Agile IT is that partner. We’ve guided organizations through the complicated process of Microsoft 365 compliance. To find out how we can lend our expertise to help you maintain compliance, request a consultation today.
