One of the most critical and often misunderstood steps in achieving Cybersecurity Maturity Model Certification (CMMC) compliance is defining what is “in scope.” Accurately identifying and scoping systems determines not only the boundaries of your compliance obligations but also the costs, complexity, and required level of certification.

For organizations using Microsoft 365 and Azure, scoping can be both simplified and enhanced. These platforms inherently support secure segmentation, identity controls, and compliance monitoring—making them well-suited to handle Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Understanding how to define, isolate, and manage your CMMC-relevant systems within Microsoft’s cloud ecosystem is the foundation of a successful and sustainable compliance program.


Understanding CMMC Scope

Scoping involves identifying which systems, users, applications, and data flows are within the CMMC assessment boundary. It is guided by the CMMC Scoping Guides published by the Department of Defense, which categorize assets into different types, such as:

  • CUI Assets – Systems that process, store, or transmit Controlled Unclassified Information.
  • Security Protection Assets – Tools and systems that protect CUI assets (for example, monitoring, firewalls, or endpoint protection).
  • Contractor Risk Managed Assets – Systems indirectly connected but managed through organizational risk decisions.
  • Out-of-Scope Assets – Systems completely isolated from CUI environments.

Defining these boundaries ensures that assessment efforts focus on systems where CUI and FCI actually reside, preventing unnecessary costs and complexity.

For Microsoft 365 and Azure users, this means understanding which tenant, subscription, or workload directly or indirectly interacts with CUI data.


Why Scoping Matters

Scoping is not merely an administrative step; it determines the entire architecture of your CMMC compliance strategy.

  • Assessment Impact: Incorrect scoping leads to incomplete assessments or unnecessary inclusion of low-risk assets.
  • Cost and Time: A broader scope increases audit time and infrastructure costs.
  • Security Integrity: Narrow or inaccurate scoping may expose sensitive data outside protected boundaries.

Proper scoping provides clarity. It helps you define which NIST SP 800-171 controls must be met and which environments fall under DFARS 252.204-7012 obligations.


Scoping in the Microsoft 365 Environment

Microsoft 365 offers several deployment models (Commercial, GCC, and GCC High) that support different levels of government and defense compliance.

When scoping for CMMC, start by asking: Where does CUI or FCI live within my Microsoft 365 tenant?

1. Identify Data Repositories

CUI often resides in one or more of the following:

  • SharePoint Online sites used for document collaboration.
  • Teams channels containing project communications and shared files.
  • Exchange Online mailboxes that transmit or store contract-related information.
  • OneDrive for Business folders containing deliverables or subcontractor documentation.

These repositories should be considered in scope if they contain or interact with CUI.

2. Map User Access and Roles

Use Microsoft Entra ID (formerly Azure Active Directory) to identify which users, groups, and guest accounts can access CUI resources.
Define roles using Role-Based Access Control (RBAC) and implement Conditional Access to enforce access policies (e.g., requiring MFA for sensitive locations).
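The access mapping in step 2 is easiest to get right when it is computed rather than eyeballed, because group nesting and subscription-level role assignments silently extend who can reach a CUI resource. The following is an added example, not code from the article or from Microsoft: it resolves nested Entra ID group membership, applies Azure RBAC scope inheritance (an assignment at a subscription or resource group covers everything beneath it), and reports which principals hold which roles on each CUI-tagged resource, flagging guests. Every principal, group, role assignment, resource ID and tag below is constructed sample data.

```python
"""Added example (not from the original article): resolve who can reach
CUI-tagged resources from Entra ID group membership and Azure RBAC role
assignments. All identities, groups, scopes and resources are constructed."""
from collections import defaultdict

# Constructed Entra ID principals; "guest" marks B2B guest accounts.
PRINCIPALS = {
    "alice@contractor.example": {"type": "Member", "guest": False},
    "bob@contractor.example": {"type": "Member", "guest": False},
    "vendor@partner.example": {"type": "Guest", "guest": True},
    "svc-backup": {"type": "ServicePrincipal", "guest": False},
}

# Constructed groups; a member whose name is also a group key is a nested group.
GROUPS = {
    "grp-cui-engineers": ["alice@contractor.example", "grp-cui-subcontractors"],
    "grp-cui-subcontractors": ["vendor@partner.example"],
    "grp-all-staff": ["alice@contractor.example", "bob@contractor.example"],
}

# Constructed RBAC assignments as (principal, role, scope). Scopes follow the
# Azure resource ID hierarchy, so a subscription-level assignment also applies
# to every resource group and resource beneath it.
ROLE_ASSIGNMENTS = [
    ("grp-cui-engineers", "Contributor",
     "/subscriptions/sub-cui/resourceGroups/rg-cui-app"),
    ("grp-all-staff", "Reader", "/subscriptions/sub-corp"),
    ("svc-backup", "Storage Blob Data Reader", "/subscriptions/sub-cui"),
    ("bob@contractor.example", "Owner",
     "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Sql/servers/sql-contracts"),
]

# Constructed inventory using the DataType tag from the article's tagging scheme.
RESOURCES = {
    "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Sql/servers/sql-contracts":
        {"DataType": "CUI"},
    "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Storage/storageAccounts/stcuidocs":
        {"DataType": "CUI"},
    "/subscriptions/sub-corp/resourceGroups/rg-web/providers/Microsoft.Web/sites/marketing":
        {"DataType": "Public"},
}


def expand_group(name, seen=None):
    """Return the non-group principals reachable through nested membership (cycle-safe)."""
    seen = set() if seen is None else seen
    members = set()
    for m in GROUPS.get(name, []):
        if m in GROUPS:
            if m not in seen:
                seen.add(m)
                members |= expand_group(m, seen)
        else:
            members.add(m)
    return members


def scope_covers(assignment_scope, resource_id):
    """True when the resource sits at or beneath the assignment scope."""
    return resource_id == assignment_scope or resource_id.startswith(assignment_scope + "/")


def cui_access_map():
    """Map each CUI-tagged resource to {principal: [roles]} after expanding groups and scopes."""
    access = defaultdict(dict)
    for principal, role, scope in ROLE_ASSIGNMENTS:
        identities = expand_group(principal) if principal in GROUPS else {principal}
        for rid, tags in RESOURCES.items():
            if tags.get("DataType") != "CUI" or not scope_covers(scope, rid):
                continue
            for ident in identities:
                access[rid].setdefault(ident, set()).add(role)
    return {rid: {i: sorted(r) for i, r in ids.items()} for rid, ids in access.items()}


def guests_with_cui_access():
    """Guest accounts that reach any CUI resource; each needs an explicit risk decision."""
    return sorted({i for ids in cui_access_map().values() for i in ids
                   if PRINCIPALS.get(i, {}).get("guest")})


if __name__ == "__main__":
    for rid, ids in cui_access_map().items():
        print(rid.rsplit("/", 1)[-1])
        for ident, roles in sorted(ids.items()):
            print(f"  {ident}: {', '.join(roles)}")
    print("guests with CUI access:", guests_with_cui_access())
```

The output is the list of users, roles and administrative accounts with CUI access that the SSP has to carry, and the guest list is the input to a Conditional Access decision (for example, whether guests are blocked from the CUI locations or allowed only with MFA). Note how the guest reaches both CUI resources through a nested group, and how the backup service principal reaches them through a subscription-level assignment that never names them.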

3. Define Boundary Controls

Use Microsoft Information Protection (MIP) and Sensitivity Labels to mark and restrict data flow. Configure Data Loss Prevention (DLP) to prevent accidental sharing of CUI outside of approved channels.
These tools create digital “walls” that help enforce your CMMC assessment boundaries within Microsoft 365.


Scoping in Azure

For many contractors, sensitive workloads extend beyond Microsoft 365 into Azure-hosted applications, virtual machines, and storage accounts.
The process of defining scope in Azure follows the same principle: determine which systems store, process, or transmit CUI or FCI.

Identify Azure Subscriptions
Start by inventorying Azure subscriptions and identifying which host workloads interact with CUI data. If possible, separate production workloads (CUI systems) from general business systems through isolated subscriptions or resource groups.

Tag and Classify Assets
Use Azure Policy and Resource Tagging to classify assets based on CUI interaction. For example:

  • DataType=CUI
  • ComplianceScope=CMMC-Level2
  • Environment=Production

This tagging helps ensure consistent governance and makes it easier to identify in-scope systems during audits.

Network Segmentation
Implement Azure Virtual Networks (VNets) and Network Security Groups (NSGs) to separate CUI-handling resources from other workloads. Ensure secure access using Private Endpoints and Azure Firewall, and prohibit direct internet exposure for sensitive workloads.

Identity and Access
Centralize identity with Entra ID and enforce least-privilege principles with Privileged Identity Management (PIM). Restrict administrative access using Just-In-Time (JIT) elevation and ensure all administrative activity is logged through Azure Monitor and Microsoft Sentinel.

Data Protection and Encryption
Enable Azure Disk Encryption, Storage Service Encryption, and Azure Key Vault for encryption key management. All CUI data should be encrypted at rest and in transit, in accordance with CMMC AC.L2-3.1.19 and SC.L2-3.13.8.


The Role of Boundary Documentation

An essential part of scoping is creating documentation that defines your assessment boundary.
This includes:

  • A System Security Plan (SSP) describing in-scope assets and their protection mechanisms.
  • Network diagrams illustrating system interconnections and data flow.
  • A list of users, roles, and administrative accounts with access to CUI.
  • Policies defining CUI handling procedures across Microsoft 365 and Azure.

Microsoft provides tools such as Compliance Manager and Microsoft Purview to automate control mapping and documentation. By using these, contractors can maintain living documentation that evolves as their environment changes—reducing audit preparation time.


Minimizing the Compliance Boundary

A common mistake is to include the entire enterprise environment in scope. This significantly increases the complexity and cost of certification. Instead, organizations should seek to minimize the compliance boundary through logical and technical segmentation.

Within Microsoft 365, this might mean:

  • Creating a dedicated SharePoint site collection for defense contracts.
  • Restricting Teams collaboration to authorized internal users only.
  • Isolating email communications related to DoD work in a specific Exchange mail domain.

Within Azure, it might involve:

  • Establishing dedicated subscriptions for CUI workloads.
  • Using Azure Landing Zones to isolate defense workloads from corporate IT systems.
  • Applying network segmentation and conditional access to restrict lateral movement.

The narrower your scope, the more focused and cost-efficient your compliance program becomes.


Using Microsoft Compliance Manager for Scoping Validation

Microsoft Compliance Manager, part of the Microsoft Purview suite, provides a unified interface to assess readiness against CMMC, NIST SP 800-171, and related frameworks.
It enables organizations to:

  • Map technical and documentation controls directly to CMMC requirements.
  • Assign ownership and implementation status.
  • Upload evidence (such as configuration exports or screenshots).
  • Track overall progress through a compliance score.

For scoping specifically, Compliance Manager helps confirm whether identified systems and services have control coverage. It also highlights any missing policies or configurations that could expand or reduce your defined boundary.


Automation and Continuous Scope Validation

Scope management is not a one-time exercise. System changes, new integrations, and user onboarding can unexpectedly expand or alter your boundary.

Tools like Microsoft Defender for Cloud and Azure Policy can continuously evaluate configurations against baseline compliance rules. They automatically detect when:

  • A non-compliant virtual machine is deployed.
  • A storage account lacks encryption.
  • An identity is added to a privileged group.

Integrating these findings into your Security Information and Event Management (SIEM) system, such as Microsoft Sentinel, provides automated visibility into boundary drift and control degradation.
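The tagging scheme from the Azure section and the three drift conditions listed above can be expressed as a small evaluator that runs over an inventory snapshot and produces the records a SIEM would ingest. The following is an added example, not code from the article or from Microsoft: it decides scope from the DataType and ComplianceScope tags, checks in-scope resources for missing tags, public exposure, permitted HTTP traffic and at-rest encryption that is not backed by a Key Vault key, and flags additions to a privileged group. The inventory records, audit events, group name and IP address are all constructed sample data, and their field names are simplified from what Azure Resource Graph and the Entra ID audit log actually return.

```python
"""Added example, not from the original article or Microsoft: a scope-drift
evaluator applying the article's tag baseline and drift conditions to a
constructed inventory snapshot and constructed audit events."""
import json

# Tag scheme from the article; every CUI-handling resource must carry all three.
REQUIRED_TAGS = ("DataType", "ComplianceScope", "Environment")
# Constructed name of the group whose membership changes must be surfaced.
PRIVILEGED_GROUPS = {"grp-cui-admins"}
SEVERITY = {
    "MissingScopeTags": "medium",
    "PublicExposure": "high",
    "InsecureTransport": "high",
    "PlatformManagedKeyOnly": "medium",
    "PrivilegedGroupChange": "high",
}

# Constructed inventory snapshot (simplified ARM-style records).
INVENTORY = [
    {"id": "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Compute/virtualMachines/vm-app01",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"DataType": "CUI", "ComplianceScope": "CMMC-Level2", "Environment": "Production"},
     "properties": {"publicIp": None}},
    {"id": "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Compute/virtualMachines/vm-test02",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"DataType": "CUI"},                 # deployed without the full tag set
     "properties": {"publicIp": "203.0.113.10"}},  # constructed TEST-NET address
    {"id": "/subscriptions/sub-cui/resourceGroups/rg-cui-app/providers/Microsoft.Storage/storageAccounts/stcuidocs",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {"DataType": "CUI", "ComplianceScope": "CMMC-Level2", "Environment": "Production"},
     "properties": {"supportsHttpsTrafficOnly": False,
                    "encryption": {"keySource": "Microsoft.Storage"}}},
    {"id": "/subscriptions/sub-corp/resourceGroups/rg-web/providers/Microsoft.Web/sites/marketing",
     "type": "Microsoft.Web/sites",
     "tags": {"DataType": "Public"},
     "properties": {}},
]

# Constructed audit events shaped after Entra ID "Add member to group" entries.
AUDIT_EVENTS = [
    {"operation": "Add member to group", "group": "grp-cui-admins",
     "target": "vendor@partner.example", "initiatedBy": "bob@contractor.example"},
    {"operation": "Add member to group", "group": "grp-all-staff",
     "target": "carol@contractor.example", "initiatedBy": "hr-sync"},
]


def finding(rule, target, detail):
    """One SIEM-ready record; severity comes from the rule table above."""
    return {"rule": rule, "severity": SEVERITY[rule], "target": target, "detail": detail}


def in_scope(resource):
    """Tag-driven scope decision: CUI data or an explicit CMMC compliance scope."""
    tags = resource.get("tags") or {}
    return tags.get("DataType") == "CUI" or tags.get("ComplianceScope", "").startswith("CMMC")


def check_resource(resource):
    """Apply the boundary checks to one in-scope resource; out-of-scope resources are skipped."""
    if not in_scope(resource):
        return []
    findings = []
    tags = resource.get("tags") or {}
    props = resource.get("properties") or {}
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        findings.append(finding("MissingScopeTags", resource["id"],
                                "missing tags: " + ", ".join(missing)))
    if resource["type"] == "Microsoft.Compute/virtualMachines" and props.get("publicIp"):
        findings.append(finding("PublicExposure", resource["id"], "public IP " + props["publicIp"]))
    if resource["type"] == "Microsoft.Storage/storageAccounts":
        if not props.get("supportsHttpsTrafficOnly", False):
            findings.append(finding("InsecureTransport", resource["id"], "HTTP traffic permitted"))
        if props.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
            findings.append(finding("PlatformManagedKeyOnly", resource["id"],
                                    "at-rest encryption not backed by a Key Vault key"))
    return findings


def check_event(event):
    """Flag membership changes to privileged groups."""
    if event.get("operation") == "Add member to group" and event.get("group") in PRIVILEGED_GROUPS:
        return [finding("PrivilegedGroupChange", event["group"],
                        f"{event['target']} added by {event['initiatedBy']}")]
    return []


def evaluate(inventory=INVENTORY, events=AUDIT_EVENTS):
    """Run all checks; returns the findings list a SIEM ingestion step would consume."""
    findings = []
    for r in inventory:
        findings.extend(check_resource(r))
    for e in events:
        findings.extend(check_event(e))
    return findings


def to_jsonl(findings):
    """Serialise findings one JSON object per line, the usual SIEM ingestion shape."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    print(to_jsonl(evaluate()))
```

Two design points matter here. The scope decision comes from tags alone, which is exactly why the missing-tag check exists: a CUI resource deployed with only a partial tag set would otherwise drop out of every downstream control. And the storage checks use ARM-style property names (supportsHttpsTrafficOnly, encryption.keySource) so that a production version can be fed from a real inventory export; Azure Policy and Defender for Cloud evaluate the same kinds of conditions natively, and this evaluator is only a way to see the logic end to end.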


Practical Example: Scoping a Microsoft 365 and Azure Environment

Scenario:
A mid-sized defense contractor uses Microsoft 365 for collaboration and Azure for hosting internal web applications that support DoD contract work.

Step 1: Identify where CUI resides (SharePoint site for project documents, Azure SQL database containing contract records).
Step 2: Define scope (Microsoft 365 GCC tenant and one Azure subscription for the CUI app).
Step 3: Isolate access (Conditional Access policies, DLP rules, and network segmentation).
Step 4: Map controls (using Microsoft Compliance Manager and Purview).
Step 5: Document boundaries (SSP, network diagram, and control ownership list).

Result: The organization maintains a transparent and auditable CUI environment without bringing unrelated systems into scope.


Conclusion

Identifying and scoping systems correctly is the foundation of any successful CMMC compliance strategy. For organizations using Microsoft 365 and Azure, the process becomes both more precise and more manageable through built-in compliance, security, and automation tools.

A well-defined scope ensures that assessment efforts target only relevant assets, minimizes certification costs, and strengthens your overall cybersecurity posture.

By leveraging Microsoft’s secure government-ready cloud platforms, organizations can confidently protect sensitive defense information, maintain compliance alignment with NIST SP 800-171, and demonstrate to the Department of Defense that their operations are resilient, trustworthy, and audit-ready.

CMMC success begins with understanding where your critical data lives, and Microsoft’s cloud provides the tools to protect it at every step.