Appendix A: Compliance Control Matrix

The table below identifies which plane satisfies each compliance requirement and which components are in-scope (“Assessed”) for CMMC Level 1 and CMMC Level 2.

“Assessed” refers specifically to which layers are evaluated during a CMMC assessment.
The Execution Plane supports the full NIST SP 800-171 control set but remains out of scope for CMMC Level 2 because it does not store, process, or transmit CUI.

A.1 Compliance Control Matrix

Compliance Area | Identity Plane (Entra ID) | Execution Plane (R3 GovCloud Workplace) | Document Control Plane (M365 GCC / GCC High)

CMMC Level 1 (FCI) — Assessed
CMMC Level 2 (CUI) — Assessed ✔ (identity controls only)
DFARS 252.204-7012 ✔ (identity) ✔ (CUI CSP)
NIST SP 800-171 Controls
FedRAMP High (Inherited 800-53) ✔ (GCC High only)
DoD SRG IL4 / IL5 (Inherited Alignment) ✔ (GCC High only)
ITAR (U.S. Persons Only)
Least Privilege / RBAC

Note on GCC vs. GCC High

Microsoft GCC is suitable for CMMC Level 1 (FCI) but does not meet requirements for:

  • CMMC Level 2 (CUI), except CUI Basic
  • DFARS 252.204-7012
  • ITAR / EAR export controls

Organizations handling CUI for DoD or export-controlled data must use Microsoft 365 GCC High for the Document Control Plane.