Pro IT NW


GCC High, CMMC, and NIST 800-171.
Engineered for the Nov 2026 deadline.

Mid-market defense contractors and DoD suppliers. We assess your CUI exposure, recommend the right tenant (commercial / GCC moderate / GCC High / hybrid enclave), and migrate or harden against NIST 800-171 — without partner-badge incentives bending the recommendation.

CMMC 2.0 Phase 2 begins Nov 10, 2026: DoD contracting officers begin requiring CMMC L2 certification by a C3PAO (third-party assessor) in solicitations for CUI contracts. Phase 1, already underway since Nov 10, 2025, requires L1 and L2 self-assessments. Phase 3 (one year later) extends the C3PAO requirement to option periods on existing contracts. The window to be ready is closing.

The Phase 2 deadline

Nov 10, 2026 — and what happens after.

The CMMC 2.0 final rule (32 CFR Part 170) was published in October 2024 and took effect December 16, 2024; the companion DFARS rule (48 CFR) that actually puts CMMC clauses into contracts took effect November 10, 2025, which started Phase 1. The implementation rolls out in four phases over three years. For most mid-market defense contractors the binding requirement lands in Phase 2 (Nov 2026), when L2 C3PAO certification becomes a condition of award on new CUI work, and is extended under Phase 3 (Nov 2027) to option periods on contracts awarded earlier.

Phase 1 (now, since Nov 10, 2025): contracting officers include CMMC L1 or L2 self-assessment requirements in applicable solicitations, and may require L2 C3PAO certification at their discretion. Phase 2 (Nov 10, 2026): L2 C3PAO certification required in applicable CUI-handling solicitations as a condition of award (DoD may defer it to an option period on a given contract). Phase 3 (Nov 10, 2027): L2 C3PAO certification also required to exercise option periods on contracts awarded earlier, and L3 DIBCAC assessments begin. Phase 4 (Nov 10, 2028): full CMMC requirements in all applicable contracts.

The practical math: if your firm bids CUI work after Phase 2 starts and your tenant isn't L2-ready, you either disqualify yourself or deliver a CMMC compliance commitment you can't actually meet. Both are bad outcomes. The lead time on a clean GCC High migration plus L2 readiness for a 100–300-user shop is 6–12 months — backwards from Nov 10, 2026, that means the projects starting now are the ones on schedule.

The framework on this page is for buyers who already know they need to act. The goal is not to convince you the deadline matters — it's to map your environment to the right tenant strategy, the right control framework scope, and a defensible remediation plan.

CMMC levels

L1, L2, L3 — and which one is yours.

Most mid-market defense contractors land at L2. L1 applies if you only handle FCI (no CUI). L3 is reserved for top-tier suppliers on the highest-priority programs.

Level 1

Applies to: FCI only
Controls: 15 basic safeguarding requirements (the FAR 52.204-21 set)
Assessment: Annual self-assessment with annual affirmation
Typical audience: Subcontractors handling Federal Contract Information without CUI

Level 2

Applies to: CUI
Controls: 110 NIST SP 800-171 (Rev 2) requirements
Assessment: Self-assessment or C3PAO certification, set per solicitation; both run on a three-year cycle with annual affirmation. From Phase 2 (Nov 10, 2026) C3PAO certification is the expected requirement for most CUI solicitations
Typical audience: Most mid-market defense contractors and prime suppliers

Level 3

Applies to: CUI on highest-priority programs
Controls: 110 + 24 selected NIST SP 800-172 enhanced requirements
Assessment: Government-led (DIBCAC), and only after a final Level 2 C3PAO certification is in place
Typical audience: Top-tier defense suppliers and DIB-priority programs

Tenant decision

Commercial / GCC / GCC High / hybrid.

The tenant decision drives the entire migration. Wrong tenant choice in either direction is expensive: GCC High you didn't need (over-licensed, feature-limited) or commercial when you needed GCC High (compliance failure, contract risk).

M365 Commercial

Fits when

FCI-only contractors. CUI-free environments. Self-attesting Level 1 customers.

Breaks when

Any CUI that triggers ITAR / EAR. Any contract that requires GCC High flow-down. Any prime that requires GCC High.

GCC (Moderate)

Fits when

CUI-handling contractors whose CUI does not include ITAR-controlled items. Some federal civilian work.

Breaks when

ITAR-controlled CUI. EAR-restricted technology data. Any requirement that Microsoft-side support and operations staff with access to your content be screened US persons (GCC High commits to that; GCC does not).

GCC High

Fits when

ITAR-controlled CUI. EAR-restricted data. Primes that require GCC High flow-down. The conservative answer when classification is ambiguous.

Breaks when

Cost-sensitive shops with no actual ITAR/EAR exposure. Customers that need full Microsoft 365 feature parity (some commercial features lag in GCC High).

Hybrid (commercial + GCC High enclave)

Fits when

Larger orgs where most of the business is non-CUI but a specific division or program handles CUI. Keeps cost down on the non-CUI side.

Breaks when

Operational complexity is high — two tenants, two sets of identity, two licensing models, careful data-flow controls. Not a fit for shops without dedicated IT capacity.

The control framework

NIST SP 800-171 — 14 control families.

The 110 controls in 800-171 organize into 14 families. The implementation work in M365 is uneven — some families are 90% configuration (Access Control, Audit, I&A); some are 90% process and documentation (Awareness, Personnel, Risk Assessment). 800-172 (24 enhanced practices for L3) adds 'advanced persistent threat' protections on top.

3.1

Access Control

Conditional Access, MFA enforcement, privileged-access model, role separation

3.2

Awareness & Training

Documented role-based training cadence, evidence retention

3.3

Audit & Accountability

Tenant audit logging, Sentinel ingestion, retention policy alignment

3.4

Configuration Management

Baseline configuration documentation, change management evidence

3.5

Identification & Authentication

Phishing-resistant MFA (FIDO2 / hardware tokens for privileged accounts)

3.6

Incident Response

IR plan, tabletop exercises, evidence of dry runs

3.7

Maintenance

Maintenance logging, remote-maintenance controls, patch management evidence

3.8

Media Protection

Removable-media controls, sanitization documentation

3.9

Personnel Security

Background screening evidence for CUI access, separation procedures

3.10

Physical Protection

Facility access controls, visitor logs (data-center physical controls are inherited from Microsoft, but your own offices where CUI is viewed or printed, and any on-prem systems, stay in scope)

3.11

Risk Assessment

Vulnerability scanning evidence, risk-register maintenance

3.12

Security Assessment

Self-assessment, POAM (Plan of Actions and Milestones)

3.13

System & Comm Protection

Encryption at rest and in transit, FIPS 140-validated (140-2 or 140-3) cryptographic modules where required, network segmentation

3.14

System & Information Integrity

Defender / EDR coverage, vulnerability remediation cycle, monitoring
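The Conditional Access policy behind the 3.1 and 3.5 rows above (privileged roles only sign in with phishing-resistant MFA), written out as an added example; this is not code from this page or from Pro IT NW. It assumes the Microsoft Graph PowerShell SDK, a GCC High tenant (hence the USGov Graph environment), and it resolves role templates and the built-in authentication strength by display name rather than hard-coding GUIDs. The role list, policy name, tenant domain and break-glass UPN are placeholders to replace with your own.

```powershell
# Added example, not from the page: Conditional Access policy requiring
# phishing-resistant MFA (FIDO2 / hardware tokens / certificate-based auth)
# for privileged directory roles. Maps to 800-171 3.1 (Access Control) and
# 3.5 (Identification & Authentication). Requires the Microsoft.Graph SDK.

# GCC High is served by the US Government Graph endpoint (graph.microsoft.us);
# the default Global endpoint will not reach a GCC High tenant.
# Use -Environment USGovDoD for a DoD tenant.
Connect-MgGraph -Environment USGov -Scopes @(
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All',
    'RoleManagement.Read.Directory',
    'User.Read.All'
)

# Placeholder role set; extend to whatever your privileged-access model defines.
$privilegedRoleNames = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Security Administrator',
    'Conditional Access Administrator',
    'Exchange Administrator',
    'SharePoint Administrator'
)

# Resolve role template IDs by name so nothing tenant-specific is hard-coded.
$roleTemplates = Get-MgDirectoryRoleTemplate -All
$roleIds = foreach ($name in $privilegedRoleNames) {
    $template = $roleTemplates | Where-Object DisplayName -eq $name
    if (-not $template) { throw "Role template '$name' not found in this tenant" }
    $template.Id
}

# Built-in authentication strength that only admits FIDO2, certificate-based
# authentication and Windows Hello for Business; no push/OTP fallback.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

# Exclude the emergency-access (break-glass) account so a lost or broken
# hardware key cannot lock every admin out. Placeholder UPN; the account
# should be cloud-only, have a long random password, and be alerted on any sign-in.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass-01@contoso.onmicrosoft.us'"
if (-not $breakGlass) { throw "Break-glass account not found; create it before deploying this policy" }

$policy = @{
    displayName = 'CA-ADM-01 Require phishing-resistant MFA for privileged roles'
    # Report-only first; flip to 'enabled' after reviewing sign-in logs for
    # admins who would have been blocked (no registered FIDO2 key, legacy clients).
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and verify the strength binding persisted. The read-back
# output is also the evidence artifact for the SSP / assessor.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.AuthenticationStrength.Id -ne $strength.Id) {
    throw "Policy created but the authentication strength binding did not persist"
}
"{0}: state={1}, roles={2}, strength={3}" -f $check.DisplayName, $check.State, $roleIds.Count, $strength.DisplayName
```

Leave the policy in report-only mode for at least one full sign-in cycle and check the Conditional Access insights before enforcing; the usual casualties are admins who registered Authenticator push but never enrolled a FIDO2 key, and service accounts that were granted a directory role instead of an app registration. The break-glass exclusion is the one exception an assessor expects to see, and it should be documented alongside the policy rather than added later.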

Recent defense references

Anonymized engagement profiles.

No client names. Sector + size + scope. The full engagement notes are on /work/.

100-user precision-machining defense supplier

Commercial → GCC High migration. ITAR-tagged file shares, CUI scoped to engineering and quality. 14-week project.

220-seat aerospace components supplier

GCC High migration + CMMC L2 readiness. Hardware MFA tokens, accounting integration, file-share dual-track.

300-user systems integrator (defense + federal civilian)

Hybrid tenant strategy. Federal civilian work in GCC moderate, defense CUI work in a GCC High enclave. POAM-driven remediation.

60-staff engineering firm, FCI-only

Stayed on M365 commercial. CMMC L1 self-assessment readiness — Conditional Access, audit logging, baseline hardening.

Why labor-only matters in govcon

No license overselling. No partner-badge bias on the tenant decision.

Most GCC High migrations are sold by firms that earn margin on the licenses. That's not inherently wrong — but the tenant decision is the highest-leverage decision in the project. Asking a license-resale firm whether you need GCC High is asking the wrong person. We don't carry that incentive.

We've moved customers to GCC High and we've kept customers off GCC High when their data classification didn't actually require it. Both are correct calls in the right context. The wrong incentives push every customer toward the higher SKU regardless. Labor-only is the alignment.

Licensing flows through your existing Microsoft contracting — CSP, EA, MCA-E, or Microsoft Direct. We do the engineering work. The license invoices come from someone else. That separation is the point.

FAQ

Common questions from defense buyers.

What does CMMC Phase 2 (Nov 10, 2026) actually require?

CMMC 2.0 implementation rolls out in four phases. Phase 1 began Nov 10, 2025 with L1 and L2 self-assessment requirements in solicitations. Phase 2 begins Nov 10, 2026: DoD contracting officers begin including the CMMC L2 C3PAO certification requirement in solicitations for contracts that handle CUI (DoD may defer it to an option period on a given contract). By Phase 3 (Nov 10, 2027) the C3PAO requirement also applies to option periods on contracts awarded earlier, and L3 DIBCAC assessments begin. The practical implication: if you bid CUI work after Nov 10, 2026 and your tenant is not L2-ready, you don't bid that contract. The window to be ready is now.

Do we have to move to GCC High?

Not always. GCC High is required when you handle CUI that falls under ITAR, certain export-controlled categories, or when your prime requires it contractually. For some FCI-only contractors and some CUI-handling firms whose data does not trigger ITAR / EAR, M365 commercial with appropriate hardening can support CMMC L2 — but the bar is high and the audit trail is tighter. We assess the data classification first, then recommend the tenant. The wrong answer (GCC High you didn't need, or commercial when you needed GCC High) is costly in opposite directions.

What about CMMC Level 1 vs Level 2 vs Level 3?

Level 1 (15 basic safeguarding requirements, the FAR 52.204-21 set) applies to contractors handling FCI only, no CUI. Annual self-assessment. Level 2 (110 NIST SP 800-171 requirements) applies to contractors handling CUI. Self-assessment for some contracts, third-party (C3PAO) certification for others; from Phase 2 onward C3PAO certification is the expected requirement for most CUI solicitations. Level 3 (110 + 24 NIST SP 800-172 enhanced requirements) applies to the highest-priority programs and certain prime suppliers, requires a final Level 2 C3PAO certification first, and is assessed by the government (DIBCAC). The vast majority of mid-market defense contractors are L2.

How long does GCC High migration take for a 100–300-user shop?

Typical for the migration itself: 12–18 weeks for a 100-user shop, 16–22 weeks for 300 users. With L2 readiness remediation and documentation on top, the full program runs 6–12 months. Drivers: tenant provisioning timeline (Microsoft has its own provisioning lead times in GCC High that commercial doesn't have), ITAR/EAR personnel screening, file-share migration with CUI discovery and tagging, on-prem AD-to-Entra hybrid, and the standard tenant-to-tenant migration carve-outs. The hardest part is rarely technical; it's the governance work around what's actually CUI vs FCI vs neither.

Are you a Microsoft GCC High partner?

We're labor-only. We don't carry a partner badge for GCC High and we don't resell GCC High licensing. The licensing flows through your existing Microsoft contracting (CSP, EA, MCA-E) or Microsoft Direct. We engineer the migration and the configuration. No license-overselling incentive on our side — including no incentive to push a customer toward GCC High when GCC moderate or commercial would actually meet their CMMC requirement.

What if our prime is asking for CMMC compliance now, not Nov 2026?

Common. Many primes are flowing down CMMC requirements in their own contracts well ahead of the federal phasing — they want assessed suppliers in their pipeline before they need them. The work is the same regardless of what triggered it. We assess your current state against 800-171, deliver a gap remediation plan, and either remediate ourselves or hand the plan to your internal team. We don't do the C3PAO assessment ourselves — that's a separate firm — but we get you ready for one.

Working backwards from Nov 10, 2026?

Tell us your seat count, your prime, and your CUI exposure. We'll come back inside two business days with a tenant recommendation and remediation timeline.