Most small DoD contractors do not need to build a new security stack for Level 1. They need to make the Microsoft 365 stack they already pay for behave like a controlled FCI workspace. This checklist is intentionally practical: what to turn on, what to avoid, and what proof to keep.
The short answer
- Use named Microsoft 365 accounts for everyone who touches FCI.
- Enable MFA through Security Defaults or Conditional Access.
- Put FCI in a controlled SharePoint/OneDrive location, not personal email or random file shares.
- Restrict public and anonymous links for FCI folders.
- Keep device, Defender, and patch evidence for endpoints that access FCI.
Which Microsoft 365 plan?
Start with the data type, not the product catalog. CMMC Level 1 is for FCI. It does not automatically require GCC or GCC High. If your contract, prime, or data owner requires a government cloud tenant, follow that requirement. If you handle CUI, Level 1 is no longer your stopping point: you need a Level 2 conversation, where the NIST SP 800-171 controls and the tenant choice (commercial, GCC, or GCC High) become real questions rather than defaults.
The practical checklist
The requirement IDs in the last column are shorthand for the FAR 52.204-21(b)(1) items: AC.1 to AC.4 are items (i) to (iv), IA.1 and IA.2 are (v) and (vi), and SI.1 to SI.4 are (xii) to (xv).
| Area | What to do in Microsoft 365 | Level 1 requirement supported |
|---|---|---|
| Identity | Use named user accounts. No shared logins or generic accounts for FCI work; if shared mailboxes exist, keep their direct sign-in blocked and give named users delegated access instead. | AC.1, IA.1 |
| MFA | Enable Security Defaults or Conditional Access requiring MFA for users/admins. | IA.2 |
| Admins | Limit Global Admin and other admin roles to a small number of named users. Use separate admin accounts where practical. | AC.2 |
| FCI storage | Create a dedicated SharePoint site or folder for FCI. Restrict access to named users. | AC.1, AC.2 |
| External sharing | Turn off anonymous/public links for the FCI location. Review guest users. | AC.3, AC.4 |
| Email forwarding | Block automatic forwarding to personal/external email for accounts handling FCI. | AC.3 |
| Devices | Keep an inventory of laptops/desktops that access FCI. Prefer company-managed devices. | IA.1, AC.3 |
| Endpoint protection | Confirm Microsoft Defender Antivirus or another AV/EDR is enabled and current on in-scope Windows devices. | SI.2, SI.3, SI.4 |
| Patching | Keep Windows, Office apps, browsers, and firmware updated on in-scope devices. | SI.1 |
| Public content | Review company website, LinkedIn, Teams guest access, and shared links so FCI is not posted publicly. | AC.4 |
SharePoint and OneDrive
The cleanest M365 pattern for Level 1 is one controlled FCI workspace: a SharePoint site, Teams-backed document library, or dedicated folder where contract documents live. Keep access small, grant it through named groups rather than one-off direct shares, avoid "anyone with the link," and review guest users on a schedule.
What you are trying to avoid is sprawl: FCI attachments living in personal OneDrive folders, downloaded to unmanaged laptops, forwarded to personal email, or shared with public links. Sprawl makes the Level 1 boundary expensive because everything that touches FCI comes into scope.
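The external-sharing and email-forwarding rows of the checklist, and the single-workspace pattern above, come down to a handful of tenant and site settings. The following is an added example, not code from the original article: it locks down one FCI SharePoint site, blocks automatic mail forwarding, and exports who can reach the site. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, that you hold the SharePoint and Exchange admin roles, and that the tenant name, site URL and report path are placeholders for your own values.

```powershell
# Added example, not from the original article: lock down one FCI SharePoint site and
# block automatic mail forwarding, then export who can reach the site.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# modules are installed, you hold SharePoint admin and Exchange admin roles, and the
# tenant name, site URL and report path below are placeholders for your own values.
$TenantName = 'contoso'                                        # assumption
$FciSiteUrl = "https://$TenantName.sharepoint.com/sites/FCI"   # assumption
$ReportPath = '.\fci-site-access.csv'                          # assumption

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Tenant-wide ceiling: a site can never be more permissive than the tenant setting.
$tenant = Get-SPOTenant
"Tenant SharingCapability: $($tenant.SharingCapability)"
"Tenant DefaultSharingLinkType: $($tenant.DefaultSharingLinkType)"

# Site-level setting for the FCI workspace. Disabled removes all external sharing,
# anonymous links included. Use ExistingExternalUserSharingOnly instead if approved
# guests must keep access; never ExternalUserAndGuestSharing, which allows "anyone" links.
$site = Get-SPOSite -Identity $FciSiteUrl
if ($site.SharingCapability -ne 'Disabled') {
    "Before: $($site.SharingCapability)"
    Set-SPOSite -Identity $FciSiteUrl -SharingCapability Disabled
    "After:  $((Get-SPOSite -Identity $FciSiteUrl).SharingCapability)"
}

# Who can reach the site: this is the permissions evidence, reviewed on a schedule.
Get-SPOUser -Site $FciSiteUrl -Limit All |
    Select-Object DisplayName, LoginName, IsSiteAdmin, IsGroup |
    Export-Csv -Path $ReportPath -NoTypeInformation

Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide: the default outbound spam policy controls automatic forwarding.
# Off rejects auto-forwarded mail to external recipients.
if ((Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode -ne 'Off') {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

# Second control on the same path: the default remote domain's auto-forward flag.
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

# Existing forwards are findings to review with the user, not something to delete blindly.
# Two places to look: the mailbox forwarding properties and user-created inbox rules.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}
```

Setting the site to Disabled cuts off any guest who already has access, so run the Get-SPOUser export first and agree the guest list with the contract owner before changing the setting. The inbox-rule loop walks every mailbox, which is fine for a small contractor tenant but slow at scale; either way, the output is what you keep as the external-sharing and forwarding evidence.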
Devices, Defender, and patching
Microsoft Defender Antivirus is built into supported Windows versions, and Microsoft describes it as part of next-generation protection for Windows endpoints. For Level 1, the question is not whether the logo exists in the taskbar. The question is whether protection is enabled, current, and covering the endpoints that touch FCI.
- Save Defender status for each in-scope device, or a device-group report from your management console (Intune or the Defender portal) when devices are managed centrally. A single representative screenshot is weak evidence unless every device is configured identically.
- Save update status for Windows and Office apps.
- Document any Macs or non-Windows devices separately.
- Do not allow unmanaged personal laptops to become invisible FCI storage.
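The endpoint evidence above (Defender enabled, current, scanning; Windows updated) can be collected from the device itself instead of screenshots. The following is an added example, not code from the original article: it captures Defender and patch status on one in-scope Windows endpoint as a dated JSON file and lists the findings a reviewer would flag. The output folder and the staleness thresholds are assumptions for illustration, not Level 1 requirements.

```powershell
# Added example, not from the original article: capture Defender and patch status on one
# in-scope Windows endpoint as a dated JSON file, with the findings a reviewer would flag.
# Run in an elevated PowerShell session on the device. The output folder and the staleness
# thresholds are assumptions for illustration, not Level 1 requirements.
$OutDir = 'C:\Evidence\CMMC-L1'   # assumption
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$mp   = Get-MpComputerStatus        # Defender engine, signature and scan state
$pref = Get-MpPreference            # local preferences, e.g. real-time monitoring disabled
$os   = Get-CimInstance -ClassName Win32_OperatingSystem

# Get-HotFix lists installed hotfixes/QFEs with install dates; it is a cheap proxy for
# patch currency, not a full Windows Update history (feature updates do not appear here).
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

$status = [pscustomobject]@{
    Collected                 = (Get-Date).ToString('o')
    ComputerName              = $env:COMPUTERNAME
    OsCaption                 = $os.Caption
    OsVersion                 = $os.Version
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    RealTimeDisabledByPolicy  = $pref.DisableRealtimeMonitoring
    TamperProtected           = $mp.IsTamperProtected
    EngineVersion             = $mp.AMEngineVersion
    SignatureVersion          = $mp.AntivirusSignatureVersion
    SignatureAgeDays          = $mp.AntivirusSignatureAge
    LastQuickScan             = $mp.QuickScanEndTime
    LastFullScan              = $mp.FullScanEndTime
    LastHotFixId              = $lastPatch.HotFixID
    LastHotFixInstalledOn     = $lastPatch.InstalledOn
}

# A missing timestamp (never scanned, no dated hotfix) counts as stale.
function Test-Stale {
    param($When, [int]$MaxDays)
    return (-not $When) -or ($When -lt (Get-Date).AddDays(-$MaxDays))
}

$findings = @()
if (-not $status.AntivirusEnabled)               { $findings += 'Antivirus is not enabled' }
if (-not $status.RealTimeProtectionEnabled)      { $findings += 'Real-time protection is off' }
if ($status.RealTimeDisabledByPolicy)            { $findings += 'Real-time monitoring disabled by local preference' }
if ($status.SignatureAgeDays -gt 7)              { $findings += "Signatures are $($status.SignatureAgeDays) days old" }
if (Test-Stale $status.LastQuickScan 7)          { $findings += 'No quick scan in the last 7 days' }
if (Test-Stale $status.LastHotFixInstalledOn 45) { $findings += 'No dated update in the last 45 days' }

$status | Add-Member -NotePropertyName Findings -NotePropertyValue $findings
$file = Join-Path $OutDir ('defender-status-{0}-{1:yyyyMMdd}.json' -f $env:COMPUTERNAME, (Get-Date))
$status | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
$status
```

Run it on each in-scope Windows device (or push it through your management tool) and keep the JSON files with the device inventory; a non-empty Findings array is the item to fix before you call the device covered. Macs and other non-Windows endpoints need their own equivalent, which is why the text says to document them separately.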
Evidence to save
- Security Defaults enabled or Conditional Access MFA policy screenshots.
- User export showing named accounts for FCI users.
- Admin role export showing limited privileged accounts.
- SharePoint/OneDrive permissions screenshot for the FCI folder or site.
- External sharing and guest-user review screenshot.
- Device inventory for endpoints that access FCI.
- Defender/AV status and update status for in-scope devices.
- Short written policy: where FCI lives, who can access it, and how sharing is approved.
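The identity items in this list (MFA enforcement, named accounts, limited admins, guest review) can be exported as dated CSV files instead of screenshots. The following is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph module, assumed installed) to pull the Security Defaults state, the enabled Conditional Access policies that require MFA, member and guest user lists, and every activated directory role's members. The output folder is an assumption; the sign-in must be an account allowed to consent to the read scopes listed.

```powershell
# Added example, not from the original article: export the identity evidence for Level 1
# with the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is
# installed, the signed-in account can consent to the read-only scopes below, and the
# output folder is your own choice.
$OutDir = '.\m365-l1-evidence'   # assumption
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All' -NoWelcome

# 1. MFA enforcement: either Security Defaults is on, or at least one enabled
#    Conditional Access policy grants access only with the built-in 'mfa' control.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caMfa = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, State,
        @{ n = 'IncludeUsers'; e = { $_.Conditions.Users.IncludeUsers -join ';' } },
        @{ n = 'IncludeRoles'; e = { $_.Conditions.Users.IncludeRoles -join ';' } },
        @{ n = 'Apps';         e = { $_.Conditions.Applications.IncludeApplications -join ';' } }

[pscustomobject]@{
    SecurityDefaultsEnabled = $sd.IsEnabled
    EnabledMfaCaPolicies    = @($caMfa).Count
} | Export-Csv -Path "$OutDir\mfa-enforcement-$stamp.csv" -NoTypeInformation
$caMfa | Export-Csv -Path "$OutDir\ca-mfa-policies-$stamp.csv" -NoTypeInformation

# 2. Named accounts: every member user, plus a separate guest list for the scheduled
#    review. Generic or shared-looking display names stand out in this export.
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled, UserType, CreatedDateTime
$users | Where-Object UserType -eq 'Member' |
    Select-Object UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime |
    Export-Csv -Path "$OutDir\users-$stamp.csv" -NoTypeInformation
$users | Where-Object UserType -eq 'Guest' |
    Select-Object UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime |
    Export-Csv -Path "$OutDir\guests-$stamp.csv" -NoTypeInformation

# 3. Privileged accounts: members of every directory role that has been activated in
#    the tenant (Get-MgDirectoryRole only returns activated roles). Member details sit
#    in AdditionalProperties because the member can be a user, group or service principal.
$admins = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            Member      = $m.AdditionalProperties['userPrincipalName']
            DisplayName = $m.AdditionalProperties['displayName']
            ObjectType  = $m.AdditionalProperties['@odata.type']
        }
    }
}
$admins | Export-Csv -Path "$OutDir\admin-roles-$stamp.csv" -NoTypeInformation

# Quick read-out for the reviewer; the CSV files are the evidence you keep.
"Security Defaults enabled: $($sd.IsEnabled)"
"Enabled CA policies requiring MFA: $(@($caMfa).Count)"
"Global Administrators: $(@($admins | Where-Object Role -eq 'Global Administrator').Count)"
"Guest accounts: $(@($users | Where-Object UserType -eq 'Guest').Count)"
```

If Security Defaults is on, the Conditional Access export will normally be empty, since the two cannot be enabled together; either result is acceptable evidence as long as one of them enforces MFA for all users and admins. The admin-roles export is also the place to spot service principals or groups holding privileged roles that the short written policy does not mention.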
Sources
- Microsoft Learn - Security defaults in Microsoft Entra ID: MFA registration, admin MFA, legacy authentication blocking, and Security Defaults setup.
- Microsoft Learn - Conditional Access overview: MFA, device, location, and application access policies.
- Microsoft Learn - Microsoft Defender Antivirus in Windows: Defender availability and endpoint protection overview.
- FAR 52.204-21: the 15 Level 1 safeguarding requirements.
FAQ
Can Microsoft 365 support CMMC Level 1?
Yes. Microsoft 365 can support many CMMC Level 1 requirements when it is configured correctly: named accounts, MFA, controlled SharePoint/OneDrive access, external sharing limits, audit-friendly user lists, endpoint protection, and patching evidence. The subscription itself is not enough; the tenant configuration and operating process matter.
Is Microsoft 365 GCC required for CMMC Level 1?
No. CMMC Level 1 protects FCI, not CUI. GCC or GCC High may be required by contract, by customer policy, or for CUI workloads, but Level 1 itself does not automatically require GCC. Confirm your contract and data type before buying a government cloud tenant.
Is MFA required for CMMC Level 1 in Microsoft 365?
FAR 52.204-21 does not use the word MFA. Item (vi) requires authenticating (or verifying) the identities of users, processes, or devices as a prerequisite to access, without naming a method. For Microsoft 365, MFA is the practical baseline for showing strong authentication, especially for email, admin accounts, and remote access to FCI, and Security Defaults enforce it tenant-wide without an additional license.
Is Microsoft Defender enough for CMMC Level 1?
Microsoft Defender Antivirus is built into supported Windows versions and can satisfy the Level 1 malicious-code protection requirements when it is enabled, current, and covering the devices that touch FCI. Some contractors choose a managed EDR for visibility, but Level 1 does not require a specific product.
What Microsoft 365 evidence should I save for Level 1?
Save MFA/security defaults or Conditional Access screenshots, user and admin exports, SharePoint/OneDrive FCI-folder permissions, external sharing settings, device inventory, Defender status, update status, and a short policy explaining how FCI is stored and shared.