Start Compliant. Stay Compliant.
Building a net-new environment for a defense contract is your one chance to do it right from the ground up. This guide walks through deploying Microsoft Azure GCC-High and Windows 365 Government with every configuration decision mapped to the CMMC controls your assessor will verify.
Why Azure GCC-High Is the Right Start
Azure GCC-High is Microsoft's sovereign cloud environment purpose-built for US defense contractors and government agencies. It holds a FedRAMP High authorization and is specifically designed to handle Controlled Unclassified Information (CUI) under DFARS clause 252.204-7012 and CMMC 2.0 requirements.
Windows 365 Government extends that sovereign boundary to the endpoint layer — giving your users a fully managed, cloud-hosted Windows PC that lives inside the GCC-High compliance boundary. Every session, every file, every audit log stays within the authorized perimeter from day one.
Starting greenfield on this stack means you are not retrofitting compliance onto an environment that was never designed for it. You are building the compliance architecture into the foundation while the concrete is still wet.
The highest federal cloud authorization level. Required for systems that process, store, or transmit CUI under DFARS 252.204-7012.
Data is stored and processed exclusively in US data centers by US-based Microsoft personnel with appropriate clearances.
Cloud PCs provisioned and managed within the GCC-High boundary. No on-premises VDI hardware, no endpoint CUI stranded outside the perimeter.
Microsoft Purview Compliance Manager includes pre-built NIST SP 800-171 assessment templates to track control implementation status.
Six Phases to a Compliant Environment
Each phase addresses a distinct layer of the compliance architecture. CMMC Companion guides your IT team through every step, mapping each configuration decision to the specific CMMC practices it satisfies.
Tenant Provisioning
Stand up your Azure GCC-High and Microsoft 365 GCC-High tenants. Configure tenant-level security defaults, complete domain verification, and establish the compliance boundary before any users or data are onboarded.
Identity & Access Management
Configure Microsoft Entra ID with phishing-resistant MFA, Conditional Access policies, Privileged Identity Management (PIM), and role-based access control. Establish least-privilege access for all users and service accounts from the start.
Endpoint Management
Deploy Microsoft Intune as your MDM/MAM platform for all devices. Provision Windows 365 Government cloud PCs within the GCC-High boundary. Configure Defender for Endpoint, device compliance policies, application allow-listing, and configuration baselines.
Data Protection & CUI Handling
Implement Microsoft Purview Information Protection with sensitivity labels for CUI categories. Configure data loss prevention (DLP) policies, retention labels, and SharePoint/Teams governance to enforce CUI handling requirements across the organization.
Security Operations
Deploy Microsoft Sentinel as your SIEM/SOAR platform. Connect Defender XDR, Entra ID, Intune, and Azure diagnostic logs. Build incident response playbooks, configure alerting thresholds, and establish audit log retention policies to satisfy CMMC audit and accountability requirements.
Compliance & Evidence
Activate Microsoft Purview Compliance Manager for NIST SP 800-171 control tracking. Layer in CMMC Companion to manage evidence artifacts, document SSP narratives, run gap assessments, and maintain POA&Ms. This is where configuration becomes certification.
work. That person is the IT administrator.
CMMC compliance is not an executive strategy exercise. It is thousands of individual configuration decisions, log exports, policy documents, and evidence screenshots — most of them owned by the IT administrator who is also running the help desk, managing the device fleet, and keeping the lights on.
CMMC Companion was built by IT administrators who have lived exactly that reality in the U.S. Intelligence Community and Department of Defense. Not consultants who assessed environments from the outside — engineers who held the keyboard.
The IT admin owns the evidence. The assessor will ask for screenshots, logs, configuration exports, policy documents, and narrated SSP statements for each of the 110 NIST SP 800-171 practices. Every single one of those artifacts is produced by the IT administrator.
What CMMC Companion takes off your plate
- Tracking which controls are implemented vs. not met
- Storing and organizing evidence artifacts by practice
- Writing SSP control narrative statements
- Exporting Intune compliance and configuration reports
- Managing POA&M items and 180-day closeout deadlines
- Producing SPRS-ready assessment scores
- Running monthly gap reviews as configurations change
- Preparing domain-level readiness reports for the C3PAO
The Platform Behind Your GCC-High Buildout
As you work through each deployment phase, CMMC Companion keeps your compliance posture synchronized with your technical progress — so nothing falls through the cracks between the ticketing system and the assessment binder.
GCC-High Control Mapping
Every Entra ID policy, Intune configuration profile, and Sentinel alert rule is pre-mapped to the specific CMMC practices it satisfies. Configure once, evidence automatically.
Evidence Capture & Organization
Attach screenshots, export configuration reports, and upload policy documents directly to the relevant CMMC practice. CMMC Companion structures your evidence binder the way a C3PAO assessor expects to see it.
Phase-Aligned Gap Analysis
Know exactly which CMMC practices are satisfied at each deployment phase and which are still open. No surprises when the assessor arrives — every gap is visible and tracked from day one.
SSP Authoring Assistance
Generate System Security Plan control narratives from your actual GCC-High configuration state. Write once, update continuously. Stop rewriting SSP sections from scratch after every environment change.
POA&M Management
For every control not yet fully implemented during your buildout, create a POA&M item with owner, remediation target, and 180-day deadline tracking built in. Stay ahead of conditional certification expiry.
Drift Detection
Configuration drift is the silent killer of CMMC certifications. CMMC Companion provides continuous visibility so that when a Conditional Access policy changes or a device falls out of compliance, you know before your annual affirmation is due.
Ready to Build It Right?
Whether you are provisioning your first GCC-High tenant or preparing an existing environment for C3PAO assessment, CMMC Companion meets you where you are.