Microsoft 365 Commercial no longer complies with FedRAMP and CMMC

If you're a contractor or subcontractor to the U.S. Department of Defense (DoD), you have several options for storing your CUI: retention on systems in your local network, or in the Cloud.

The US Government requires that CUI only be stored in FedRAMP (or FedRAMP equivalent) authorized Clouds. This requirement also applies to CMMC.

If you wish to use the Cloud to store your CUI, you should be aware that Microsoft 365 Commercial is no longer recognized as FedRAMP “equivalent”. Consequently, any storage of CUI in Microsoft 365 Commercial will be considered as a non-compliance of CUI protection, which will prevent you from obtaining your CMMC certification.

As a reminder, the use of CUI requires CMMC Level 2 certification as a minimum, or Level 3 in specific cases.

So now what?
As Microsoft 365 Commercial is not FedRAMP compliant, sharing CUI via any tool included in this environment is considered non-compliant.

If you want to stay on the Microsoft Cloud, to be able to continue using your CUI, you need to migrate to Microsoft 365 Government (Microsoft 365 GCC, Microsoft 365 GCC HIGH or Microsoft 365 DoD) which is FedRamp compliant. Our recommendation is to use Microsoft 365 GCC HIGH (which complies with CMMC and ITAR).

Any question about CMMC? We've got the answer.

Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.