Microsoft Teams CMMC Compliance: Can Teams Handle FCI or CUI?
By The Defense Compliance Report Editorial Team · Last verified: July 17, 2026
Microsoft Teams CMMC compliance isn’t a setting you switch on or a license you buy — it’s a property of your whole system, and Teams is just one moving part of it. Bottom line up front: Teams by itself is never “CMMC certified.” What actually decides compliance is the Microsoft 365 environment Teams runs in — Commercial, GCC, or GCC High — plus how you configure it, where your data lands, which connected systems and devices touch it, and what your contract requires you to protect.
The part most vendors won’t say out loud is whichof those applies to you — and the wrong call is expensive. Below is the source-checked map we built: which Microsoft environment fits your data, where a Teams chat or meeting recording actually goes, which features quietly pull CUI into scope, and what to have ready before a prime or an assessor asks.
| Best for | Not for | The one qualifier that changes everything |
|---|---|---|
| DIB contractors deciding whether Teams can handle their FCI or CUI, and which Microsoft environment to run. | Anyone hunting for a “Microsoft CMMC certified” seal or a single setting that guarantees compliance. | Your contract sets the required CMMC level and assessment type; your actual data flow sets the system boundary. Neither is decided by a product name. |
Your situation, in one glance:
| If this is you | The starting answer |
|---|---|
| FCI only / Level 1 | Commercial or GCC can work — if you implement and evidence all 15 basic safeguarding requirements. |
| CUI Basic / Level 2 | Evaluate GCC, GCC High, or a separate CUI enclave based on your contract, CUI category, export status, and who needs access. |
| CUI that is export-controlled (ITAR/EAR) | Microsoft says GCC is not suitable for export-controlled data; GCC High (or another defensible boundary) usually deserves evaluation. |
| Want to keep CUI out of Teams entirely | Commercial Teams can stay out of scope — but only if your architecture and habits actually stop CUI from landing in it, and Teams isn't providing security for the CUI environment. |
Sources: 32 CFR Part 170 §§ 170.14–170.19 (the CMMC Program rule); Microsoft’s NIST SP 800-171 and CMMC documentation.
Is Microsoft Teams CMMC compliant?
No product — Teams included — is “CMMC compliant” on its own. CMMC (Cybersecurity Maturity Model Certification) assesses your organization’s information system against a security standard; it does not certify individual apps. Microsoft supplies government cloud environments (GCC and GCC High) that can host CUI inside a compliant boundary, but whether youare compliant depends on your tenant, your configuration, your endpoints, your procedures, and your evidence — not the app’s name.
We lead with this because it’s the single most expensive misunderstanding in the Defense Industrial Base. A contractor hears “we’re on GCC High,” assumes the box is checked, and moves on. It isn’t checked. GCC High is a platform. CMMC is an outcome your whole organization has to produce and prove.
There’s a second reason “Is Teams compliant?” is the wrong question: Teams is not one thing.It looks like a single app, but under the hood it’s a front end to several Microsoft services — SharePoint, OneDrive, Exchange, and Microsoft Entra ID (identity) — each holding different pieces of what your people type, share, and record. You can’t document “Teams” as one asset and stop. We map exactly where each piece goes further down, because that map is where scope is won or lost.
Here’s our one hard truth:GCC High does not make you compliant. Plenty of contractors buy it — or get sold it — before anyone confirms their data actually requires it, when standard GCC or a smaller CUI enclave would have covered the same data with materially less cost and disruption. And even after a full migration, they’re still missing the controls, configuration, and evidence that CMMC actually evaluates.
The good news: the right decision starts with two straightforward questions — what does my contract require, and is any of my CUI export-controlled?— not with a migration quote. Answer those and the fog lifts.
The five questions that actually decide the answer:
- What does the solicitation or contract require — Level 1, Level 2, or Level 3?
- Is the information FCI, CUI Basic, or CUI Specified — and, separately, is it export-controlled?
- Which Microsoft environment are you on — Commercial, GCC, or GCC High?
- Which Teams-connected services, security tools, and endpoints actually touch that data?
- Can you produce evidence that your controls operate — not just that a box was ticked once?
Commercial vs GCC vs GCC High: which Microsoft environment do you need?
Microsoft 365 Commercial, Office 365 GCC, GCC High, and Microsoft 365 DoD are not interchangeable, and the right one depends on your data and contract — not your preference. Microsoft’s current NIST SP 800-171 offering includes Teams in GCC, GCC High, and DoD, but excludes Office 365 Commercial from that third-party audit scope.
Quick definitions. GCC(Government Community Cloud) is a government-focused Microsoft 365 environment running on Microsoft’s commercial Azure infrastructure in a segregated partition. GCC Highis a separate environment built on Azure Government, with U.S. data residency and support access restricted to screened U.S.-person personnel — built for the DIB and for export-controlled technical information. Microsoft 365 DoDis restricted to eligible Department entities — not a purchasable “upgrade” for a contractor.
Two separate determinations drive the choice — collapsing them is where contractors overspend or under-protect:
- Is the information CUI Basic or CUI Specified? That’s set by the CUI category and its authority in the NARA CUI Registry, not by your gut.
- Separately, is it export-controlled (ITAR or EAR) or otherwise restricted to U.S. persons? Export status can attach to CUI Basic or CUI Specified, and it’s the access-and-sovereignty restriction — not the “Specified” label — that most often points to GCC High.
Note the deliberate absence of the word “compliant” in any single row. No environment is compliant by itself.
| Teams environment | Where it fits | What Microsoft says | The catch | What it means for your CMMC scope |
|---|---|---|---|---|
| Microsoft 365 Commercial | FCI-only work at Level 1; ordinary business collaboration kept outside the CUI boundary. | Office 365 Commercial is excluded from Microsoft’s NIST SP 800-171 audit scope, and Microsoft’s compliance documentation shows it as not supporting DFARS 7012. | Don’t treat the license name as evidence you can hold CUI. If CUI lands here, you have a problem, not a plan. | The moment a user puts CUI in Commercial Teams, the connected services, endpoints, and security tools pull into scope — on a platform excluded from the relevant audit scope. |
| Office 365 GCC | A candidate for some CUI Basic where the contract, CUI category, and sovereignty needs fit. | Microsoft includes Teams, SharePoint, OneDrive, and Exchange in GCC in its NIST SP 800-171 offering. | Microsoft states GCC is not suitable for CUI Specified, including export-controlled data such as ITAR-controlled technical information. | The GCC label doesn’t finish the job — your identity, endpoint, external-access, app, and evidence work is still yours. |
| Office 365 GCC High | In-scope CUI environments, especially export-controlled (ITAR/EAR) data or where the contract demands stronger sovereignty. | Microsoft states GCC High can support Level 2 and Level 3 environments when correctly configured. | GCC High does not classify your data, configure your controls, secure your laptops, write your SSP, or generate your evidence. Collaboration and feature availability also differ from Commercial. | Platform boundary strength is real — but a migration without the controls, evidence, and operational discipline is a very expensive, very incomplete compliance program. |
| Microsoft 365 DoD | Eligible Department entities only. | Microsoft restricts this environment to eligible DoD organizations. | It is not a purchasable “upgrade” for a contractor just because you work for the government. | Not a normal DIB architecture choice — disqualify yourself from this path. |
| Commercial Teams + a separate CUI enclave | Keep familiar Commercial Teams for most staff while confining CUI to a separately governed system. | 32 CFR § 170.19 permits assets to stay out of scope only under the rule’s actual data-flow and separation conditions. | Links, file previews, filenames, notifications, copy-paste, downloads, and screenshots can quietly collapse the boundary. An enclave you can’t operate cleanly is worse than no enclave. | Scope narrows only when you can actually enforce it — which requires real technical controls, not a “do not put CUI in Teams” policy. |
A few defensible non-Microsoft paths satisfy the same underlying cloud requirement — but authorization attaches to a specific offering and boundary, not a whole brand. Confirm the exact offering and its authorization status on the FedRAMP Marketplace before you rely on it.
This matrix is a decision aid, not a compliance verdict. It reflects current regulation and Microsoft’s own documentation. It does not determine contract applicability, certify an environment, or replace scope review by a qualified practitioner or federal-contracts attorney.
Not sure where your setup lands? Use The Defense Compliance Report’s routing tool to map your situation to the right provider category before you request quotes.
What changed after the July 2026 CMMC Phase 2 suspension?
On July 13, 2026, the Department suspended advancement to CMMC Phase II — the planned expansion that would have made broader Level 2 third-party assessment a condition of award — but Phase I self-assessment requirements and DFARS 252.204-7012 duties remain in force. The pause changes the near-term rollout of new assessment mandates; it does not erase your existing obligations to safeguard CUI, report incidents, or meet current contract terms.
What’s paused: the planned move into Phase II, which would have layered broader Level 2 third-party assessment requirements into contract awards on the old November 10, 2026 timeline. Treat that date as history.
What remains fully in effect:
- Level 1 (Self) and Level 2 (Self) self-assessment requirements — solicitations still designate these.
- DFARS 252.204-7012, the clause requiring you to safeguard covered defense information, ensure a cloud that meets FedRAMP Moderate-equivalent security when an external provider handles that information, report cyber incidents rapidly, and preserve relevant media.
- Your existing FCI/CUI safeguarding duties, prime flow-downs, and any current contract requirement.
- SPRS postings and the senior-official affirmation that goes with them.
And here’s the part that matters most for this page: the reason your Microsoft environment choice survives the pause is that it never depended on CMMC in the first place. DFARS 252.204-7012 has been in effect since 2016, with implementation of the NIST SP 800-171 security requirements required no later than December 31, 2017. Suspend the verification, and the underlying obligation is untouched. That’s why “we’ll just wait for CMMC to settle” is not a strategy if CUI is sitting in your Teams tenant today.
| Date | What happened | What it means now |
|---|---|---|
| Dec 31, 2017 | DFARS 252.204-7012 NIST SP 800-171 implementation deadline | The safeguarding baseline for covered defense information. Still in force. |
| Dec 16, 2024 | 32 CFR Part 170 (the CMMC Program rule) took effect | The controlling CMMC regulatory structure. |
| Nov 10, 2025 – Nov 9, 2026 | Original codified Phase 1 window; Phase 2 was set to begin one year after Phase 1 | Phase I self-assessment requirements remain. |
| Jul 13, 2026 | Advancement to Phase II suspended; 60-day review launched | No current Phase II transition date. DFARS 7012 and Phase I unaffected. |
| Future | Reform outcome unknown | Re-verify against the Department's official CMMC and acquisition sources. |
One caution: a Level 1 or Level 2 self-assessment is still a federal attestation a senior official signs. A knowinglyfalse cybersecurity representation can create False Claims Act exposure — the Department of Justice’s Civil Cyber-Fraud Initiative exists to pursue exactly those cases. The suspension lowered the near-term assessment pressure. It did not lower the stakes of signing your name to a score your evidence can’t back up.
Which FAR and DFARS clause numbers apply after the 2026 overhaul?
As of February 1, 2026, a Department class deviation under the “Revolutionary FAR Overhaul” renumbered the cybersecurity clauses — but it’s a reorganization, not a rollback, and the core CMMC clauses did not change. FAR 52.204-21 moved to FAR 52.240-93; DFARS 252.204-7019 was eliminated; DFARS 252.204-7020 moved to DFARS 252.240-7997; and DFARS 252.204-7012, -7021, and -7025 are unchanged. Because this was done by class deviation ahead of formal rulemaking, both old and new numbers can appear depending on your contract.
| What it governs | Legacy number | Current deviation number | Status |
|---|---|---|---|
| Basic safeguarding of FCI (the 15 requirements) | FAR 52.204-21 | FAR 52.240-93 | Renumbered; text and 15 requirements unchanged. CMMC Level 1 still references 52.204-21. |
| Safeguarding CUI + cyber-incident reporting + external-cloud rules | DFARS 252.204-7012 | DFARS 252.204-7012 | Unchanged. |
| CMMC compliance requirement | DFARS 252.204-7021 | DFARS 252.204-7021 | Unchanged. |
| Notice of required CMMC level | DFARS 252.204-7025 | DFARS 252.204-7025 | Unchanged. |
| "Basic" NIST 800-171 self-assessment provision | DFARS 252.204-7019 | (eliminated) | The standalone "Basic" self-assessment provision no longer exists as a separate clause. |
| NIST 800-171 DoD assessment requirements | DFARS 252.204-7020 | DFARS 252.240-7997 | Moved to new DFARS Part 240. |
If you handle CUI, the self-assessment and SPRS obligations now sit under the CMMC clause, DFARS 252.204-7021. This crosswalk was implemented under Class Deviation 2026-O0025, and formal rulemaking (FAR Case 2026-001) is still in progress, so the numbering could change again. When it does, we update this table. For a deeper dive on the clause history, see our FAR 52.204-21 explained guide.
Where does CUI actually go inside Microsoft Teams?
Teams is an interface across several Microsoft services, not a single container. Chats live in the Teams messaging service with compliance copies in Exchange; channel files live in SharePoint; files shared in chats live in the sender’s OneDrive; recordings live in OneDrive or SharePoint depending on the meeting; and voicemail and calendar data live in Exchange. If you want to scope Teams for CUI, you have to scope all of that.
The Microsoft Teams surface & boundary matrix(v1.0 — verified July 2026 against Microsoft documentation)
| Teams surface | Where the data actually lands | Why it matters for CMMC scope | Likely NIST 800-171 families* | Common failure mode |
|---|---|---|---|---|
| 1:1, group & meeting chat | Teams chat service, with compliance copies in Exchange mailboxes | CUI typed or pasted into chat pulls the messaging service, identities, endpoints, retention, and monitoring into scope | AC, AU, IA, SC, SI | Treating chat as "temporary" and overlooking retained copies |
| Channel posts & replies | Teams chat service + associated compliance storage | Channel conversations can carry CUI independently of channel files | AC, AU, IA, SC, SI | Governing files while ignoring the text conversation |
| Standard-channel files | The team's parent SharePoint site (Documents library, folder per channel) | SharePoint permissions, external sharing, sync, and retention all enter the analysis | AC, AU, CM, MP, SC | Assuming Teams membership and SharePoint permissions always stay aligned |
| Private-channel files | A separate, dedicated SharePoint site with its own permissions | Each private-channel site must appear in your inventory and evidence set when it holds CUI | AC, AU, CM, MP, SC | Missing the separate sites during inventory or offboarding |
| Shared-channel files | A separate, dedicated SharePoint site for the shared channel (Teams Connect) | Cross-organization members extend your identity and authorization analysis beyond your tenant | AC, AU, IA, PS, SC | Assuming the channel name tells you who can reach the SharePoint site |
| Files shared in chat | The sender's OneDrive for Business ("Microsoft Teams Chat Files") | OneDrive permissions, link-sharing, endpoint sync, and account offboarding all matter | AC, AU, MP, SC, SI | Deleting a chat while the underlying OneDrive file stays shared |
| Live meeting audio, video & screen share | Processed and transmitted through Teams and participant endpoints; not retained unless a feature creates an artifact | A live meeting can process or transmit CUI even when nothing is recorded | AC, IA, PE, SC, SI | Assuming "not recorded" means "outside scope" |
| Recordings & transcripts | Depends on the meeting — OneDrive or SharePoint depending on meeting type | A recording or transcript of a CUI discussion becomes a durable CUI artifact with its own permissions and retention | AC, AU, MP, SC, SI | Auto-enabling recording or transcription without reviewing the artifacts it creates |
| Voicemail, calendar & contacts | Exchange services | Voicemail text, meeting subjects, or attachments can expose CUI or program details | AC, AU, IA, SC | Excluding voicemail and calendars because they appear inside the Teams window |
| Guests & external access | The same underlying services — but identities and endpoints extend beyond your tenant | Authorization, identity proofing, access review, and offboarding need explicit treatment | AC, IA, PS, SC | Permanent or stale guest accounts, or treating a known email domain as authorization |
| Anonymous / PSTN dial-in participants | The meeting/calling path plus participant endpoints and telephony components | You must know who's authorized to receive the information and whether the meeting suits CUI at all | AC, IA, SC | Discussing CUI before all participants are authenticated and authorized |
| Apps, bots, connectors & meeting assistants | Possibly Microsoft services, external services, or both — third-party processing can sit outside Microsoft's commitments | Every integration needs its own data-flow, authorization, and vendor review | AC, AU, CA, CM, RA, SC, SI | Allowing an app because it appears in Teams without reviewing where its data goes |
| Desktop & mobile endpoints | Data is displayed, cached, synced, or downloaded onto your devices | Any device that handles CUI can itself become a CUI asset in the boundary | AC, CM, IA, MP, SC, SI | Governing the cloud tenant while allowing unmanaged devices or local downloads |
| Retention, legal hold & eDiscovery copies | Exchange, SharePoint, OneDrive, and Microsoft compliance services | Retained copies can still contain CUI after a user "deleted" the original | AU, MP, SC, SI | Treating user deletion as complete data disposition |
*The family column is our editorial planning map — it flags which control families a surface tends to implicate. It is not a claim that a Teams feature satisfies or fails any specific requirement. The storage facts come from Microsoft; the scope consequences are our inferences from 32 CFR § 170.19.
The lesson isn’t “Teams is dangerous.” It’s that your CMMC boundary follows your CUI and your security-protection functions — not the Teams logo. Two companies on the identical GCC High tenant can have completely different scopes depending on which of these surfaces their people actually use.
Can Teams-connected security tools be in scope even if they never store CUI?
Yes. Under 32 CFR § 170.19, an asset can be in scope because it provides security protectionfor your CUI environment — even if no CUI file is ever stored on it. These are Security Protection Assets, and the data they generate is Security Protection Data (SPD). For a Teams environment, that catches the systems most contractors forget to inventory.
Think about what actually secures a Teams-plus-CUI setup: Microsoft Entra ID (identity and Conditional Access), Microsoft Intune (device management), Microsoft Defender (endpoint and threat protection), Microsoft Purview (labeling and data loss prevention), and any SIEM or managed-security tooling watching the logs. None of those is where a user drops a CUI file. All of them can be in scope because they protect the CUI environment. Their configuration, access, and logs become part of your assessment story.
The practical takeaway: when you scope Teams, don’t just chase the repository where CUI lives. Map the tools that protectit too — and if a cloud or external provider runs any of those functions, document how responsibility is split.
The Customer Responsibility Matrix (CRM).When a cloud service provider (CSP) or external service provider (ESP) handles part of a control, the split between what Microsoft (or your MSP) does and what you do must be documented or referenced in your SSP. Microsoft publishes customer-responsibility material for its services; your job is to capture, per requirement, who’s responsible, what the evidence is, and where it lives. A CRM is how “GCC High handles the platform” turns into a defensible, requirement-by-requirement record instead of a hopeful assumption.
Can Commercial Microsoft Teams support CMMC Level 1?
Potentially yes — because CMMC Level 1 protects FCI through 15 basic safeguarding requirements from FAR 52.204-21(b)(1), and does not automatically require GCC or GCC High. Commercial Teams is not a Level 1 certificate, though. You still have to implement, self-assess, evidence, and annually affirm those safeguards across the actual system that touches FCI.
A number worth clearing up: CMMC Level 1 has 15 requirements, not 17. The current rule — 32 CFR § 170.14(c)(2) — defines 15 Level 1 requirements, incorporating the ones in FAR 52.204-21(b)(1). The “17” figure comes from the 2021 CMMC 2.0 model, which split requirement (ix) into three separate items; the rule itself now treats it as 15. If a page still says 17, it hasn’t been reconciled with the controlling regulation. See our basic safeguarding requirements FCI guide for all 15 with evidence guidance.
Commercial Teams is a plausible Level 1 home when:
- You handle FCI only — no CUI anywhere in the environment.
- Your contract requires Level 1 (look for FAR 52.204-21 in older contracts; FAR 52.240-93 in newer deviation-path solicitations).
- You’ve actually implemented the safeguards across all six families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity.
- You can produce evidence and handle the annual senior-official affirmation in SPRS.
- You’ve reviewed any third-party services touching FCI.
You might still choose GCC even at Level 1 — for interoperability, a future CUI transition, or a prime’s preference — but that’s a business and architecture decision, not a Level 1 mandate. Don’t let anyone tell you Level 1 requiresGCC. It doesn’t.
The classic, expensive mistake at this tier: a machine shop or services firm assumes “we’re small, we’re Level 1” while a customer drawing marked CUI sits in someone’s inbox. If you’re not certain you’re CUI-free, resolve thatfirst — it changes everything downstream, including which environment you need. Work through our FCI basic safeguarding requirements guide before you sign the affirmation — the signature is a federal attestation, and it’s only as strong as the evidence behind it.
Can Microsoft Teams support CMMC Level 2?
Yes, Teams can be part of a Level 2 system — but Level 2 is an organization-and-system outcome against all 110 NIST SP 800-171 Revision 2 security requirements, not a Teams configuration. When Teams handles CUI, its cloud services, identities, endpoints, external providers, security tools, incident duties, and evidence all have to be addressed inside your actual assessment scope.
It’s 110 security requirements across 14 control families — and Revision 2 is the version that controls, for both CMMC and your contract. 32 CFR Part 170 incorporates Revision 2 for CMMC Level 2. On the contract side, DFARS 252.204-7012 is pinned to Revision 2 under Class Deviation 2024-O0013. NIST did publish Revision 3 (May 14, 2024), but it is notthe controlling version for CMMC or for 7012 today. Build to Revision 2 — and be skeptical of anyone designing your program to Revision 3 as if it already governs.
Level 2 (Self) and Level 2 (C3PAO) are two different paths — and the suspension matters here. During the current suspension period, solicitations designate Level 1 (Self) or Level 2 (Self); the broader expansion of Level 2 (C3PAO) requirements as a condition of award is exactly what Phase II would have driven, and Phase II is paused. So do not assume every Level 2 obligation currently demands a C3PAO. Check your specific solicitation, contract, amendment, and prime direction.
When Teams (or any cloud) handles CUI on your behalf, DFARS 252.204-7012 adds concrete obligations. If you use an external cloud service provider to store, process, or transmit covered defense information in performing the contract, you must require and ensure that provider meets security requirements equivalent to the FedRAMP Moderate baselineand complies with the clause’s cyber-incident provisions — including rapidly reporting a cyber incident within 72 hours of discovery and preserving images of affected systems and relevant monitoring or packet-capture data for at least 90 daysfrom submission of the incident report. GCC High carries Microsoft’s DFARS 7012 flow-down commitments; for GCC, obtain and review the specific offering’s terms.
And the division of labor, stated plainly: Microsoft provides platform capabilities and service-level evidence. You own data classification, identity, devices, configuration, process, and proof. A Microsoft attestation covers Microsoft’s part. It does not cover yours — and much of the 110 is yours.
Do you actually need GCC High for Microsoft Teams?
Not every contractor needs GCC High, and “we handle CUI” is not specific enough to decide. GCC High is often the stronger candidate for export-controlled data (ITAR/EAR) or contracts with stronger sovereignty requirements; Commercial (FCI only), standard GCC, or a separate enclave can be defensible in other cases. The deciding factors are your CUI category, your export status, and your contract language — not a consultant’s default.
Signals that genuinely point toward GCC High:
- Your CUI is export-controlled (ITAR- or EAR-controlled technical data) — the U.S.-person-access constraint alone rules out Commercial and standard GCC.
- Your CUI is CUI Specified in a category whose controls, or a customer requirement, call for the access and sovereignty GCC High supplies.
- Your contract or a documented prime flow-down names GCC High, FedRAMP High, or an equivalent sovereignty requirement.
- You need Microsoft services within GCC High’s specific authorization boundary.
Signals that do not, by themselves, prove you need it:
- A consultant says “all CUI requires GCC High.” (It doesn’t — Microsoft’s own docs say standard GCC serves many CUI Basic cases.)
- A competitor uses it.
- You want to “become CMMC certified.” (There’s no certificate you buy.)
- Your tenant happens to contain a government customer’s email address.
- You expect a future contract but have no CUI and no clause yet.
A short decision path:
- Is any of the data export-controlled (ITAR/EAR)? (Yes → GCC High territory.)
- Is the CUI Basic or Specified? (Specified may point higher, depending on the category and customer requirements.)
- Which Teams surfaces do you actually need? (Fewer surfaces → an enclave gets easier.)
- Can you genuinely enforce a separate enclave? (If not, an enclave is a liability, not a control.)
- What does the contract say? (This is the tiebreaker, always.)
For a comprehensive look at when GCC High is and isn’t necessary, see our GCC High for CMMC guide and our GCC vs GCC High comparison.
Can you discuss CUI in Microsoft Teams meetings, calls, or screen shares?
A live Teams meeting can process or transmit CUI through speech, video, screen share, or meeting chat — even when no recording is created. So whether a meeting is defensible depends on the tenant boundary, who’s authorized to be there, your endpoints, and your meeting settings — not on whether you hit “record.”
The trap is the word “stored.” People assume that if nothing is saved, nothing is in scope. Not so — CUI spoken aloud to an unauthorized participant, or shown on a shared screen, has been transmitted. That’s a scoping event on its own.
Where meetings go wrong:
- Participant authorization. Internal attendees, guests, external-access users, shared-channel members, anonymous joiners, PSTN dial-ins, forwarded invitations, and the person who slips in late — every one is an access-control question, not a courtesy.
- Screen sharing. Sharing your entire screen exposes notifications, open folders, other windows, and multiple monitors. A support technician watching your screen is now a participant in the data flow.
- The meeting itself. Lobby settings, presenter permissions, recording and transcription defaults, and dial-in policy either enforce your boundary or quietly defeat it.
Disabling recording does not make an otherwise uncontrolled meeting safe for CUI. It removes one artifact. It does nothing about who’s in the room, what’s on the shared screen, or which device they’re on.
Which Microsoft Teams settings and controls matter for CMMC — and where’s the honest limit?
Teams and Microsoft 365 settings can implement or support parts of a Level 2 program, but a settings checklist is never a 110-requirement pass. Organize your configuration by control objective and evidence value — and keep in mind that policy, personnel, physical security, incident response, and other non-Teams requirements still stand outside any settings screen.
The honest limit: you can configure every toggle below perfectly and still fail an assessment, because CMMC grades whether your controls operate and whether you can proveit — across your whole system, including the parts Teams never touches. Settings are necessary. They’re not sufficient.
The settings that carry real weight, grouped by what they’re for:
- Identity & access (AC, IA): Entra ID, multi-factor authentication (MFA), Conditional Access, privileged-role limits, least privilege, break-glass accounts, access reviews, guest lifecycle, service accounts, session controls.
- Teams collaboration policy (AC, SC): guest access, external access, shared channels, anonymous join, lobby bypass, presenter permissions, recording/transcription, file sharing, federation allowlists, team-creation and private-channel governance.
- Information protection (MP, SC, SI): sensitivity labels, data loss prevention (DLP), retention, records management, sharing-link defaults, download controls, eDiscovery roles, encryption context. Licensing reality (verified July 2026): Microsoft 365 E3 can support DLP for files in Exchange, SharePoint, and OneDrive, but DLP for Teams chat and channel messagesrequires an eligible E5/A5/G5 plan or a qualifying add-on. Confirm the exact government-cloud plan and feature entitlement for your tenant — and re-check, because Microsoft changes this.
- Endpoint security (AC, CM, MP, SI): managed-device requirement, Intune/MDM, disk encryption, endpoint detection and response (EDR), patch management, local-admin control, mobile app protection, download/clipboard controls, remote wipe, device inventory.
- Audit & monitoring (AU):Teams audit events, SharePoint/OneDrive events, Entra sign-ins, guest changes, app-consent events, DLP alerts, recording/sharing events, retention changes, admin activity — with a named owner who actually reviews the logs.
- Incident response (IR + DFARS 7012): a playbook that connects Teams architecture to 72-hour reporting, 90-day media preservation, evidence collection, and Microsoft support/forensic access.
What GCC High does not solve
GCC High can give you a stronger Microsoft platform boundary — but it does not classify your data, configure every control, secure every endpoint, authorize every guest, write your SSP, or prove your procedures operate. Microsoft’s own shared-responsibility guidance is blunt about the split: “For all cloud deployment types, you own your data and identities.”
What stays your job after a GCC High migration:
- Identifying and handling your CUI, and drawing the boundary.
- Identity, authorization, and access reviews.
- Endpoints — which remain your responsibility even when they’re enrolled in Microsoft identity, management, and security services.
- Configuration, policy, personnel, and physical safeguards.
- Monitoring, incident response, and evidence.
- Every third-party service in the mix, documented through your CRM.
And the tradeoffs people underestimate: collaboration changes— guest interoperability, external federation, and feature parity differ from Commercial, and some features arrive later. Migration is real work— identity, mail, files, channel restructuring, external-user impact, device enrollment, DNS, app compatibility, training, and the risk of running two environments during cutover.
GCC High is genuinely valuable when it answers a real contractual or CUI-boundary need. It’s wasteful when it’s bought as a substitute for scope analysis — and it’s dangerous when leadership assumes the migration finished the compliance program.If, reading this, you realize your data doesn’t justify GCC High, that’s not a loss — that’s money you just kept.
Migrate everything, use a CUI enclave, or keep CUI out of Teams?
An all-in migration simplifies one collaboration boundary but exposes your whole organization to migration cost and feature tradeoffs; a CUI enclave narrows scope; a “no CUI in Teams” model preserves Commercial collaboration — but the two narrower models only work when technical controls and real habits actually stop CUI from leaking. The right model is the one you can enforce, not the one that reads best in a policy document.
Model 1 — Whole-company GCC or GCC High migration. Best when CUI use is broad, many people collaborate on it, CUI meetings are frequent, and you have strong internal IT. The drawback: the widest operational impact, real migration complexity, feature and collaboration changes, and more users and devices inside the protected environment.
Model 2 — Commercial Teams plus a separate CUI enclave.Best when a limited group handles CUI in defined workflows, a full migration is too disruptive, and most staff need to keep familiar tools. The drawback: cross-boundary movement, user confusion, duplicate identities or devices, and the leakage risk from links, previews, and notifications. An enclave you can’t operate cleanly is worse than no enclave.
Model 3 — Keep CUI out of Teams entirely.Best when Teams is used for non-sensitive coordination and CUI lives in a separately approved system. The drawback: it’s hard to enforce under deadline pressure, and filenames, chat context, and screen shares can expose sensitive information even when the CUI file itself never enters Teams. A “do not upload CUI” banner is not a control.
| Decision factor | Whole-company migration | CUI enclave | No CUI in Teams |
|---|---|---|---|
| CUI user population | Broad | Limited | Very limited or none |
| Collaboration simplicity | Highest inside the protected tenant | Split workflow | Lowest for CUI work |
| Migration impact | Highest | Moderate | Lowest initially |
| Boundary-leakage risk | Lower cross-cloud risk, but broader scope | High if poorly integrated | High if it's policy-only |
| Evidence complexity | Broad enterprise evidence | Boundary-heavy evidence | Monitoring/enforcement-heavy |
| Provider category that usually fits | GCC/GCC High MSP or MSSP | CUI-enclave provider | RPO plus implementation support |
Which CMMC provider category do you need for Microsoft Teams?
The right provider depends on your unresolved problem, not on the word “Teams.”
- RPO / RP (Registered Provider Organization / Registered Practitioner) — scope & readiness. An RP/RPO can identify the relevant clauses, map your stated CMMC level, document information flow, run a gap assessment, and help build your SSP and POA&M. Disputed clause applicability, flow-down meaning, CUI-designation disputes, export-control interpretation, and enforcement questions belong with a qualified federal-contracts or export-control attorney — not a consultant.
- MSP / MSSP (Managed Security Service Provider) — implementation & operations. When you need someone to configure and run the environment: Entra, Intune, Defender, Purview, endpoint management, logging, monitoring, incident response, and ongoing evidence — including managed GCC/GCC High.
- CUI-enclave provider — boundary reduction. When the smart architecture is an isolated collaboration space for a limited CUI population, with a separate identity/device model and controlled data exchange.
- GRC platform — evidence & workflow. When your gap is control ownership, evidence collection, SSP/POA&M workflow, and continuous-compliance operations. A supporting layer — not a substitute for actual implementation. Software alone never satisfies CMMC.
- C3PAO — formal assessment. Only when a formal certification assessment is genuinely your current objective, you’re assessment-ready, and your contract or strategy supports it.
On the independence rule — it’s stricter than most contractors expect, and it’s in the regulation, not just guidance. Under 32 CFR § 170.8, a C3PAO — and every member of its assessment team — may not conduct a CMMC Level 2 certification assessment for an organization it served as a consultant, advisor, or implementer for within the prior three years. C3PAOs also must meet ISO/IEC 17020 impartiality requirements. The practical version: run two separate searches — one for readiness/implementation, one for assessment — and verify a C3PAO’s authorization on the Cyber AB Marketplace before you sign anything.
Microsoft Teams CMMC compliance checklist
This checklist is a scoping and evidence starting point — not a certification test. A “yes” can’t override your contract, your actual CUI flow, or an assessment objective, and an “unknown” should trigger a documented investigation rather than an assumed pass. Work it top to bottom, and don’t reduce it to a percentage — CMMC isn’t graded that way.
Contract & information
- Required CMMC level identified from the contract/solicitation
- Assessment type identified (Self vs C3PAO), current as of today
- Clauses reviewed in both numbering systems: FAR 52.204-21 / 52.240-93; DFARS 252.204-7012, -7021, -7025; and DFARS 252.240-7997 where the deviation applies
- FCI vs CUI determination documented; CUI Basic vs Specified considered
- Export-control (ITAR/EAR) status reviewed as a separate determination
- Prime flow-down requirements documented
Tenant & service scope
- Tenant type identified (Commercial / GCC / GCC High / mixed)
- Teams service scope verified against Microsoft’s current documentation (with date)
- SharePoint, OneDrive, Exchange, and Entra ID roles in scope identified
- Security Protection Assets identified (Entra ID, Intune, Defender, Purview, SIEM, MSP tooling)
- External service providers listed, with a Customer Responsibility Matrix per provider
Teams surfaces (from the surface matrix)
- Chats, channel messages, standard/private/shared-channel files, chat attachments
- Meetings, screen sharing, recordings, transcripts, voicemail
- Apps, bots, connectors; desktop and mobile endpoints
Identity, collaboration, endpoints, information protection
- MFA, Conditional Access, privileged-role limits, access reviews, offboarding
- Guest/external/shared-channel policy; anonymous and PSTN participation controls
- Managed-device policy, encryption, EDR, patching, mobile app protection
- Sensitivity labels, DLP (licensing verified for chat/channel vs file), retention, sharing defaults, disposition
Monitoring, incident response, evidence
- Audit logging enabled with a named review owner
- Incident playbook covering 72-hour reporting and 90-day media preservation
- SSP, asset inventory, CUI flow diagram, network diagram, Customer Responsibility Matrix
- Policy exports, tickets, access reviews, training, change and test records
- SPRS record and senior-official affirmation current, if applicable to your CMMC status and contract
What we verified and how we built this
This analysis separates three things on purpose: regulatory requirements, Microsoft-stated platform capabilities, and our editorial conclusions. We assembled it from current official CMMC and DFARS sources, NIST publications, and Microsoft’s own documentation — and we used community discussions only to understand searcher language and real-world friction, never as evidence for a regulatory or contractual claim.
Our source hierarchy, in order of authority: the Department’s current CMMC announcements and implementation memoranda; the eCFR and Acquisition.gov for the rule and clauses; NIST’s Computer Security Resource Center for the standards; Microsoft Learn for Microsoft-specific architecture and capability; the Cyber AB for ecosystem process and independence rules.
Limitations, stated plainly:we did not test a live customer tenant or conduct a CMMC assessment; Microsoft features and licensing change; contract interpretation is fact-specific; the February 2026 clause renumbering is not yet codified in formal rulemaking; and the July 2026 suspension may change again after the reform review. When we re-verify, we update the “Last verified” date at the top — and we keep a public corrections and change log.
Frequently asked questions
- Is Microsoft Teams CMMC certified?
- No. CMMC evaluates your organization's scoped system and implementation; Microsoft does not offer a Teams license that independently establishes your CMMC status. Your configuration, endpoints, and evidence decide the outcome.
- Is GCC High automatically CMMC compliant?
- No. GCC High can provide relevant platform capabilities, but you remain responsible for your data, identities, endpoints, configuration, operations, and evidence. Microsoft states that "for all cloud deployment types, you own your data and identities."
- Do we need GCC High for CMMC Level 2?
- Not automatically. It depends on your contract, CUI category, export-control status, which Teams features you use, and whether a separate enclave is a better fit. Microsoft's own guidance is that standard GCC serves many CUI Basic cases.
- Can Commercial Teams support CMMC Level 1?
- Potentially — when the environment handles FCI (not CUI), your contract requires Level 1, and you implement and evidence all 15 requirements from FAR 52.204-21(b)(1). CMMC Level 1 has 15 requirements, not 17; 32 CFR § 170.14 defines that set.
- Can Commercial Teams handle CUI?
- Don't treat it as the default answer. Microsoft excludes Office 365 Commercial from its current NIST SP 800-171 audit scope and shows it as not supporting DFARS 7012. Most contractors evaluate GCC, GCC High, or a separate enclave for CUI instead.
- Can GCC handle CUI?
- GCC may be evaluated for some CUI Basic workloads, but Microsoft states it is not suitable for CUI Specified, including export-controlled data such as ITAR-controlled information. Verify your contract, CUI category, and export status before relying on it.
- Is CUI Specified the same as ITAR or EAR?
- No — they're separate determinations. Whether information is CUI Basic or CUI Specified is set by its CUI category; whether it's export-controlled (ITAR/EAR) is a separate legal question. Export status can attach to CUI Basic or CUI Specified, and it's the U.S.-person-access restriction that most often drives the GCC High decision.
- Can employees discuss CUI in a Teams meeting?
- Only within an appropriately scoped, controlled environment, with authorized participants and suitable endpoints. A live meeting can process or transmit CUI even if no recording is made.
- Are Teams recordings and transcripts CUI?
- They can be, when they capture CUI. Recordings and retained transcripts are stored in OneDrive or SharePoint depending on the meeting, so they need corresponding access, retention, and disposition controls.
- Where are Teams chats and files stored?
- Teams messaging uses the Teams chat service with compliance copies in Exchange; channel files are stored in SharePoint, and files shared in chats are stored in the sender's OneDrive for Business.
- Can guests or subcontractors join an in-scope Teams workspace?
- Potentially — but they must be authorized, governed, and included in your identity, endpoint, and data-flow analysis. A known email domain is not authorization, and stale guest accounts are a recurring risk.
- Can we put secure-enclave links in Commercial Teams?
- Potentially, but the message, filename, preview, notification, or copied content must not expose CUI, and your architecture must prevent Commercial Teams from becoming a processor, repository, or security-protection asset for CUI.
- Does disabling meeting recording solve the CUI risk?
- No. It removes one persistent artifact but does nothing about live audio, screen sharing, meeting chat, participant authorization, or endpoints.
- Did the July 2026 Phase II suspension eliminate CMMC?
- No. Phase I self-assessment requirements remain, and DFARS 252.204-7012 continues to apply. The suspension paused the expansion of third-party assessments; it did not remove your obligation to protect CUI.
- Does DLP make Teams CMMC compliant?
- No. DLP supports specific information-protection objectives, but it doesn't implement the full 110-requirement Level 2 set or your organization's non-technical responsibilities. Note too that DLP for Teams chat and channel messages requires an eligible E5/A5/G5 plan or add-on, while E3 covers file DLP in Exchange, SharePoint, and OneDrive.
- Does the 2026 clause renumbering change what I have to do?
- No — it's a reorganization. FAR 52.204-21 became FAR 52.240-93, DFARS 252.204-7019 was eliminated, and 252.204-7020 became 252.240-7997, but 7012, 7021, and 7025 are unchanged, and the underlying obligations are the same. If you handle CUI, the self-assessment and SPRS obligations now sit under DFARS 252.204-7021.
- Is Direct Routing required for CMMC compliance?
- No CMMC rule establishes Direct Routing as a universal compliance requirement. It's a Microsoft telephony architecture used in certain government-cloud calling scenarios — an implementation detail, not a control.
- Does a C3PAO configure Microsoft Teams?
- No — and it generally can't and then assess the same environment. A C3PAO's role is formal assessment, and the rule bars it from assessing an organization it consulted for or implemented for within the prior three years. If you need scoping, migration, or managed operations, identify a readiness or implementation provider first.
- What about CMMC Level 3?
- Level 3 requires a prior Final Level 2 (C3PAO) status, is assessed by the government's DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), and adds 24 selected requirements from the February 2021 edition of NIST SP 800-172 — not a later NIST edition, unless the rule is amended. Like the rest of CMMC, its rollout remains paused in Phase 1.
- Which CMMC provider type should help with Teams?
- Scope uncertainty points to an RPO/RP; configuration and operations to an MSP/MSSP; a separated environment to a CUI-enclave provider; evidence workflow to a GRC platform; and formal assessment to a C3PAO when applicable.
Before you hire, get the environment decision right
If you take one thing from this page, take this: Microsoft Teams CMMC compliance is decided by your contract, your CUI, your configuration, and your evidence — not by a product label. Get the environment decision right first, and the rest of your CMMC spend gets a lot cheaper and a lot less risky.
Disclosure
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Independence & scope
The Defense Compliance Report is not affiliated with the Cyber AB, the Department of War/Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, or compliance advice. Confirm contract applicability, CUI scope, export-control status, and assessment requirements with a qualified CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where appropriate, a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.
Primary sources
- 32 CFR Part 170 — CMMC Program rule
- DFARS 252.204-7012 — Safeguarding Covered Defense Information & Cyber Incident Reporting
- DFARS 252.204-7021 — CMMC requirements · DFARS 252.204-7025 — Notice of CMMC level requirements
- Department Class Deviation 2024-O0013 (DFARS 7012 → NIST SP 800-171 Rev. 2) and Class Deviation 2026-O0025 (FAR/DFARS renumbering)
- NIST SP 800-171 Rev. 2 and NIST SP 800-172
- Microsoft: NIST SP 800-171 offering, CMMC / US Government cloud, shared responsibility
- Cyber AB — Code of Professional Conduct and Marketplace
- NARA CUI Registry — CUI categories (Basic/Specified) and export-control entries