The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

Microsoft Teams CMMC Compliance: Can Teams Handle FCI or CUI?

By The Defense Compliance Report Editorial Team · Last verified: July 17, 2026

Microsoft Teams CMMC compliance isn’t a setting you switch on or a license you buy — it’s a property of your whole system, and Teams is just one moving part of it. Bottom line up front: Teams by itself is never “CMMC certified.” What actually decides compliance is the Microsoft 365 environment Teams runs in — Commercial, GCC, or GCC High — plus how you configure it, where your data lands, which connected systems and devices touch it, and what your contract requires you to protect.

The part most vendors won’t say out loud is whichof those applies to you — and the wrong call is expensive. Below is the source-checked map we built: which Microsoft environment fits your data, where a Teams chat or meeting recording actually goes, which features quietly pull CUI into scope, and what to have ready before a prime or an assessor asks.

Best forNot forThe one qualifier that changes everything
DIB contractors deciding whether Teams can handle their FCI or CUI, and which Microsoft environment to run.Anyone hunting for a “Microsoft CMMC certified” seal or a single setting that guarantees compliance.Your contract sets the required CMMC level and assessment type; your actual data flow sets the system boundary. Neither is decided by a product name.

Your situation, in one glance:

If this is youThe starting answer
FCI only / Level 1Commercial or GCC can work — if you implement and evidence all 15 basic safeguarding requirements.
CUI Basic / Level 2Evaluate GCC, GCC High, or a separate CUI enclave based on your contract, CUI category, export status, and who needs access.
CUI that is export-controlled (ITAR/EAR)Microsoft says GCC is not suitable for export-controlled data; GCC High (or another defensible boundary) usually deserves evaluation.
Want to keep CUI out of Teams entirelyCommercial Teams can stay out of scope — but only if your architecture and habits actually stop CUI from landing in it, and Teams isn't providing security for the CUI environment.

Sources: 32 CFR Part 170 §§ 170.14–170.19 (the CMMC Program rule); Microsoft’s NIST SP 800-171 and CMMC documentation.


Is Microsoft Teams CMMC compliant?

No product — Teams included — is “CMMC compliant” on its own. CMMC (Cybersecurity Maturity Model Certification) assesses your organization’s information system against a security standard; it does not certify individual apps. Microsoft supplies government cloud environments (GCC and GCC High) that can host CUI inside a compliant boundary, but whether youare compliant depends on your tenant, your configuration, your endpoints, your procedures, and your evidence — not the app’s name.

We lead with this because it’s the single most expensive misunderstanding in the Defense Industrial Base. A contractor hears “we’re on GCC High,” assumes the box is checked, and moves on. It isn’t checked. GCC High is a platform. CMMC is an outcome your whole organization has to produce and prove.

There’s a second reason “Is Teams compliant?” is the wrong question: Teams is not one thing.It looks like a single app, but under the hood it’s a front end to several Microsoft services — SharePoint, OneDrive, Exchange, and Microsoft Entra ID (identity) — each holding different pieces of what your people type, share, and record. You can’t document “Teams” as one asset and stop. We map exactly where each piece goes further down, because that map is where scope is won or lost.

Here’s our one hard truth:GCC High does not make you compliant. Plenty of contractors buy it — or get sold it — before anyone confirms their data actually requires it, when standard GCC or a smaller CUI enclave would have covered the same data with materially less cost and disruption. And even after a full migration, they’re still missing the controls, configuration, and evidence that CMMC actually evaluates.

The good news: the right decision starts with two straightforward questions — what does my contract require, and is any of my CUI export-controlled?— not with a migration quote. Answer those and the fog lifts.

The five questions that actually decide the answer:

  1. What does the solicitation or contract require — Level 1, Level 2, or Level 3?
  2. Is the information FCI, CUI Basic, or CUI Specified — and, separately, is it export-controlled?
  3. Which Microsoft environment are you on — Commercial, GCC, or GCC High?
  4. Which Teams-connected services, security tools, and endpoints actually touch that data?
  5. Can you produce evidence that your controls operate — not just that a box was ticked once?

Commercial vs GCC vs GCC High: which Microsoft environment do you need?

Microsoft 365 Commercial, Office 365 GCC, GCC High, and Microsoft 365 DoD are not interchangeable, and the right one depends on your data and contract — not your preference. Microsoft’s current NIST SP 800-171 offering includes Teams in GCC, GCC High, and DoD, but excludes Office 365 Commercial from that third-party audit scope.

Quick definitions. GCC(Government Community Cloud) is a government-focused Microsoft 365 environment running on Microsoft’s commercial Azure infrastructure in a segregated partition. GCC Highis a separate environment built on Azure Government, with U.S. data residency and support access restricted to screened U.S.-person personnel — built for the DIB and for export-controlled technical information. Microsoft 365 DoDis restricted to eligible Department entities — not a purchasable “upgrade” for a contractor.

Two separate determinations drive the choice — collapsing them is where contractors overspend or under-protect:

Note the deliberate absence of the word “compliant” in any single row. No environment is compliant by itself.

Teams environmentWhere it fitsWhat Microsoft saysThe catchWhat it means for your CMMC scope
Microsoft 365 CommercialFCI-only work at Level 1; ordinary business collaboration kept outside the CUI boundary.Office 365 Commercial is excluded from Microsoft’s NIST SP 800-171 audit scope, and Microsoft’s compliance documentation shows it as not supporting DFARS 7012.Don’t treat the license name as evidence you can hold CUI. If CUI lands here, you have a problem, not a plan.The moment a user puts CUI in Commercial Teams, the connected services, endpoints, and security tools pull into scope — on a platform excluded from the relevant audit scope.
Office 365 GCCA candidate for some CUI Basic where the contract, CUI category, and sovereignty needs fit.Microsoft includes Teams, SharePoint, OneDrive, and Exchange in GCC in its NIST SP 800-171 offering.Microsoft states GCC is not suitable for CUI Specified, including export-controlled data such as ITAR-controlled technical information.The GCC label doesn’t finish the job — your identity, endpoint, external-access, app, and evidence work is still yours.
Office 365 GCC HighIn-scope CUI environments, especially export-controlled (ITAR/EAR) data or where the contract demands stronger sovereignty.Microsoft states GCC High can support Level 2 and Level 3 environments when correctly configured.GCC High does not classify your data, configure your controls, secure your laptops, write your SSP, or generate your evidence. Collaboration and feature availability also differ from Commercial.Platform boundary strength is real — but a migration without the controls, evidence, and operational discipline is a very expensive, very incomplete compliance program.
Microsoft 365 DoDEligible Department entities only.Microsoft restricts this environment to eligible DoD organizations.It is not a purchasable “upgrade” for a contractor just because you work for the government.Not a normal DIB architecture choice — disqualify yourself from this path.
Commercial Teams + a separate CUI enclaveKeep familiar Commercial Teams for most staff while confining CUI to a separately governed system.32 CFR § 170.19 permits assets to stay out of scope only under the rule’s actual data-flow and separation conditions.Links, file previews, filenames, notifications, copy-paste, downloads, and screenshots can quietly collapse the boundary. An enclave you can’t operate cleanly is worse than no enclave.Scope narrows only when you can actually enforce it — which requires real technical controls, not a “do not put CUI in Teams” policy.

A few defensible non-Microsoft paths satisfy the same underlying cloud requirement — but authorization attaches to a specific offering and boundary, not a whole brand. Confirm the exact offering and its authorization status on the FedRAMP Marketplace before you rely on it.

This matrix is a decision aid, not a compliance verdict. It reflects current regulation and Microsoft’s own documentation. It does not determine contract applicability, certify an environment, or replace scope review by a qualified practitioner or federal-contracts attorney.

Not sure where your setup lands? Use The Defense Compliance Report’s routing tool to map your situation to the right provider category before you request quotes.


What changed after the July 2026 CMMC Phase 2 suspension?

On July 13, 2026, the Department suspended advancement to CMMC Phase II — the planned expansion that would have made broader Level 2 third-party assessment a condition of award — but Phase I self-assessment requirements and DFARS 252.204-7012 duties remain in force. The pause changes the near-term rollout of new assessment mandates; it does not erase your existing obligations to safeguard CUI, report incidents, or meet current contract terms.

What’s paused: the planned move into Phase II, which would have layered broader Level 2 third-party assessment requirements into contract awards on the old November 10, 2026 timeline. Treat that date as history.

What remains fully in effect:

And here’s the part that matters most for this page: the reason your Microsoft environment choice survives the pause is that it never depended on CMMC in the first place. DFARS 252.204-7012 has been in effect since 2016, with implementation of the NIST SP 800-171 security requirements required no later than December 31, 2017. Suspend the verification, and the underlying obligation is untouched. That’s why “we’ll just wait for CMMC to settle” is not a strategy if CUI is sitting in your Teams tenant today.

DateWhat happenedWhat it means now
Dec 31, 2017DFARS 252.204-7012 NIST SP 800-171 implementation deadlineThe safeguarding baseline for covered defense information. Still in force.
Dec 16, 202432 CFR Part 170 (the CMMC Program rule) took effectThe controlling CMMC regulatory structure.
Nov 10, 2025 – Nov 9, 2026Original codified Phase 1 window; Phase 2 was set to begin one year after Phase 1Phase I self-assessment requirements remain.
Jul 13, 2026Advancement to Phase II suspended; 60-day review launchedNo current Phase II transition date. DFARS 7012 and Phase I unaffected.
FutureReform outcome unknownRe-verify against the Department's official CMMC and acquisition sources.

One caution: a Level 1 or Level 2 self-assessment is still a federal attestation a senior official signs. A knowinglyfalse cybersecurity representation can create False Claims Act exposure — the Department of Justice’s Civil Cyber-Fraud Initiative exists to pursue exactly those cases. The suspension lowered the near-term assessment pressure. It did not lower the stakes of signing your name to a score your evidence can’t back up.


Which FAR and DFARS clause numbers apply after the 2026 overhaul?

As of February 1, 2026, a Department class deviation under the “Revolutionary FAR Overhaul” renumbered the cybersecurity clauses — but it’s a reorganization, not a rollback, and the core CMMC clauses did not change. FAR 52.204-21 moved to FAR 52.240-93; DFARS 252.204-7019 was eliminated; DFARS 252.204-7020 moved to DFARS 252.240-7997; and DFARS 252.204-7012, -7021, and -7025 are unchanged. Because this was done by class deviation ahead of formal rulemaking, both old and new numbers can appear depending on your contract.

What it governsLegacy numberCurrent deviation numberStatus
Basic safeguarding of FCI (the 15 requirements)FAR 52.204-21FAR 52.240-93Renumbered; text and 15 requirements unchanged. CMMC Level 1 still references 52.204-21.
Safeguarding CUI + cyber-incident reporting + external-cloud rulesDFARS 252.204-7012DFARS 252.204-7012Unchanged.
CMMC compliance requirementDFARS 252.204-7021DFARS 252.204-7021Unchanged.
Notice of required CMMC levelDFARS 252.204-7025DFARS 252.204-7025Unchanged.
"Basic" NIST 800-171 self-assessment provisionDFARS 252.204-7019(eliminated)The standalone "Basic" self-assessment provision no longer exists as a separate clause.
NIST 800-171 DoD assessment requirementsDFARS 252.204-7020DFARS 252.240-7997Moved to new DFARS Part 240.

If you handle CUI, the self-assessment and SPRS obligations now sit under the CMMC clause, DFARS 252.204-7021. This crosswalk was implemented under Class Deviation 2026-O0025, and formal rulemaking (FAR Case 2026-001) is still in progress, so the numbering could change again. When it does, we update this table. For a deeper dive on the clause history, see our FAR 52.204-21 explained guide.


Where does CUI actually go inside Microsoft Teams?

Teams is an interface across several Microsoft services, not a single container. Chats live in the Teams messaging service with compliance copies in Exchange; channel files live in SharePoint; files shared in chats live in the sender’s OneDrive; recordings live in OneDrive or SharePoint depending on the meeting; and voicemail and calendar data live in Exchange. If you want to scope Teams for CUI, you have to scope all of that.

The Microsoft Teams surface & boundary matrix(v1.0 — verified July 2026 against Microsoft documentation)

Teams surfaceWhere the data actually landsWhy it matters for CMMC scopeLikely NIST 800-171 families*Common failure mode
1:1, group & meeting chatTeams chat service, with compliance copies in Exchange mailboxesCUI typed or pasted into chat pulls the messaging service, identities, endpoints, retention, and monitoring into scopeAC, AU, IA, SC, SITreating chat as "temporary" and overlooking retained copies
Channel posts & repliesTeams chat service + associated compliance storageChannel conversations can carry CUI independently of channel filesAC, AU, IA, SC, SIGoverning files while ignoring the text conversation
Standard-channel filesThe team's parent SharePoint site (Documents library, folder per channel)SharePoint permissions, external sharing, sync, and retention all enter the analysisAC, AU, CM, MP, SCAssuming Teams membership and SharePoint permissions always stay aligned
Private-channel filesA separate, dedicated SharePoint site with its own permissionsEach private-channel site must appear in your inventory and evidence set when it holds CUIAC, AU, CM, MP, SCMissing the separate sites during inventory or offboarding
Shared-channel filesA separate, dedicated SharePoint site for the shared channel (Teams Connect)Cross-organization members extend your identity and authorization analysis beyond your tenantAC, AU, IA, PS, SCAssuming the channel name tells you who can reach the SharePoint site
Files shared in chatThe sender's OneDrive for Business ("Microsoft Teams Chat Files")OneDrive permissions, link-sharing, endpoint sync, and account offboarding all matterAC, AU, MP, SC, SIDeleting a chat while the underlying OneDrive file stays shared
Live meeting audio, video & screen shareProcessed and transmitted through Teams and participant endpoints; not retained unless a feature creates an artifactA live meeting can process or transmit CUI even when nothing is recordedAC, IA, PE, SC, SIAssuming "not recorded" means "outside scope"
Recordings & transcriptsDepends on the meeting — OneDrive or SharePoint depending on meeting typeA recording or transcript of a CUI discussion becomes a durable CUI artifact with its own permissions and retentionAC, AU, MP, SC, SIAuto-enabling recording or transcription without reviewing the artifacts it creates
Voicemail, calendar & contactsExchange servicesVoicemail text, meeting subjects, or attachments can expose CUI or program detailsAC, AU, IA, SCExcluding voicemail and calendars because they appear inside the Teams window
Guests & external accessThe same underlying services — but identities and endpoints extend beyond your tenantAuthorization, identity proofing, access review, and offboarding need explicit treatmentAC, IA, PS, SCPermanent or stale guest accounts, or treating a known email domain as authorization
Anonymous / PSTN dial-in participantsThe meeting/calling path plus participant endpoints and telephony componentsYou must know who's authorized to receive the information and whether the meeting suits CUI at allAC, IA, SCDiscussing CUI before all participants are authenticated and authorized
Apps, bots, connectors & meeting assistantsPossibly Microsoft services, external services, or both — third-party processing can sit outside Microsoft's commitmentsEvery integration needs its own data-flow, authorization, and vendor reviewAC, AU, CA, CM, RA, SC, SIAllowing an app because it appears in Teams without reviewing where its data goes
Desktop & mobile endpointsData is displayed, cached, synced, or downloaded onto your devicesAny device that handles CUI can itself become a CUI asset in the boundaryAC, CM, IA, MP, SC, SIGoverning the cloud tenant while allowing unmanaged devices or local downloads
Retention, legal hold & eDiscovery copiesExchange, SharePoint, OneDrive, and Microsoft compliance servicesRetained copies can still contain CUI after a user "deleted" the originalAU, MP, SC, SITreating user deletion as complete data disposition

*The family column is our editorial planning map — it flags which control families a surface tends to implicate. It is not a claim that a Teams feature satisfies or fails any specific requirement. The storage facts come from Microsoft; the scope consequences are our inferences from 32 CFR § 170.19.

The lesson isn’t “Teams is dangerous.” It’s that your CMMC boundary follows your CUI and your security-protection functions — not the Teams logo. Two companies on the identical GCC High tenant can have completely different scopes depending on which of these surfaces their people actually use.


Can Teams-connected security tools be in scope even if they never store CUI?

Yes. Under 32 CFR § 170.19, an asset can be in scope because it provides security protectionfor your CUI environment — even if no CUI file is ever stored on it. These are Security Protection Assets, and the data they generate is Security Protection Data (SPD). For a Teams environment, that catches the systems most contractors forget to inventory.

Think about what actually secures a Teams-plus-CUI setup: Microsoft Entra ID (identity and Conditional Access), Microsoft Intune (device management), Microsoft Defender (endpoint and threat protection), Microsoft Purview (labeling and data loss prevention), and any SIEM or managed-security tooling watching the logs. None of those is where a user drops a CUI file. All of them can be in scope because they protect the CUI environment. Their configuration, access, and logs become part of your assessment story.

The practical takeaway: when you scope Teams, don’t just chase the repository where CUI lives. Map the tools that protectit too — and if a cloud or external provider runs any of those functions, document how responsibility is split.

The Customer Responsibility Matrix (CRM).When a cloud service provider (CSP) or external service provider (ESP) handles part of a control, the split between what Microsoft (or your MSP) does and what you do must be documented or referenced in your SSP. Microsoft publishes customer-responsibility material for its services; your job is to capture, per requirement, who’s responsible, what the evidence is, and where it lives. A CRM is how “GCC High handles the platform” turns into a defensible, requirement-by-requirement record instead of a hopeful assumption.


Can Commercial Microsoft Teams support CMMC Level 1?

Potentially yes — because CMMC Level 1 protects FCI through 15 basic safeguarding requirements from FAR 52.204-21(b)(1), and does not automatically require GCC or GCC High. Commercial Teams is not a Level 1 certificate, though. You still have to implement, self-assess, evidence, and annually affirm those safeguards across the actual system that touches FCI.

A number worth clearing up: CMMC Level 1 has 15 requirements, not 17. The current rule — 32 CFR § 170.14(c)(2) — defines 15 Level 1 requirements, incorporating the ones in FAR 52.204-21(b)(1). The “17” figure comes from the 2021 CMMC 2.0 model, which split requirement (ix) into three separate items; the rule itself now treats it as 15. If a page still says 17, it hasn’t been reconciled with the controlling regulation. See our basic safeguarding requirements FCI guide for all 15 with evidence guidance.

Commercial Teams is a plausible Level 1 home when:

You might still choose GCC even at Level 1 — for interoperability, a future CUI transition, or a prime’s preference — but that’s a business and architecture decision, not a Level 1 mandate. Don’t let anyone tell you Level 1 requiresGCC. It doesn’t.

The classic, expensive mistake at this tier: a machine shop or services firm assumes “we’re small, we’re Level 1” while a customer drawing marked CUI sits in someone’s inbox. If you’re not certain you’re CUI-free, resolve thatfirst — it changes everything downstream, including which environment you need. Work through our FCI basic safeguarding requirements guide before you sign the affirmation — the signature is a federal attestation, and it’s only as strong as the evidence behind it.


Can Microsoft Teams support CMMC Level 2?

Yes, Teams can be part of a Level 2 system — but Level 2 is an organization-and-system outcome against all 110 NIST SP 800-171 Revision 2 security requirements, not a Teams configuration. When Teams handles CUI, its cloud services, identities, endpoints, external providers, security tools, incident duties, and evidence all have to be addressed inside your actual assessment scope.

It’s 110 security requirements across 14 control families — and Revision 2 is the version that controls, for both CMMC and your contract. 32 CFR Part 170 incorporates Revision 2 for CMMC Level 2. On the contract side, DFARS 252.204-7012 is pinned to Revision 2 under Class Deviation 2024-O0013. NIST did publish Revision 3 (May 14, 2024), but it is notthe controlling version for CMMC or for 7012 today. Build to Revision 2 — and be skeptical of anyone designing your program to Revision 3 as if it already governs.

Level 2 (Self) and Level 2 (C3PAO) are two different paths — and the suspension matters here. During the current suspension period, solicitations designate Level 1 (Self) or Level 2 (Self); the broader expansion of Level 2 (C3PAO) requirements as a condition of award is exactly what Phase II would have driven, and Phase II is paused. So do not assume every Level 2 obligation currently demands a C3PAO. Check your specific solicitation, contract, amendment, and prime direction.

When Teams (or any cloud) handles CUI on your behalf, DFARS 252.204-7012 adds concrete obligations. If you use an external cloud service provider to store, process, or transmit covered defense information in performing the contract, you must require and ensure that provider meets security requirements equivalent to the FedRAMP Moderate baselineand complies with the clause’s cyber-incident provisions — including rapidly reporting a cyber incident within 72 hours of discovery and preserving images of affected systems and relevant monitoring or packet-capture data for at least 90 daysfrom submission of the incident report. GCC High carries Microsoft’s DFARS 7012 flow-down commitments; for GCC, obtain and review the specific offering’s terms.

And the division of labor, stated plainly: Microsoft provides platform capabilities and service-level evidence. You own data classification, identity, devices, configuration, process, and proof. A Microsoft attestation covers Microsoft’s part. It does not cover yours — and much of the 110 is yours.


Do you actually need GCC High for Microsoft Teams?

Not every contractor needs GCC High, and “we handle CUI” is not specific enough to decide. GCC High is often the stronger candidate for export-controlled data (ITAR/EAR) or contracts with stronger sovereignty requirements; Commercial (FCI only), standard GCC, or a separate enclave can be defensible in other cases. The deciding factors are your CUI category, your export status, and your contract language — not a consultant’s default.

Signals that genuinely point toward GCC High:

Signals that do not, by themselves, prove you need it:

A short decision path:

  1. Is any of the data export-controlled (ITAR/EAR)? (Yes → GCC High territory.)
  2. Is the CUI Basic or Specified? (Specified may point higher, depending on the category and customer requirements.)
  3. Which Teams surfaces do you actually need? (Fewer surfaces → an enclave gets easier.)
  4. Can you genuinely enforce a separate enclave? (If not, an enclave is a liability, not a control.)
  5. What does the contract say? (This is the tiebreaker, always.)

For a comprehensive look at when GCC High is and isn’t necessary, see our GCC High for CMMC guide and our GCC vs GCC High comparison.


Can you discuss CUI in Microsoft Teams meetings, calls, or screen shares?

A live Teams meeting can process or transmit CUI through speech, video, screen share, or meeting chat — even when no recording is created. So whether a meeting is defensible depends on the tenant boundary, who’s authorized to be there, your endpoints, and your meeting settings — not on whether you hit “record.”

The trap is the word “stored.” People assume that if nothing is saved, nothing is in scope. Not so — CUI spoken aloud to an unauthorized participant, or shown on a shared screen, has been transmitted. That’s a scoping event on its own.

Where meetings go wrong:

Disabling recording does not make an otherwise uncontrolled meeting safe for CUI. It removes one artifact. It does nothing about who’s in the room, what’s on the shared screen, or which device they’re on.

Which Microsoft Teams settings and controls matter for CMMC — and where’s the honest limit?

Teams and Microsoft 365 settings can implement or support parts of a Level 2 program, but a settings checklist is never a 110-requirement pass. Organize your configuration by control objective and evidence value — and keep in mind that policy, personnel, physical security, incident response, and other non-Teams requirements still stand outside any settings screen.

The honest limit: you can configure every toggle below perfectly and still fail an assessment, because CMMC grades whether your controls operate and whether you can proveit — across your whole system, including the parts Teams never touches. Settings are necessary. They’re not sufficient.

The settings that carry real weight, grouped by what they’re for:


What GCC High does not solve

GCC High can give you a stronger Microsoft platform boundary — but it does not classify your data, configure every control, secure every endpoint, authorize every guest, write your SSP, or prove your procedures operate. Microsoft’s own shared-responsibility guidance is blunt about the split: “For all cloud deployment types, you own your data and identities.”

What stays your job after a GCC High migration:

And the tradeoffs people underestimate: collaboration changes— guest interoperability, external federation, and feature parity differ from Commercial, and some features arrive later. Migration is real work— identity, mail, files, channel restructuring, external-user impact, device enrollment, DNS, app compatibility, training, and the risk of running two environments during cutover.

GCC High is genuinely valuable when it answers a real contractual or CUI-boundary need. It’s wasteful when it’s bought as a substitute for scope analysis — and it’s dangerous when leadership assumes the migration finished the compliance program.If, reading this, you realize your data doesn’t justify GCC High, that’s not a loss — that’s money you just kept.


Migrate everything, use a CUI enclave, or keep CUI out of Teams?

An all-in migration simplifies one collaboration boundary but exposes your whole organization to migration cost and feature tradeoffs; a CUI enclave narrows scope; a “no CUI in Teams” model preserves Commercial collaboration — but the two narrower models only work when technical controls and real habits actually stop CUI from leaking. The right model is the one you can enforce, not the one that reads best in a policy document.

Model 1 — Whole-company GCC or GCC High migration. Best when CUI use is broad, many people collaborate on it, CUI meetings are frequent, and you have strong internal IT. The drawback: the widest operational impact, real migration complexity, feature and collaboration changes, and more users and devices inside the protected environment.

Model 2 — Commercial Teams plus a separate CUI enclave.Best when a limited group handles CUI in defined workflows, a full migration is too disruptive, and most staff need to keep familiar tools. The drawback: cross-boundary movement, user confusion, duplicate identities or devices, and the leakage risk from links, previews, and notifications. An enclave you can’t operate cleanly is worse than no enclave.

Model 3 — Keep CUI out of Teams entirely.Best when Teams is used for non-sensitive coordination and CUI lives in a separately approved system. The drawback: it’s hard to enforce under deadline pressure, and filenames, chat context, and screen shares can expose sensitive information even when the CUI file itself never enters Teams. A “do not upload CUI” banner is not a control.

Decision factorWhole-company migrationCUI enclaveNo CUI in Teams
CUI user populationBroadLimitedVery limited or none
Collaboration simplicityHighest inside the protected tenantSplit workflowLowest for CUI work
Migration impactHighestModerateLowest initially
Boundary-leakage riskLower cross-cloud risk, but broader scopeHigh if poorly integratedHigh if it's policy-only
Evidence complexityBroad enterprise evidenceBoundary-heavy evidenceMonitoring/enforcement-heavy
Provider category that usually fitsGCC/GCC High MSP or MSSPCUI-enclave providerRPO plus implementation support

Which CMMC provider category do you need for Microsoft Teams?

The right provider depends on your unresolved problem, not on the word “Teams.”

On the independence rule — it’s stricter than most contractors expect, and it’s in the regulation, not just guidance. Under 32 CFR § 170.8, a C3PAO — and every member of its assessment team — may not conduct a CMMC Level 2 certification assessment for an organization it served as a consultant, advisor, or implementer for within the prior three years. C3PAOs also must meet ISO/IEC 17020 impartiality requirements. The practical version: run two separate searches — one for readiness/implementation, one for assessment — and verify a C3PAO’s authorization on the Cyber AB Marketplace before you sign anything.


Microsoft Teams CMMC compliance checklist

This checklist is a scoping and evidence starting point — not a certification test. A “yes” can’t override your contract, your actual CUI flow, or an assessment objective, and an “unknown” should trigger a documented investigation rather than an assumed pass. Work it top to bottom, and don’t reduce it to a percentage — CMMC isn’t graded that way.

Contract & information

Tenant & service scope

Teams surfaces (from the surface matrix)

Identity, collaboration, endpoints, information protection

Monitoring, incident response, evidence


What we verified and how we built this

This analysis separates three things on purpose: regulatory requirements, Microsoft-stated platform capabilities, and our editorial conclusions. We assembled it from current official CMMC and DFARS sources, NIST publications, and Microsoft’s own documentation — and we used community discussions only to understand searcher language and real-world friction, never as evidence for a regulatory or contractual claim.

Our source hierarchy, in order of authority: the Department’s current CMMC announcements and implementation memoranda; the eCFR and Acquisition.gov for the rule and clauses; NIST’s Computer Security Resource Center for the standards; Microsoft Learn for Microsoft-specific architecture and capability; the Cyber AB for ecosystem process and independence rules.

Limitations, stated plainly:we did not test a live customer tenant or conduct a CMMC assessment; Microsoft features and licensing change; contract interpretation is fact-specific; the February 2026 clause renumbering is not yet codified in formal rulemaking; and the July 2026 suspension may change again after the reform review. When we re-verify, we update the “Last verified” date at the top — and we keep a public corrections and change log.


Frequently asked questions

Is Microsoft Teams CMMC certified?
No. CMMC evaluates your organization's scoped system and implementation; Microsoft does not offer a Teams license that independently establishes your CMMC status. Your configuration, endpoints, and evidence decide the outcome.
Is GCC High automatically CMMC compliant?
No. GCC High can provide relevant platform capabilities, but you remain responsible for your data, identities, endpoints, configuration, operations, and evidence. Microsoft states that "for all cloud deployment types, you own your data and identities."
Do we need GCC High for CMMC Level 2?
Not automatically. It depends on your contract, CUI category, export-control status, which Teams features you use, and whether a separate enclave is a better fit. Microsoft's own guidance is that standard GCC serves many CUI Basic cases.
Can Commercial Teams support CMMC Level 1?
Potentially — when the environment handles FCI (not CUI), your contract requires Level 1, and you implement and evidence all 15 requirements from FAR 52.204-21(b)(1). CMMC Level 1 has 15 requirements, not 17; 32 CFR § 170.14 defines that set.
Can Commercial Teams handle CUI?
Don't treat it as the default answer. Microsoft excludes Office 365 Commercial from its current NIST SP 800-171 audit scope and shows it as not supporting DFARS 7012. Most contractors evaluate GCC, GCC High, or a separate enclave for CUI instead.
Can GCC handle CUI?
GCC may be evaluated for some CUI Basic workloads, but Microsoft states it is not suitable for CUI Specified, including export-controlled data such as ITAR-controlled information. Verify your contract, CUI category, and export status before relying on it.
Is CUI Specified the same as ITAR or EAR?
No — they're separate determinations. Whether information is CUI Basic or CUI Specified is set by its CUI category; whether it's export-controlled (ITAR/EAR) is a separate legal question. Export status can attach to CUI Basic or CUI Specified, and it's the U.S.-person-access restriction that most often drives the GCC High decision.
Can employees discuss CUI in a Teams meeting?
Only within an appropriately scoped, controlled environment, with authorized participants and suitable endpoints. A live meeting can process or transmit CUI even if no recording is made.
Are Teams recordings and transcripts CUI?
They can be, when they capture CUI. Recordings and retained transcripts are stored in OneDrive or SharePoint depending on the meeting, so they need corresponding access, retention, and disposition controls.
Where are Teams chats and files stored?
Teams messaging uses the Teams chat service with compliance copies in Exchange; channel files are stored in SharePoint, and files shared in chats are stored in the sender's OneDrive for Business.
Can guests or subcontractors join an in-scope Teams workspace?
Potentially — but they must be authorized, governed, and included in your identity, endpoint, and data-flow analysis. A known email domain is not authorization, and stale guest accounts are a recurring risk.
Can we put secure-enclave links in Commercial Teams?
Potentially, but the message, filename, preview, notification, or copied content must not expose CUI, and your architecture must prevent Commercial Teams from becoming a processor, repository, or security-protection asset for CUI.
Does disabling meeting recording solve the CUI risk?
No. It removes one persistent artifact but does nothing about live audio, screen sharing, meeting chat, participant authorization, or endpoints.
Did the July 2026 Phase II suspension eliminate CMMC?
No. Phase I self-assessment requirements remain, and DFARS 252.204-7012 continues to apply. The suspension paused the expansion of third-party assessments; it did not remove your obligation to protect CUI.
Does DLP make Teams CMMC compliant?
No. DLP supports specific information-protection objectives, but it doesn't implement the full 110-requirement Level 2 set or your organization's non-technical responsibilities. Note too that DLP for Teams chat and channel messages requires an eligible E5/A5/G5 plan or add-on, while E3 covers file DLP in Exchange, SharePoint, and OneDrive.
Does the 2026 clause renumbering change what I have to do?
No — it's a reorganization. FAR 52.204-21 became FAR 52.240-93, DFARS 252.204-7019 was eliminated, and 252.204-7020 became 252.240-7997, but 7012, 7021, and 7025 are unchanged, and the underlying obligations are the same. If you handle CUI, the self-assessment and SPRS obligations now sit under DFARS 252.204-7021.
Is Direct Routing required for CMMC compliance?
No CMMC rule establishes Direct Routing as a universal compliance requirement. It's a Microsoft telephony architecture used in certain government-cloud calling scenarios — an implementation detail, not a control.
Does a C3PAO configure Microsoft Teams?
No — and it generally can't and then assess the same environment. A C3PAO's role is formal assessment, and the rule bars it from assessing an organization it consulted for or implemented for within the prior three years. If you need scoping, migration, or managed operations, identify a readiness or implementation provider first.
What about CMMC Level 3?
Level 3 requires a prior Final Level 2 (C3PAO) status, is assessed by the government's DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), and adds 24 selected requirements from the February 2021 edition of NIST SP 800-172 — not a later NIST edition, unless the rule is amended. Like the rest of CMMC, its rollout remains paused in Phase 1.
Which CMMC provider type should help with Teams?
Scope uncertainty points to an RPO/RP; configuration and operations to an MSP/MSSP; a separated environment to a CUI-enclave provider; evidence workflow to a GRC platform; and formal assessment to a C3PAO when applicable.

Before you hire, get the environment decision right

If you take one thing from this page, take this: Microsoft Teams CMMC compliance is decided by your contract, your CUI, your configuration, and your evidence — not by a product label. Get the environment decision right first, and the rest of your CMMC spend gets a lot cheaper and a lot less risky.

Disclosure

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Independence & scope

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of War/Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, or compliance advice. Confirm contract applicability, CUI scope, export-control status, and assessment requirements with a qualified CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where appropriate, a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.

Primary sources