Microsoft 365 GCCH Cybersecurity Maturity Model Certification Configuration Assessment​ - 5 Week Assessment


Provide IT and Security departments with an indication of readiness for your Microsoft 365 GCCH Tenant as it pertains to Cybersecurity Maturity Model Certification.

CMMC Readiness: Protiviti will leverage the NIST 800-171 framework for your utilized Microsoft 365 GCCH applications and evaluate compliance with cybersecurity requirements to protect sensitive government data in line with the applicable CMMC cybersecurity maturity level, which ranges from Level 1 (basic cybersecurity hygiene) to Level 3 (advanced and proactive cybersecurity practices).​

Analyzing and Assessment of the Microsoft 365 Configurations: A Protiviti Microsoft 365 Architect will provide recommendations for Microsoft 365 GCCH settings to mitigate issues found during the assessment.

Activities to be completed:

Microsoft 365 GCCH CMMC Discovery & Review

Protiviti will:​

  • Facilitate a kickoff call with stakeholders to provide a project overview and discuss the goals and objectives, required permissions, specific policies, and/or solutions that relate to this assessment.​
  • Review the Protiviti Expectations for Tenant Permissions & Access request (see slide for further details).

Microsoft 365 GCCH Configuration & CMMC Readiness Assessment

Protiviti will:​

  • Manually review the client’s tenant and compare the Microsoft 365 GCCH configuration required to the NIST 800-171 controls framework.
  • Provide/Run scripts to collect data on the synchronization and/or Federation of AAD Connect server used to synchronize accounts to the GCCH tenant.

Microsoft 365 GCCH CMMC RCM & Runbook​

Protiviti will:​

  • Create and map a Microsoft 365 GCCH CMMC Risk and Control Matrix (RCM) and review with client.
  • Create a Microsoft 365 GCCH CMMC Assessment Runbook document and review findings with client. As needed, discuss recommendations.​


  • Microsoft 365 GCCH CMMC RCM​
  • Microsoft 365 GCCH CMMC Assessment Runbook

Note: Additional effort for remediation can be added with client approval or included in this project

At a glance