Getting CMMC Level 2 Compliant With ITAR in Your Environment

Written by Alec Toloczko

As CMMC becomes more and more of a reality for DoD contracts, many organizations are struggling to quickly become complaint. This article will provide an overview of the steps that companies handling ITAR or EAR data will need to take in order to achieve CMMC level 2 compliance via the Microsoft tech stack.


If you have an on-premise or commercial environment today and are handling ITAR or EAR data, you will need to be in a Microsoft GCC-H environment. There are two ways you can achieve this. 

The first is to set up a “greenfield” environment where users would essentially start from scratch. That means no prior email history or historical records.

The 2nd option is to migrate your data from on-prem or commercial to GCC-H. This is the more expensive option of the two. However, the users would retain all their previous data they had on-prem or in their commercial tenant.


Once you have decided on GCC-H, the next step would be to find the correct licensing that, once fully configured, can comply with CMMC level 2. There are two options here as well.

The first is to get all users an M365 E5 license. This would satisfy all the technical controls of CMMC 2.0 and include features such as Defender for Office Plan 2, Entra ID Plan 2, Intune Plan 1, Defender for Endpoint Plan 2, DLP, and more.

The second option, and the one that KTL recommends to 95% of GCC-H clients, is M365 E3 with M365 E5 Security Add-on. Similar to the E5 license, this model will satisfy the technical controls of CMMC 2.0 while not costing as much as the full E5 license. 

So, what do you miss out on when you go with E3 & E5 Security? Power BI & Teams phone are the only notable differences. You would not miss out on any of the compliance requirements or technical controls.

System Security Plan (SSP)

A System Security Plan has been a NIST 800-171 requirement since 2016. It is also a requirement for DFARS clause 7012, DFARS 7019, and CMMC. So what is an SSP. An SSP is a detailed description/overview of an organization’s cybersecurity plan. The SSP provides a clear picture of the security requirements and how an organization implements, reviews, and protects these controls. To be in compliance, an SSP will need to be regularly reviewed by a cybersecurity team to ensure all policies & producers are up to date and all technical controls are being satisfied.

Did you know that KTL offers a no-cost CMMC consultation? Click here to learn more.

Share this post

Related Posts

Checking Your CMMC Progress

Written by Alec Toloczko With Cybersecurity Maturity Model Certification (CMMC) requirements on the horizon, it’s crucial for organizations handling Controlled Unclassified Information (CUI) to adhere

Read More »