Inherited
1 control on M365 GCC High
Cloud handles it completely. You confirm the configuration and move on.
Shared Responsibility Matrix
Shared responsibility, by platform.
All 110 NIST 800-171 requirements mapped across four authorized cloud platforms. Pick yours.
Start with your platform.
Each card shows the responsibility split. Click to filter the matrix below.
Inherited
Shared
Customer
N/A
Three kinds of responsibility.
What each status actually means when the assessor asks.
Shared
78 controls on M365 GCC High
Cloud provides the capability. You configure it, evidence it, own the policy.
Customer
28 controls on M365 GCC High
You build and operate it. Cloud doesn't help. This is where your budget goes.
3 requirements are N/A on M365 GCC High — legacy platform functions superseded by cloud-native equivalents.
Shared responsibility matrix, by family.
All 110 NIST 800-171 requirements. Filter by status or search. Click a family to expand.
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.1.1 | Shared | Limit system access to authorized users. | Entra ID + Conditional Access enforce identity and device trust. | Define access policies. Document in SSP §3.1.1. Evidence CA rules. |
| 3.1.2 | Shared | Limit access to transaction types users can execute. | RBAC + PIM enforce role and just-in-time access. | Assign roles. Document role definitions. Evidence PIM approvals. |
| 3.1.3 | Customer | Control the flow of CUI in accordance with authorizations. | Purview DLP available but policies are yours to build. | Author DLP rules per CUI category. Document flow controls. Test quarterly. |
| 3.1.4 | Shared | Separate duties of individuals to reduce risk of collusion. | Custom roles + Access Reviews support separation. | Design role matrix. Review quarterly. Document in SSP §3.1.4. |
| 3.1.5 | Shared | Employ the principle of least privilege. | PIM + Access Reviews restrict standing access. | Define privileged role definitions. Enforce access review cadence. |
| 3.1.6 | Shared | Use non-privileged accounts when accessing non-security functions. | Separate admin and user accounts supported natively. | Enforce admin account separation. Evidence via directory review. |
| 3.1.7 | Inherited | Prevent non-privileged users from executing privileged functions. | Platform enforces at the identity layer — GCC High handles fully. | Confirm configuration. Evidence via role audit report. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.2.1 | Customer | Ensure managers, administrators, and users are aware of security risks and the applicable policies, standards, and procedures. | — | M365 provides Attack Simulation Training and Viva Learning as optional delivery platforms, but the training programme — content, assignment, tracking, completion records, CUI-specific and insider threat modules — is entirely customer responsibility per Secureframe CMMC Shared Responsibility Model guidance. |
| 3.2.2 | Customer | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | — | M365 provides Attack Simulation Training and Viva Learning as optional delivery platforms, but the training programme — content, assignment, tracking, completion records, CUI-specific and insider threat modules — is entirely customer responsibility per Secureframe CMMC Shared Responsibility Model guidance. |
| 3.2.3 | Customer | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | — | M365 provides Attack Simulation Training and Viva Learning as optional delivery platforms, but the training programme — content, assignment, tracking, completion records, CUI-specific and insider threat modules — is entirely customer responsibility per Secureframe CMMC Shared Responsibility Model guidance. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.3.1 | Shared | Create and retain system audit logs and records needed to monitor, analyse, investigate, and report unlawful or unauthorized system activity. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.3.2 | Shared | Ensure the actions of individual system users can be uniquely traced so they can be held accountable for their actions. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.3.3 | Shared | Review and update logged events. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.3.4 | Shared | Alert in the event of an audit logging process failure. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.3.5 | Shared | Correlate audit record review, analysis, and reporting processes for investigation and response to unlawful, unauthorized, suspicious, or unusual activity. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.3.6 | Shared | Provide audit record reduction and report generation to support on-demand analysis and reporting. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.3.7 | Shared | Synchronize internal system clocks with an authoritative source to generate time stamps for audit records. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.3.8 | Shared | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.3.9 | Shared | Limit management of audit logging functionality to a subset of privileged users. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.4.1 | Shared | Establish and maintain baseline configurations and inventories of organizational systems (hardware, software, firmware, documentation) throughout the system development life cycle. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.2 | Shared | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.3 | Shared | Track, review, approve or disapprove, and log changes to organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.4 | Shared | Analyze the security impact of changes prior to implementation. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.5 | Shared | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.6 | Shared | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.4.7 | Shared | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.8 | Shared | Apply deny-by-exception (blacklisting) to block unauthorized software, or deny-all permit-by-exception (whitelisting) to allow only authorized software. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.4.9 | Shared | Control and monitor user-installed software. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.5.1 | Shared | Identify system users, processes acting on behalf of users, and devices. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.2 | Shared | Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.3 | Shared | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.4 | Shared | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.5.5 | Shared | Prevent reuse of identifiers for a defined period. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.5.6 | Shared | Disable identifiers after a defined period of inactivity. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.5.7 | Shared | Enforce a minimum password complexity and change of characters when new passwords are created. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.8 | Shared | Prohibit password reuse for a specified number of generations. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.9 | Shared | Allow temporary password use for system logons with an immediate change to a permanent password. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.10 | Shared | Store and transmit only cryptographically-protected passwords. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.5.11 | Shared | Obscure feedback of authentication information. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.6.1 | Shared | Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.6.2 | Customer | Track, document, and report incidents to designated officials and authorities both internal and external to the organization. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.6.3 | Shared | Test the organizational incident response capability. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.7.1 | Customer | Perform maintenance on organizational systems. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.7.2 | Customer | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.7.3 | N/A | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | — | N/A only if: (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (standard GCC High deployment without VDI), these controls apply and are customer responsibility — sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel. |
| 3.7.4 | N/A | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | — | N/A only if: (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (standard GCC High deployment without VDI), these controls apply and are customer responsibility — sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel. |
| 3.7.5 | Customer | Require multifactor authentication for nonlocal maintenance sessions and terminate such connections when maintenance is complete. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.7.6 | N/A | Supervise the maintenance activities of maintenance personnel without required access authorization. | — | N/A only if: (1) all CUI infrastructure is cloud-hosted with no on-premises servers, (2) endpoints access CUI exclusively via VDI with no local CUI processing or storage, and (3) no CUI assets ever leave the premises for maintenance. If endpoints process CUI locally (standard GCC High deployment without VDI), these controls apply and are customer responsibility — sanitise devices before repair, check maintenance media for malicious code, supervise uncleared maintenance personnel. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.8.1 | Shared | Protect (physically control and securely store) system media containing CUI, both paper and digital. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.8.2 | Shared | Limit access to CUI on system media to authorized users. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.8.3 | Customer | Sanitize or destroy system media containing CUI before disposal or release for reuse. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.8.4 | Customer | Mark media with necessary CUI markings and distribution limitations. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.8.5 | Customer | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.8.6 | Shared | Implement cryptographic mechanisms to protect the confidentiality of CUI on digital media during transport, unless otherwise protected by alternative physical safeguards. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.8.7 | Customer | Control the use of removable media on system components. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.8.8 | Customer | Prohibit the use of portable storage devices when such devices have no identifiable owner. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.8.9 | Shared | Protect the confidentiality of backup CUI at storage locations. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.9.1 | Customer | Screen individuals prior to authorizing access to organizational systems containing CUI. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.9.2 | Customer | Ensure organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.10.1 | Customer | Limit physical access to organizational systems, equipment, and operating environments to authorized individuals. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.10.2 | Customer | Protect and monitor the physical facility and support infrastructure for organizational systems. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.10.3 | Customer | Escort visitors and monitor visitor activity. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.10.4 | Customer | Maintain audit logs of physical access. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.10.5 | Customer | Control and manage physical access devices. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.10.6 | Customer | Enforce safeguarding measures for CUI at alternate work sites. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.11.1 | Shared | Periodically assess risk to organizational operations, assets, and individuals arising from the operation of systems that process, store, or transmit CUI. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.11.2 | Shared | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting them are identified. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.11.3 | Shared | Remediate vulnerabilities in accordance with risk assessments. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.12.1 | Customer | Periodically assess the security controls in organizational systems to determine whether the controls are effective in their application. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.12.2 | Customer | Develop and implement plans of action to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.12.3 | Customer | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.12.4 | Customer | Develop, document, and periodically update system security plans covering system boundaries, environments, how security requirements are implemented, and connections to other systems. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.13.1 | Shared | Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.13.2 | Shared | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.3 | Shared | Separate user functionality from system management functionality. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.13.4 | Inherited | Prevent unauthorized and unintended information transfer via shared system resources. | M365 SaaS tenant isolation and object-reuse controls are handled entirely by Microsoft's FedRAMP High authorization; | Customer has no tenant-level configuration. |
| 3.13.5 | Shared | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.6 | Shared | Deny network communications traffic by default and allow network communications traffic by exception (deny all, permit by exception). | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.7 | Shared | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via other connections to external networks (split tunneling). | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.8 | Shared | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.13.9 | Shared | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.13.10 | Shared | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.11 | Shared | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.12 | Shared | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | Teams/Intune policies control collaborative-computing device behaviour (webcam/mic activation, meeting recording). | Customer configures the policies. |
| 3.13.13 | Shared | Control and monitor the use of mobile code. | Defender for Office 365 and Defender for Endpoint filter mobile code (ActiveX, macros, scripts). | Customer configures policies. |
| 3.13.14 | Shared | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Microsoft Teams is VoIP; admin controls log/restrict call routing, recording, guest access. | Customer configures policies. |
| 3.13.15 | Shared | Protect the authenticity of communications sessions. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.13.16 | Shared | Protect the confidentiality of CUI at rest. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| ID | Status | Requirement | What M365 GCC High provides | What you do |
|---|---|---|---|---|
| 3.14.1 | Shared | Identify, report, and correct system flaws in a timely manner. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.14.2 | Shared | Provide protection from malicious code at designated locations within organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.14.3 | Customer | Monitor system security alerts and advisories and take action in response. | — | Interview-based control: customer policy/procedure/governance. Cloud platform has no role. |
| 3.14.4 | Shared | Update malicious code protection mechanisms when new releases are available. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.14.5 | Shared | Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | Cloud platform provides the technical capability; | Customer configures the policy/setting and monitors enforcement. Resolution inferred from platform FedRAMP authorization and documented Phase 2 shared-responsibility model. |
| 3.14.6 | Shared | Monitor organizational systems — including inbound and outbound communications traffic — to detect attacks and indicators of potential attacks. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
| 3.14.7 | Shared | Identify unauthorized use of organizational systems. | Collection script covers the technical check for this platform. CSP provides the capability; | Customer configures and evidences policy/review. |
Download the shared responsibility matrix.
The full matrix as a spreadsheet. One tab per platform, all 110 requirements, with responsibility language you can lift into your SSP.
Download the matrix (XLSX)
Don't know your scope yet? Scoping guide →
Want us to apply this? Talk to us →