CMMC Compliance Without the GCC High Price Tag: Know Your Options
If you're part of the Defense Industrial Base (DIB) and working toward CMMC compliance, you've probably heard the same advice repeatedly: Migrate to Microsoft GCC High. While this FedRAMP-authorized cloud environment is certainly one path to compliance, it's not the only one—and for many organizations, it's prohibitively expensive.
The good news? There's a smarter, more affordable alternative that lets you stay on Microsoft Office 365 commercial cloud while still achieving CMMC compliance. But to understand why this matters, we first need to understand how CMMC assessments work.
The Tale of Two Scenarios: What Gets Assessed?
When it comes to CMMC assessments, not all cloud architectures are created equal. The key difference lies in a critical question: Can your cloud provider decrypt your CUI (Controlled Unclassified Information)?
Scenario A: Traditional Cloud (Provider CAN Decrypt)
In a traditional cloud setup—think Box, Dropbox, or standard Microsoft Office 365—your cloud provider controls the encryption keys. This means they can decrypt your data.
Here's the problem: When your provider can access your CUI, both your systems and the cloud provider fall within the CMMC assessment boundary. This means:
- Your customer systems must meet all 110 CMMC Level 2 requirements.
- Your cloud provider must also meet all 110 requirements.
- The provider must either be FedRAMP authorized or undergo its own CMMC assessment.
- You're essentially responsible for ensuring your vendor's compliance.
This is why many consultants push DIB organizations toward GCC High—it's a FedRAMP authorized environment that checks these boxes. But it comes at a steep cost, both in migration expenses and ongoing subscription fees.
Scenario B: Zero-Knowledge Encryption (Provider CANNOT Decrypt)
Now imagine a different architecture: One where you control the encryption keys, and your cloud provider stores only encrypted data they cannot access. This is the "zero-knowledge" model.
In this scenario, something remarkable happens. Only your customer systems need to be assessed. The cloud provider may fall outside the CMMC assessment boundary entirely because:
- Encryption happens on your devices before data ever touches the cloud
- You control the encryption keys, not the provider
- The solution uses FIPS 140-2 validated encryption
- The provider stores only encrypted blobs they cannot decrypt
- Keys remain separated from the encrypted data
This is precisely how Virtru works—and it's a game-changer for CMMC compliance.
How Virtru Enables CMMC Compliance on Microsoft 365 Commercial Cloud
Virtru wraps each CUI file in a secure container using the Trusted Data Format (TDF), an open standard embraced by the DoD, Intelligence Community, and NATO. This container binds access controls directly to the data itself, then encrypts everything with FIPS 140-2 validated encryption.
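As an added illustration of the zero-knowledge model and of binding access controls to the data itself, the following Go program is a deliberate simplification and not Virtru's TDF implementation: it encrypts a CUI sample on the customer side, binds a recipient policy to the ciphertext as AES-GCM authenticated data, and returns a blob that a storage provider holding no key cannot read. The names Wrap, Unwrap, Policy and Blob, the 32-byte key and the JSON manifest are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Policy is the access control that travels with the data; it is bound to the
// ciphertext as AES-GCM additional data, so editing it breaks the auth tag.
type Policy struct{ Recipients []string `json:"recipients"` }
// Blob is everything the provider stores in this illustrative model: no key.
type Blob struct{ Nonce, Ciphertext, Manifest []byte }

// Wrap runs on the customer's device: fresh 256-bit key, encrypt, bind policy.
// The key goes to the customer keystore and never travels with the Blob.
func Wrap(cui []byte, p Policy) (Blob, []byte) {
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand; a failure here is fatal in practice
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	manifest, _ := json.Marshal(p)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return Blob{nonce, gcm.Seal(nil, nonce, cui, manifest), manifest}, key
}

// Unwrap is the recipient's step with a key from the customer keystore: check
// the policy, then decrypt. A wrong key or tampered manifest fails the tag check.
func Unwrap(b Blob, key []byte, user string) ([]byte, error) {
	var p Policy
	if err := json.Unmarshal(b.Manifest, &p); err != nil {
		return nil, err
	}
	allowed := false
	for _, r := range p.Recipients {
		allowed = allowed || r == user
	}
	if !allowed {
		return nil, errors.New("user not in policy")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, b.Nonce, b.Ciphertext, b.Manifest)
}
```

The provider's position is that of a caller holding the Blob but not the key: every Unwrap attempt fails, and so does any attempt to widen the recipient list after the fact, because the manifest is authenticated together with the ciphertext.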
Here's what happens when you share CUI using Virtru:
For Email Attachments
When you send a Virtru-protected file as an Outlook attachment, what appears as an attachment is in fact a link to the file. The file itself is stored in Virtru's FedRAMP Moderate Authorized environment, not in Microsoft Commercial Cloud, so Microsoft never has access to your unencrypted CUI.
For Email Content
Email body text is converted to ciphertext when protected by Virtru. Many organizations adopt a best practice of sharing CUI only as file attachments (not in email body text) to create a clear separation between Microsoft Commercial Cloud and CUI data.
For File Sharing
Files shared via Virtru Secure Share are hosted in Virtru's FedRAMP environment with full cryptographic controls. You maintain complete control over who can access the data, for how long, and under what conditions—even after it's been shared.
Here's what one Virtru customer, Maya HTT, had to say about using Virtru to pass their CMMC Level 2 assessment.
The Bottom Line: Compliance Without Breaking the Bank
Virtru supports 27 of the 110 CMMC Level 2 controls, addressing a significant portion of requirements around proper protection and access control for CUI. When combined with your other security measures, Virtru provides:
- DFARS 7012 compliance for secure file sharing
- FedRAMP Moderate Authorized storage environment
- Zero-knowledge architecture that keeps providers out of scope
- FIPS 140-2 validated encryption
- Seamless integration with your existing Microsoft 365 commercial cloud
- No costly migration to GCC High required
Staying on Commercial Cloud: What You Need to Know
Microsoft Office 365 Commercial Cloud is not FedRAMP authorized and should never be used to store or share CUI unprotected. However, when CUI is properly contained within cryptographic controls — like Virtru's TDF containers — that data remains adequately protected and inaccessible to Microsoft.
This distinction is crucial. With Virtru, encrypted CUI is stored only in FedRAMP-authorized environments, and with the Virtru Private Keystore, only you hold the keys.
Preparing for Your C3PAO Assessment
According to the CyberAB's October 2025 Town Hall, there are just 83 accredited C3PAOs to assess a total of 200,000 to 300,000 defense organizations across the DIB. Some assessors may need additional clarification about how Virtru-encrypted CUI is protected when used with Microsoft Commercial Cloud.
If your assessor has questions, Virtru is ready to provide:
- Additional technical resources
- Precedent from other successful assessments
- Supplementary DFARS and DoD guidance
- Direct engagement with your Customer Success Manager
The Path Forward
For hundreds of DIB organizations, Virtru has proven that CMMC compliance doesn't require abandoning your existing Microsoft 365 commercial cloud environment. By implementing zero-knowledge encryption that keeps your cloud provider out of the assessment boundary, you can achieve compliance at a fraction of the cost of migrating to GCC High.
Ready to explore a more affordable path to CMMC compliance? Contact Virtru to learn how we can help you protect CUI, satisfy CMMC requirements, and stay on your current Microsoft 365 commercial cloud environment.
Matt Howard
A proven executive and entrepreneur with over 25 years' experience developing high-growth software companies, Matt serves as Virtru's CMO and leads all aspects of the company's go-to-market motion within the data protection and Zero Trust security ecosystems.