If you're part of the Defense Industrial Base (DIB) and working toward CMMC compliance, you've probably heard the same advice repeatedly: "Migrate to Microsoft GCC High." While this FedRAMP-authorized cloud environment is certainly one path to compliance, it's not the only one, and for many organizations it's prohibitively expensive.
The good news? There's a smarter, more affordable alternative that lets you stay on Microsoft Office 365 commercial cloud while still achieving CMMC compliance. But to understand why this matters, we first need to understand how CMMC assessments work.
When it comes to CMMC assessments, not all cloud architectures are created equal. The key difference lies in a critical question: Can your cloud provider decrypt your CUI (Controlled Unclassified Information)?
In a traditional cloud setup—think Box, Dropbox, or standard Microsoft Office 365—your cloud provider controls the encryption keys. This means they can decrypt your data.
Here's the problem: When your provider can access your CUI, both your systems and the cloud provider fall within the CMMC assessment boundary. This means:
This is why many consultants push DIB organizations toward GCC High: it's a FedRAMP-authorized environment that checks these boxes. But it comes at a steep cost, both in migration expenses and ongoing subscription fees.
Now imagine a different architecture: One where you control the encryption keys, and your cloud provider stores only encrypted data they cannot access. This is the "zero-knowledge" model.
In this scenario, something remarkable happens. Only your customer systems need to be assessed. The cloud provider may fall outside the CMMC assessment boundary entirely because:
This is precisely how Virtru works—and it's a game-changer for CMMC compliance.
Virtru wraps each CUI file in a secure container using the Trusted Data Format (TDF), an open standard embraced by the DoD, Intelligence Community, and NATO. This container binds access controls directly to the data itself, then encrypts everything with FIPS 140-2 validated encryption.
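To make the two ideas above concrete (the customer-held key from the zero-knowledge model, and an access policy bound to the encrypted data), here is an added toy model in Python. It is not Virtru's code and not the TDF format; the `seal`/`unseal` functions, the `CommercialCloud` stand-in, the HMAC-based toy cipher and the sample CUI string are all constructed for illustration.

```python
import hashlib, hmac, json, secrets
from typing import Optional

# Illustrative construction only (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC);
# it is not TDF and not FIPS-validated. A deployment would use a vetted AEAD such as
# AES-GCM with the policy supplied as associated data.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _policy_bytes(policy: dict) -> bytes:
    # Canonical encoding so the tag covers exactly what the verifier re-encodes.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()

def seal(key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Customer side: encrypt CUI and bind the access policy to the ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + _policy_bytes(policy) + ct, hashlib.sha256).digest()
    # This dict is all the provider ever stores: no key, no plaintext.
    return {"nonce": nonce.hex(), "policy": policy, "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, container: dict, requester: str) -> Optional[bytes]:
    """Customer side: check integrity of policy+ciphertext, enforce policy, then decrypt."""
    nonce, ct = bytes.fromhex(container["nonce"]), bytes.fromhex(container["ct"])
    expect = hmac.new(key, nonce + _policy_bytes(container["policy"]) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, bytes.fromhex(container["tag"])):
        return None  # policy or ciphertext was altered at rest; refuse before decrypting
    if requester not in container["policy"]["allowed"]:
        return None  # the access control travels with the data, not with the storage tier
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CommercialCloud:
    """Constructed stand-in for a commercial cloud tenant: it holds containers only."""
    def __init__(self) -> None:
        self.blobs: dict = {}
    def put(self, name: str, container: dict) -> None:
        self.blobs[name] = container
    def get(self, name: str) -> dict:
        return self.blobs[name]
    def holds_plaintext(self, name: str, needle: bytes) -> bool:
        # What the provider could learn from its own storage: ciphertext and policy only.
        return needle in bytes.fromhex(self.blobs[name]["ct"])
```

Because the tag covers the policy together with the ciphertext, a stored container whose policy is edited fails verification before any decryption is attempted, which is what "binding access controls to the data" buys you over a separate ACL on the storage tier.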
Here's what happens when you share CUI using Virtru:
When you send a Virtru-protected file as an Outlook attachment, what looks like an attachment is actually a link to the file. The actual file is stored in Virtru's FedRAMP Moderate Authorized environment—not in Microsoft Commercial Cloud. Microsoft never has access to your unencrypted CUI.
Email body text is converted to ciphertext when protected by Virtru. Many organizations adopt a best practice of sharing CUI only as file attachments (not in email body text) to create a clear separation between Microsoft Commercial Cloud and CUI data.
Files shared via Virtru Secure Share are hosted in Virtru's FedRAMP environment with full cryptographic controls. You maintain complete control over who can access the data, for how long, and under what conditions—even after it's been shared.
Virtru supports 27 of the 110 CMMC Level 2 controls, addressing a significant portion of requirements around proper protection and access control for CUI. When combined with your other security measures, Virtru provides:
Microsoft Office 365 Commercial Cloud is not FedRAMP authorized and should never be used to store or share CUI unprotected. However, when CUI is properly contained within cryptographic controls — like Virtru's TDF containers — that data remains adequately protected and inaccessible to Microsoft.
This distinction is crucial. With Virtru, encrypted CUI is stored only in FedRAMP-authorized environments, and with the Virtru Private Keystore, only you hold the keys.
According to the CyberAB's October 2025 Town Hall, there are just 83 accredited C3PAOs to assess a total of 200,000 to 300,000 defense organizations across the DIB. Some assessors may need additional clarification about how Virtru-encrypted CUI is protected when used with Microsoft Commercial Cloud.
If your assessor has questions, Virtru is ready to provide:
For hundreds of DIB organizations, Virtru has proven that CMMC compliance doesn't require abandoning your existing Microsoft 365 commercial cloud environment. By implementing zero-knowledge encryption that keeps your cloud provider out of the assessment boundary, you can achieve compliance at a fraction of the cost of migrating to GCC High.
Ready to explore a more affordable path to CMMC compliance? Contact Virtru to learn how we can help you protect CUI, satisfy CMMC requirements, and stay on your current Microsoft 365 commercial cloud environment.