Virtru + Microsoft Commercial Cloud for CMMC Level 2

The Problem? Microsoft GCC High Comes with a High Price Tag.

For many DIB organizations working toward CMMC compliance, the cost of migrating to Microsoft's premium GCC High SKU is simply prohibitive. Smaller companies, in particular, need cost-effective alternatives that enable CMMC compliance within the Microsoft ecosystem without breaking the bank.

This is precisely why hundreds of organizations in the DIB trust Virtru to support their CMMC compliance efforts — most of whom operate on Microsoft commercial cloud platforms — proving that there are viable, affordable alternatives to the expensive GCC High route.

CMMC Controls that Virtru Supports

Virtru supports 27 of the 110 CMMC Level 2 controls, as outlined in our Shared Responsibility Matrix. While Virtru will be just one component of your overall CMMC strategy, it can address a significant portion of requirements that demonstrate proper protection and access control for controlled unclassified information (CUI). 

A FedRAMP Authorized, DFARS-Compliant, Secure Container for CUI Files

Virtru wraps each data object (e.g., a file containing CUI) in a secure container. That container is the Trusted Data Format (TDF), an open standard embraced by the DoD, IC, and NATO that binds policy and access controls to the data itself. That container is then wrapped in a layer of FIPS 140-2 validated encryption. 

Virtru-protected files shared as Outlook email attachments or via Virtru Secure Share are stored in Virtru’s FedRAMP Moderate Authorized environment. Virtru’s cryptographic controls and secure storage location, in conjunction with our practices around incident reporting, make Virtru-protected file sharing compliant with DFARS 7012 requirements – and give companies in the DIB an affordable and seamless alternative to upgrading their Office 365 subscription and migrating to Microsoft’s FedRAMP authorized GCC High cloud service.

Encrypted CUI in a Non-FedRAMP Environment 

Many Virtru customers use our technology in FedRAMP Authorized environments like Google Workspace and Microsoft Government Cloud. Customers also use our Secure Share product for secure file sharing, where files are stored outside of the Microsoft and Google Cloud ecosystems altogether.

However, Microsoft Commercial Cloud is not FedRAMP Authorized. On its own, Microsoft Commercial Cloud is not considered CMMC compliant and should not be used to store or share CUI unprotected. However, if that CUI is contained securely, wrapped in cryptographic controls in accordance with DFARS requirements, that data is adequately protected to satisfy CMMC requirements. It remains inaccessible to any third party, including Microsoft. 

Here are the details:

• Files shared via Virtru are links, not true email attachments. Files (email attachments) are shared as a link, not as ciphertext or a true email attachment. What may appear as a file is actually a link to the file hosted by Virtru in a FedRAMP moderate environment. It is not stored in Microsoft Commercial Cloud.
• For an added layer of separation from Microsoft Commercial Cloud, share CUI in a file, not the email body. Email content (text) is converted to ciphertext when the message is protected by Virtru. Users may choose to add an unencrypted message at the top of the email. In preparation for CMMC level 2 assessments, and to align email workflows with optimal CUI controls, some organizations require that users handling and sharing CUI do so ONLY in the form of a file attachment, rather than including CUI as text in the body of an email. This ensures a layer of separation between Microsoft Commercial Cloud and CUI. 

Undergoing CMMC Assessments by C3PAOs

Because CMMC is a new regulation for DoD contractors, and because C3PAOs are just beginning their assessment journeys, there are still many nuances of the CMMC framework that are open to interpretation by auditors and that have not yet been clarified by the DoD Cyber AB. 

According to the CyberAB's October 2025 Town Hall, there are just 83 accredited C3PAOs to assess a total of 200,000 to 300,000 defense organizations across the DIB. Some of these assessors may not be security professionals, but, rather, compliance professionals focused on “checking the box.” In some cases, auditors may need additional guidance and clarification for exactly how Virtru-encrypted CUI is protected when used with Microsoft Commercial Cloud

Should an assessor raise a question about the use of Virtru in Microsoft Commercial Cloud, Virtru is happy to provide additional resources upon request. Please contact your Customer Success Manager for more information.

FAQ: Frequently Asked Questions About Microsoft Commercial Cloud for CMMC 

Can you meet CMMC compliance with Microsoft Commercial Cloud? 

Yes, with additional data security and access controls. On its own, Microsoft Commercial Cloud is not FedRAMP authorized or DFARS compliant, but organizations can securely manage the flow of CUI so it is not exposed to Microsoft Commercial Cloud unprotected. There are two ways Virtru can help you accomplish this:

1. Use end-to-end encryption to safeguard CUI content. As mentioned above, end-to-end encryption obscures CUI content so it’s only accessible by the intended recipient, and not by any third party — including Microsoft. See below for additional DFARS documentation on encrypted CUI.  
2. Create a layer of separation between Microsoft and CUI. You can also choose to handle CUI via secure workflows that work functionally alongside Microsoft Commercial Cloud, but not technically within it.

For example, instead of sharing CUI in the body of an encrypted Outlook email, you can share CUI as a Virtru-protected file attachment in Outlook, or via the Virtru Secure Share file-sharing workflow. These Virtru solutions store encrypted CUI files in a FedRAMP-authorized environment, separate from Microsoft Commercial Cloud. 

What does DFARS say about encrypted CUI? 

The DFARS Cybersecurity FAQ (from the DoD Procurement Toolbox) references encryption as a mechanism to safeguard CUI shared externally. On page 55, it states: 

Accordingly, FIPS-validated cryptography is required to protect CUI, typically when transmitted or stored outside the protected environment of the covered contractor information system…

This indicates that encryption is sufficient protection for CUI that travels outside of the system boundary. The Virtru Data Security Platform also provides all of the auditing capabilities necessary to perform incident response and reporting. 

The CUI quick start guide from the Defense Counterintelligence Security Agency also says:

CUI can also be transmitted by e-mail when practical, via approved encrypted communications systems…

Is encrypted CUI sufficient for CMMC? 

CMMC documentation suggests that encryption is sufficient protection of CUI in non-FedRAMP environments. CMMC Control AC.L2-3.1.3 – CONTROL CUI FLOW addresses requirements for defining authorized and approved methods for controlling the flow of CUI within and between systems. It gives an example (Example 2, pg. 21) of implementing this control:

You create a policy document that specifies who is allowed to transmit CUI and that such transmission requires manager approval [a,c,d]. The policy instructs users to encrypt any CUI transmitted via email…

It's also worth noting that these references to encryption are likely based on S/MIME, which does not enforce granular access policy like Virtru. Virtru is encrypting the payload and restricting access to the key based on access policy — further ensuring that CUI is only accessed by the right entities.

Is there precedent for how to handle encrypted CUI?

ITAR (International Traffic in Arms Regulation) and EAR (Export Administration Regulation) designate an encryption carve-out rule for end-to-end encrypted data as being considered an export. ITAR controlled data is a subset of CUI. For more information on how Virtru supports ITAR and EAR, see the Virtru Trust Center.  

What does DFARS 7012 mean for CMMC? 

DFARS 7012 addresses Covered Defense Information safeguards and requirements for incident reporting as part of defense acquisition policy. CMMC is the verification mechanism for ensuring that contractors adhere to the applicable requirements laid out by DFARS.  

Does Virtru comply with DFARS 7012?

Yes. Virtru is compliant with all applicable clauses laid out in DFARS, including the following:

 (b) Use of Cloud Services must be FedRAMP Moderate authorized or equivalent

(c)(1) Have an incident handling and reporting process for covered defense information.

(c)(2) Report incidents to https://dibnet.dod.mil.

(c)(3) Have a Medium Assurance certificate to access dibnet

(d)  Submit malicious software related to an incident to the DoD Crime Center

(e) Preserve and protect images of affected systems for minimally 90 days

(f) Provide the DoD access to additional information for forensic analysis

(g) Conduct damage assessment in coordination with DoD

For more information on Virtru’s technology and security standards, visit the Virtru Trust Center. 

Is Virtru FedRAMP authorized? 

Yes. Virtru is FedRAMP authorized at the moderate level, and it is FIPS 140-2 validated. It’s important to note that, with CMMC, FedRAMP authorization is far more effective at reducing risk and breach responsibility than FedRAMP equivalency, which is touted by many CMMC vendors but ultimately shifts responsibility to the software customer, rather than the software vendor. 

Is Microsoft Commercial Cloud DFARS compliant? 

No. Microsoft Commercial Cloud on its own is not DFARS compliant. Its government SKUs, GCC and GCC High, are. To use Microsoft Commercial Cloud in a DFARS compliant way, you need additional protection — such as end-to-end encryption or a separate file storage environment — to safeguard CUI in compliance with DFARS and CMMC.