Microsoft Copilot CMMC Level 2 Mapping: What Is Inherited and What Is Not

Organizations seeking Cybersecurity Maturity Model Certification (CMMC) Level 2 need to understand how Microsoft Copilot fits into their compliance boundary. Copilot runs on top of Microsoft 365 services that carry a FedRAMP High authorization, which provides a baseline of inherited controls. However, not every CMMC Level 2 practice is covered by those inherited controls. This article explains which security controls Copilot inherits from the underlying Microsoft 365 platform and which remain the responsibility of the customer.

Key Takeaways: Copilot CMMC Level 2 Compliance Mapping

  • FedRAMP High authorization for Microsoft 365: Provides inherited controls for physical and infrastructure access, audit log collection, and encryption at rest and in transit.
  • Customer Responsibility Matrix (CRM) in the Service Trust Portal: Lists which CMMC Level 2 practices are inherited, shared, or customer-managed for Microsoft 365 services, including Copilot.
  • Copilot-specific data handling settings: Sensitivity labels, DLP policies for Copilot, the scope of Copilot licensing, and restriction of web grounding and plugins are customer-configured controls that are not inherited.


How CMMC Level 2 Controls Map to Copilot

CMMC Level 2 requires organizations to implement 110 security practices aligned with NIST SP 800-171. Microsoft Copilot operates as an AI service that connects to Microsoft Graph, Microsoft 365 apps, and Azure OpenAI. The security of Copilot depends on the underlying Microsoft 365 infrastructure and the customer’s configuration of Copilot itself.

Microsoft publishes a Customer Responsibility Matrix (CRM) in the Service Trust Portal. This matrix shows which controls are inherited from Microsoft's FedRAMP High authorization and which the customer must implement. For Copilot, the inheritance pattern follows the same structure as other Microsoft 365 services. Note that the control identifiers used below (AC-3, AU-6, and so on) are NIST SP 800-53 control IDs as used in Microsoft's FedRAMP documentation; CMMC Level 2 practices are numbered as NIST SP 800-171 requirements (3.1.1, 3.3.1, and so on), so your System Security Plan should cite the corresponding 800-171 requirement for each control you map.

Inherited Controls

The following control families are inherited, in whole or in part, from Microsoft 365's FedRAMP High baseline. "Inherited" here means Microsoft operates the control for the platform; it does not relieve the customer of the tenant-level configuration noted in each item:

  • Access Control (AC): Microsoft's own account management, least privilege, and remote access controls for the infrastructure hosting Copilot are inherited. The customer's user accounts, group memberships, and Copilot license assignments are not.
  • Audit and Accountability (AU): The audit logging capability is inherited. Copilot interactions are recorded in the Microsoft 365 unified audit log (Microsoft Purview) under the CopilotInteraction record type, alongside the platform-level logging Microsoft keeps for its own operations. Enabling auditing, setting retention, and reviewing the records remain customer tasks.
  • Configuration Management (CM): Baseline configuration and change management for the Copilot service are inherited. Microsoft applies security updates and configuration baselines to the service; tenant settings are the customer's.
  • Identification and Authentication (IA): The identity platform and its authentication mechanisms are inherited through Microsoft Entra ID. Multifactor authentication (MFA) is available but must be enforced by the customer (for example, through Conditional Access), and the customer owns its user identities.
  • Media Protection (MP): Media sanitization and disposal are inherited. Microsoft follows NIST SP 800-88 guidelines for data destruction.
  • Physical and Environmental Protection (PE): Physical security of data centers is inherited. Microsoft controls access to facilities hosting Copilot.
  • System and Communications Protection (SC): Encryption at rest and in transit is inherited. Copilot data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher.
  • System and Information Integrity (SI): Flaw remediation and malicious code protection for the service are inherited. Microsoft scans for vulnerabilities and applies patches.

Customer-Managed Controls

The following controls are not inherited and require customer action:

  • Access Control (AC-3): Enforcement of who may use Copilot and who may change its settings. Customers must scope Copilot licenses to approved users (group-based licensing in Microsoft Entra ID is the simplest way), limit the administrative roles that can change Copilot settings, and clean up oversharing in SharePoint and OneDrive, because Copilot returns any content the signed-in user already has permission to read.
  • Audit and Accountability (AU-6): Audit review, analysis, and reporting. Customers must configure audit log retention in the Microsoft Purview portal (formerly the Microsoft 365 compliance center) and review the CopilotInteraction records on a defined schedule.
  • Configuration Management (CM-7): Least functionality for Copilot. Customers must disable Copilot features that are not required, such as web grounding (web search) and third-party plugins or agents.
  • Incident Response (IR): Incident handling for Copilot-related security events, such as Copilot surfacing CUI from an overshared document to a user with no need to know. Customers must define incident response procedures that cover these cases and test them.
  • Risk Assessment (RA): Risk assessment for Copilot data processing. Customers must evaluate the sensitivity of the data Copilot can reach and apply data classification labels.
  • System and Services Acquisition (SA): Acquisition of Copilot as a service. Customers must review Microsoft's Data Protection Addendum (DPA) and Product Terms and ensure contractual compliance.
  • System and Communications Protection (SC-12): Cryptographic key management for customer-managed encryption keys if using Customer Key. Customers must manage those keys in Azure Key Vault.
  • System and Information Integrity (SI-12): Handling of information output from Copilot. Customers must implement data loss prevention (DLP) policies for Copilot so that labeled sensitive content is not used in or disclosed through Copilot responses.

Steps to Map Copilot Controls for CMMC Level 2

Follow these steps to map Copilot controls to your CMMC Level 2 scope.

  1. Access the Service Trust Portal
    Go to servicetrust.microsoft.com and sign in with a Microsoft cloud services account. Any account in your tenant can read the documents; do not use a Global Administrator account for routine browsing. Locate the Customer Responsibility Matrix documents (the portal's search works if the menu layout has changed).
  2. Download the CRM for Microsoft 365
    Select the Microsoft 365 CRM for CMMC Level 2. The file is a spreadsheet covering the 110 practices. Each row shows whether a control is inherited, shared, or customer-managed. Record the document's version and date; the assessor will want the exact CRM edition cited in your SSP.
  3. Identify Copilot-Specific Rows
    If the spreadsheet has a service or workload column, filter it to Copilot; otherwise treat Copilot as covered by the Microsoft 365 rows and say so in your SSP. Review the control IDs and their inheritance status, and note which controls are marked "Customer" or "Shared."
  4. Configure Customer-Managed Controls
    For each control marked customer-managed or shared, implement the required measures. For example, for AC-3, create a Microsoft Entra ID group of approved Copilot users, assign the Copilot license to that group with group-based licensing, and remove any direct (per-user) Copilot license assignments so that group membership is the single place access is granted.
  5. Enable Audit Logging for Copilot
    In the Microsoft Purview portal, confirm that unified audit logging is on (it is on by default in new tenants) and check the audit retention policies under Audit. Copilot interactions are logged automatically under the CopilotInteraction record type once auditing is on. CMMC Level 2 (NIST SP 800-171 3.3.1) requires that audit records be retained long enough to support monitoring, analysis, and investigation, but it does not prescribe a number of days: pick a period your SSP justifies, and note that retention beyond the Audit (Standard) default of 180 days requires Audit (Premium) licensing or a retention add-on.
  6. Apply Data Classification Labels
    Use Microsoft Purview Information Protection to apply sensitivity labels to data Copilot can access. Copilot honors label-based encryption: if the signed-in user lacks the EXTRACT usage right for a labeled item, Copilot will not use its content in a response, and content Copilot creates from labeled sources carries the most restrictive of their labels. A label that applies no encryption does not by itself keep content away from Copilot; pair it with a DLP policy for Copilot if that is the intent.
  7. Review Copilot Data Residency Settings
    Copilot prompts and responses are stored with the tenant's Exchange Online and SharePoint data, so they follow the tenant's data location; Microsoft's residency commitments for Copilot are set out in the Product Terms and the Advanced Data Residency add-on. In the Microsoft 365 admin center, go to Settings > Org settings > Organization profile > Data location and confirm the tenant's data is stored in the geography your SSP requires. Confirm also which cloud your CUI lives in: the commercial Microsoft 365 cloud and the Government clouds (GCC, GCC High) have different authorization boundaries and different Copilot availability, and inherited controls only apply to the cloud you actually use.
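The procedure above ends with settings an assessor will ask you to prove. The script below is an added example, not from the article or from Microsoft, that collects that evidence for the two customer-managed controls most often found lacking: AU-6 (is unified auditing on, which retention policy covers Copilot records, and what Copilot activity occurred in the review window) and AC-3 (is every Copilot license granted through the approved group and not assigned directly). It uses only the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules. The group name "Copilot Approved Users", the 90-day window, the output folder, and matching Copilot SKUs on the substring "COPILOT" are assumptions to adjust for your tenant.

```powershell
# Added example: evidence collection for the customer-managed Copilot controls
# described above (AC-3 licensing scope, AU-6 audit review and retention).
# Not Microsoft's code; it uses the ExchangeOnlineManagement and Microsoft.Graph
# modules only. The group name, the 90-day window, the output folder and the
# "*COPILOT*" SKU match are assumptions; adjust them to your tenant.
param(
    [string]$ApprovedCopilotGroup = "Copilot Approved Users",  # assumed group name
    [int]$LookbackDays = 90,                                   # assumed review window
    [string]$EvidencePath = ".\copilot-cmmc-evidence"          # assumed output folder
)

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
Connect-ExchangeOnline -ShowBanner:$false   # Search-UnifiedAuditLog, Get-AdminAuditLogConfig
Connect-IPPSSession                          # Get-UnifiedAuditLogRetentionPolicy
Connect-MgGraph -NoWelcome -Scopes "Organization.Read.All","Group.Read.All","GroupMember.Read.All","User.Read.All"

# --- AU: is the unified audit log ingesting events at all? --------------------
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is disabled; Copilot interactions are not being recorded."
}

# --- AU: which retention policy (if any) explicitly covers Copilot records? ---
$copilotRetention = Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.RecordTypes -contains "CopilotInteraction" } |
    Sort-Object Priority
if (-not $copilotRetention) {
    Write-Warning "No audit retention policy names CopilotInteraction; the tenant default retention applies."
}
$copilotRetention | Select-Object Name, RetentionDuration, Priority, UserIds |
    Export-Csv -Path (Join-Path $EvidencePath "audit-retention.csv") -NoTypeInformation

# --- AU-6: export the Copilot interactions for the review period ---------------
# Search-UnifiedAuditLog returns at most 5000 rows per call; ReturnLargeSet with a
# fixed SessionId pages through the rest until an empty batch comes back.
$start = (Get-Date).AddDays(-$LookbackDays)
$end = Get-Date
$sessionId = "copilot-cmmc-" + [guid]::NewGuid().ToString()
$records = New-Object System.Collections.Generic.List[object]
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    foreach ($r in $batch) { $records.Add($r) }
} while ($batch)

$records | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path (Join-Path $EvidencePath "copilot-interactions.csv") -NoTypeInformation

# A per-user count is the starting point for the reviewer's AU-6 analysis:
# unexpected accounts or volumes here are what to chase in the AuditData JSON.
$records | Group-Object UserIds | Select-Object Name, Count | Sort-Object Count -Descending |
    Export-Csv -Path (Join-Path $EvidencePath "copilot-usage-by-user.csv") -NoTypeInformation

# --- AC-3: every Copilot license must come from the approved group ------------
$copilotSkus = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like "*COPILOT*" }  # assumption
$group = Get-MgGroup -Filter "displayName eq '$ApprovedCopilotGroup'"
$memberIds = @()
if ($group) {
    $memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
} else {
    Write-Warning "Approved group '$ApprovedCopilotGroup' not found; every Copilot license will be flagged."
}

$licensed = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,LicenseAssignmentStates) {
    foreach ($state in $u.LicenseAssignmentStates) {
        if ($copilotSkus.SkuId -contains $state.SkuId) {
            [pscustomobject]@{
                User            = $u.UserPrincipalName
                SkuId           = $state.SkuId
                AssignedByGroup = $state.AssignedByGroup   # null means a direct (per-user) assignment
                InApprovedGroup = ($memberIds -contains $u.Id)
            }
        }
    }
}
$licensed | Export-Csv -Path (Join-Path $EvidencePath "copilot-licenses.csv") -NoTypeInformation

# Exceptions: licensed outside the group, or licensed directly rather than via the group.
$exceptions = $licensed | Where-Object { -not $_.InApprovedGroup -or -not $_.AssignedByGroup }
if ($exceptions) {
    Write-Warning ("{0} Copilot license(s) fall outside the approved group; see copilot-licenses.csv" -f @($exceptions).Count)
}
"Copilot CMMC evidence written to $EvidencePath"
```

Run it with an account that holds the Audit Logs role in Exchange Online plus read access to users and groups in Entra ID; a Global Administrator is not needed. The CSVs are the artifacts to attach to the SSP for AU-6 and AC-3, and the two warnings are the findings to remediate before the assessment. In GCC High the connections need the government endpoints (Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh, Connect-MgGraph -Environment USGov, and the GCC High URIs for Connect-IPPSSession per Microsoft's documentation); the rest of the script is unchanged.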


Common Misconceptions About Copilot and CMMC Level 2

Copilot Inherits All Microsoft 365 Controls

This is false. Copilot inherits infrastructure and service-operations controls, not tenant-configuration and data-handling controls. For example, encryption at rest is inherited, but data classification and DLP for Copilot output are not. The CRM separates inherited from customer-managed controls.

Copilot Is FedRAMP High Certified

Copilot itself is not FedRAMP High "certified"; FedRAMP does not certify products, it authorizes systems within a defined boundary. Copilot runs on Microsoft 365 services that are FedRAMP High authorized, and whether the Copilot service sits inside that authorized boundary depends on the state of the authorization at the time of your assessment, because Microsoft adds services to it over time. Check the current FedRAMP Marketplace listing and the Microsoft 365 SSP available through the Service Trust Portal, and confirm the result with your assessor rather than assuming either way.

All Copilot Features Are Compliant by Default

Features like web grounding (web search), plugin and agent access, and file upload are not restricted by default, and an assessor will expect you to show that each is either disabled or justified. Use the Copilot settings in the Microsoft 365 admin center (Settings > Org settings) to turn off web search and to control plugin access, and document the decision for each feature in your SSP.

Customer Key Is Not Required

Customer Key is optional for CMMC Level 2 but is one way to satisfy SC-12 (NIST SP 800-171 3.13.10, cryptographic key management). If you choose not to use Customer Key, Microsoft manages the encryption keys under its FedRAMP High baseline and the control is inherited; if you do use it, the keys in Azure Key Vault become a customer-managed control you must operate and evidence. Document the decision either way in your System Security Plan (SSP).

| Control Family | Inherited Controls | Customer-Managed Controls |
|---|---|---|
| Access Control | Microsoft staff account management, least privilege, and remote access to the hosting infrastructure | User accounts, Copilot license scope, role-based access control for Copilot administration |
| Audit and Accountability | Audit log collection for API calls, user actions, and system events | Audit log review, retention policy configuration |
| Configuration Management | Baseline configuration and change management for the service | Least functionality, disabling unused Copilot features |
| Incident Response | None inherited | Incident handling procedures for Copilot events |
| Risk Assessment | None inherited | Evaluation of data sensitivity and Copilot usage |
| System and Communications Protection | Encryption at rest and in transit | Customer Key management, data residency verification |
| System and Information Integrity | Flaw remediation, malicious code protection | DLP policies for Copilot output, data classification |

Microsoft Copilot inherits a strong security baseline from Microsoft 365's FedRAMP High authorization. However, CMMC Level 2 requires customers to actively manage controls related to access, audit review, incident response, and data protection. Use the Customer Responsibility Matrix in the Service Trust Portal to identify exactly which controls are inherited and which are not. Configure Copilot-specific settings such as license scope, audit retention, and DLP policies, and verify data residency, to close the compliance gap. For a complete assessment, work with a CMMC Third-Party Assessor Organization (C3PAO) to validate your implementation.
