An assessor will ask you to produce a record of who did what and when. If the logs are not on, or they rolled off after 90 days, you have a finding. Audit and accountability in GCC High lives in Microsoft Purview, with the option to forward into a SIEM.
Turn on the Unified Audit Log (3.3.1, 3.3.2)
NIST 800-171 3.3.1 and 3.3.2 require auditable records of user and admin activity, and the Unified Audit Log is the system of record for Microsoft 365. In the Purview portal, open Audit and start recording user and admin activity if it is not already on. Confirm mailbox auditing is enabled tenant-wide.
Set retention to a year or more (3.3.1)
The default retention window is too short for an assessment. CMMC expects at least a year of retained logs. With Purview Audit Premium, create an Audit retention policy and set retention to 365 days or longer for the record types in scope.
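The audit and retention settings from the two steps above can also be checked and set from PowerShell with the ExchangeOnlineManagement module. This is an added example, not part of the original page; the admin account, policy name, record types in scope, priority and evidence path are placeholders to replace with your own.

```powershell
# Added example. Placeholders: $AdminUpn, $PolicyName, the record types, $Evidence.
$AdminUpn   = 'admin@example.us'
$PolicyName = 'Audit-Retention-12-Months'
$Evidence   = ".\audit-evidence-$(Get-Date -Format yyyyMMdd).json"

# 1. Exchange Online, GCC High environment: audit ingestion and mailbox auditing.
#    Read these values here; the same cmdlet in Security & Compliance PowerShell
#    always reports UnifiedAuditLogIngestionEnabled as False.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ExchangeEnvironmentName O365USGovGCCHigh

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    # The change may take time to show up; re-run later to capture final evidence.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false   # mailbox auditing on tenant-wide
}
$ualEnabled    = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$auditDisabled = (Get-OrganizationConfig).AuditDisabled
Disconnect-ExchangeOnline -Confirm:$false

# 2. Security & Compliance PowerShell, GCC High endpoints: audit retention policy
#    (requires Purview Audit Premium licensing).
Connect-IPPSSession -UserPrincipalName $AdminUpn `
    -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/organizations'

if (-not (Get-UnifiedAuditLogRetentionPolicy | Where-Object Name -eq $PolicyName)) {
    New-UnifiedAuditLogRetentionPolicy -Name $PolicyName `
        -Description 'Retain in-scope audit records for 12 months' `
        -RecordTypes ExchangeAdmin, ExchangeItem, SharePointFileOperation, AzureActiveDirectory `
        -RetentionDuration TwelveMonths -Priority 100
}
$policies = Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority
Disconnect-ExchangeOnline -Confirm:$false

# 3. Save the observed state as dated evidence for the System Security Plan.
[pscustomobject]@{
    CollectedUtc                    = (Get-Date).ToUniversalTime().ToString('o')
    CollectedBy                     = $AdminUpn
    UnifiedAuditLogIngestionEnabled = $ualEnabled
    MailboxAuditDisabled            = $auditDisabled
    RetentionPolicies               = $policies
} | ConvertTo-Json -Depth 4 | Set-Content -Path $Evidence
```

The script only changes a setting when the current value is wrong, so it can be re-run before an assessment to refresh the evidence file without side effects.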
Stream logs to a SIEM and alert (3.3.5, 3.3.6)
NIST 800-171 3.3.5 and 3.3.6 are about correlation, review and reporting, and raw logs do not do that on their own. Connect Microsoft Sentinel, or whatever SIEM you run, to the Microsoft 365 and Entra connectors, then enable analytics rules that alert on privileged role changes, impossible travel and mass downloads. The goal is that a meaningful event reaches a human instead of sitting in a log nobody reads.
A note on what "done" means
Configuring these settings hardens your Microsoft 365 GCC High tenant to the NIST 800-171 technical baseline. It is not a CMMC certification. A C3PAO assesses your documented System Security Plan, not your tenant directly, so the configuration above only counts once it is written down with evidence. Our free GCC High Setup Autopilot walks you through every step in order and hands the result to your control set when you move to Readyline Pro.