Once identity is solid, the next gap is the endpoint. A correctly authenticated user on an unmanaged, unencrypted laptop is still a CUI exposure. Device and configuration management in GCC High runs through Microsoft Intune.
Define device compliance baselines (3.4.1, 3.4.2)
NIST 800-171 3.4.1 and 3.4.2 require baseline configurations and a way to enforce them. In Intune, create compliance policies that require disk encryption, a minimum OS version, an active and up-to-date Microsoft Defender and a screen lock, then apply an Intune security baseline such as the Windows or Defender baseline to managed devices. A device that fails a compliance policy is marked non-compliant, which is the signal Conditional Access later uses to keep it away from CUI.
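As an added example (not from the original page or the product it describes), the following Microsoft Graph PowerShell script creates a Windows compliance policy with the requirements listed above and assigns it to all devices. The policy name, the minimum OS build and the all-devices assignment are assumptions; the Graph property names are those of the Graph `windows10CompliancePolicy` resource, and `-Environment USGov` points the SDK at the US Government cloud endpoint that GCC High tenants use.

```powershell
# Added example: create and assign a Windows compliance policy in a GCC High tenant.
# Policy name, minimum build and assignment scope are assumptions for illustration.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement

# GCC High lives in the US Government cloud, so the SDK must target that endpoint.
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "CUI baseline - Windows"                 # assumed name
    description            = "NIST 800-171 3.4.1/3.4.2 device compliance baseline"
    bitLockerEnabled       = $true          # encryption at rest (3.13.16)
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    osMinimumVersion       = "10.0.19045"   # assumed minimum build; set to your supported floor
    passwordRequired       = $true          # screen lock backed by a password
    passwordMinutesOfInactivityBeforeLock = 15
    defenderEnabled        = $true          # Defender present and enabled
    rtpEnabled             = $true          # real-time protection on
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    activeFirewallRequired = $true
    # Mark the device non-compliant immediately (no grace period) so Conditional
    # Access can act on it; Graph requires at least one scheduled action.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Output "Created compliance policy '$($created.DisplayName)' with id $($created.Id)"

# Assign to all devices (assumed scope). In practice, pilot with a device group first
# so a too-strict baseline does not mark the whole fleet non-compliant at once.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.us/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assignment

Disconnect-MgGraph
```

The values in the hashtable map one-to-one to what you would tick in the Intune portal; keeping them in a script gives you a reviewable artifact to attach to the System Security Plan as evidence that the baseline exists and what it contains.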
Enforce BitLocker on all devices (3.13.16)
Encrypting devices at rest protects CUI on hardware that gets lost or stolen. Under Endpoint security then Disk encryption, create a BitLocker policy that enables encryption silently (no user interaction required) and escrows recovery keys to Microsoft Entra ID, so a key is always recoverable by an administrator without being stored on the device itself.
Restrict removable media (3.8.7)
NIST 800-171 3.8.7 controls the use of removable media, and a blocked or read-only USB port stops casual exfiltration. Under Endpoint security then Attack surface reduction then Device control, block or set read-only access to removable storage and allow exceptions only where justified.
Require a compliant device to sign in (3.1.1, 3.4.2)
Combining identity with device health keeps CUI off unmanaged endpoints. Add a Conditional Access policy that grants access only when the device is marked compliant by Intune, and target the apps that touch CUI: Exchange Online, SharePoint Online and Teams. Start the policy in report-only mode and review the sign-in log before enforcing it, so that a mis-scoped compliance policy does not lock out the whole organization.
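As an added example (not code from the page or its author), the script below creates the Conditional Access policy in report-only mode and then lists the managed devices that would be blocked once it is enforced, which is the check an administrator wants before flipping the switch. The policy name and the break-glass exclusion group id are placeholders; the `Office365` application target is the built-in group that covers Exchange, SharePoint and Teams together, which is broader than the three apps named in the text, so narrow `includeApplications` if you want exactly those.

```powershell
# Added example: report-only "require compliant device" policy plus an impact report.
# Display name and exclusion group id are placeholders, not values from the page.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Environment USGov -Scopes @(
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "DeviceManagementManagedDevices.Read.All"
)

$caPolicy = @{
    displayName = "Require compliant device for CUI apps"        # assumed name
    state       = "enabledForReportingButNotEnforced"             # report-only first
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Always exclude an emergency-access account group so a broken
            # compliance signal cannot lock every administrator out.
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder
        }
        applications = @{
            # "Office365" is the built-in app group covering Exchange Online,
            # SharePoint Online, Teams and the rest of the suite.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # Intune compliance is the gate
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Output "Created CA policy '$($created.DisplayName)' in state $($created.State)"

# Impact report: devices that are not compliant, or not encrypted, would lose
# access to CUI apps once the policy is switched to 'enabled'.
$devices = Get-MgDeviceManagementManagedDevice -All
$atRisk  = $devices | Where-Object {
    $_.ComplianceState -ne 'compliant' -or -not $_.IsEncrypted
}

Write-Output ("{0} of {1} managed devices would be blocked:" -f $atRisk.Count, $devices.Count)
$atRisk |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, IsEncrypted |
    Sort-Object ComplianceState, DeviceName |
    Format-Table -AutoSize

Disconnect-MgGraph
```

Once the report is empty (or every remaining device is one you intend to block), change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Keeping the exported report alongside the policy definition gives the assessor the before-and-after evidence that 3.1.1 and 3.4.2 were actually enforced rather than just configured.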
A note on what "done" means
Configuring these settings hardens your Microsoft 365 GCC High tenant to the NIST 800-171 technical baseline. It is not a CMMC certification. A C3PAO assesses your documented System Security Plan and the evidence behind it, not your tenant directly, so the configuration above only counts once it is written down with evidence such as exported policies and compliance reports. Our free GCC High Setup Autopilot walks you through every step in order and hands the result to your control set when you move to Readyline Pro.