A quick review of Compliance Manager (or the Office 365 MT FedRAMP system security plan) shows that Microsoft has documented the areas where customer orgs need to implement their own controls (policies, procedures, tenant configurations) in order to fully satisfy a FedRAMP control requirement.

I know that CMMC is different. We aren't focusing on just the cloud system, but rather the entire organization, its people, information, technology and facilities. That distinction aside: how much do we think Microsoft's security capabilities can be "inherited" by subscriber organizations for use in a CMMC assessment? How much still needs to be documented, performed, and managed by the organization itself? More than FedRAMP? Less? 42?