We recently implemented Azure Policy to help with compliance on GCC-High and Commercial tenants, after doing a compliance review based on CMMC Level 3, NIST SP 800-171 R2, Azure Security Benchmark, and CSS benchmarks. Azure Policy helps with governance and with maintaining compliance by way of continuous monitoring. You might find this helpful. We can help you with a review of your tenant/subscriptions and setup for continuous compliance.