
Security & Compliance
Gap Analysis
CISA Baseline
Safeguarding your organization’s data, infrastructure, and users.
Microsoft SharePoint Online
Microsoft 365 (M365) SharePoint Online is a web-based collaboration and document management platform. It is primarily used to collaborate on documents and communicate information in projects. M365 OneDrive is a cloud-based file storage system primarily used to store a user’s personal files, but it can also be used to share documents with others. This secure configuration baseline (SCB) provides specific policies to strengthen the security of both services.
The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Baseline Policies
This section helps reduce security risks related to sharing files with users external to the agency. This includes guest users, users who use a verification code, and users who access an Anyone link.
MS.SHAREPOINT.1.1v1 – External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.
- Rationale: Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.1.2v1 – External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.
- Rationale: Sharing files outside the organization via OneDrive increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of unauthorized access to information.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.1.3v1 – External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
- Rationale: By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators help prevent sharing with unknown organizations and individuals.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is not set to Only people in your organization.
- MITRE ATT&CK TTP Mapping:
Overview of external sharing in SharePoint and OneDrive in Microsoft 365 | Microsoft Documents
Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Documents
- N/A
This section provides policies to set the scope and permissions for sharing links to secure default values.
MS.SHAREPOINT.2.1v1 – File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).
- Rationale: By making the default sharing the most restrictive, administrators prevent accidentally sharing information too broadly.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.2.2v1 – File and folder default sharing permissions SHALL be set to View.
- Rationale: Edit access to files and folders could allow a user to make unauthorized changes. By restricting default permissions to View, administrators prevent unintended or malicious modification.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
- N/A
Sharing files with external users via Anyone links or verification codes is strongly discouraged because it grants access to data within a tenant with weak or no authentication. If these features are used, this section details access restrictions that provide limited mitigation of that risk.
Note: The settings in this section are only applicable if an agency is using Anyone links or Verification code sharing. See each policy below for details.
MS.SHAREPOINT.3.1v1 – Expiration days for Anyone links SHALL be set to 30 days or less.
- Rationale: Links may be used to provide access to information for a short period of time. Without expiration, however, access is indefinite. By setting expiration timers for links, administrators prevent unintended sustained access to information.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone.
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.3.2v1 – The allowable file and folder permissions for links SHALL be set to View only.
- Rationale: Unauthorized changes to files can be made if permissions allow editing by anyone. By restricting permissions on links to View only, administrators prevent anonymous file changes.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone.
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.3.3v1 – Reauthentication days for people who use a verification code SHALL be set to 30 days or less.
- Rationale: A verification code may be given out to provide access to information for a short period of time. By setting expiration timers for verification code access, administrators prevent unintended sustained access to information.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone or New and existing guests.
- MITRE ATT&CK TTP Mapping:
- N/A
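The eight MS.SHAREPOINT policies above map onto tenant-level settings that Get-SPOTenant reports, so a gap analysis can be automated. The following checker is an added example, not part of the page, the CISA baseline, or CISA's own ScubaGear tooling. It takes a dictionary whose keys follow the Get-SPOTenant property names (SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays, and so on) and returns PASS, FAIL or N/A per policy, honouring each policy's applicability note (3.1 and 3.2 only matter when the slider is set to Anyone; 3.3 when verification-code sharing is possible; 1.3 whenever the slider is not Only people in your organization). Restriction by security group for 1.3 is not evaluated here, only the domain allow list; the two sample tenants are constructed.

```python
"""Added example: evaluate SharePoint/OneDrive sharing settings against the
MS.SHAREPOINT.1-3 policies. Not CISA or Microsoft code; sample data is constructed."""

# SharingCapability values as reported by Get-SPOTenant, mapped to the
# admin-center slider labels used in the policy text.
ONLY_ORG = "Disabled"                                # Only people in your organization
EXISTING_GUESTS = "ExistingExternalUserSharingOnly"  # Existing guests
NEW_AND_EXISTING = "ExternalUserSharingOnly"         # New and existing guests
ANYONE = "ExternalUserAndGuestSharing"               # Anyone


def evaluate_sharepoint(t: dict) -> dict:
    """Return {policy id: 'PASS' | 'FAIL' | 'N/A'} for one tenant's settings."""
    r = {}
    slider = t.get("SharingCapability")
    r["MS.SHAREPOINT.1.1v1"] = "PASS" if slider in (ONLY_ORG, EXISTING_GUESTS) else "FAIL"
    r["MS.SHAREPOINT.1.2v1"] = (
        "PASS" if t.get("OneDriveSharingCapability") in (ONLY_ORG, EXISTING_GUESTS) else "FAIL")

    # 1.3 applies only when external sharing is possible at all. Only the domain
    # allow list is checked here; security-group restriction needs a separate check.
    if slider == ONLY_ORG:
        r["MS.SHAREPOINT.1.3v1"] = "N/A"
    else:
        allow_listed = (t.get("SharingDomainRestrictionMode") == "AllowList"
                        and bool(t.get("SharingAllowedDomainList")))
        r["MS.SHAREPOINT.1.3v1"] = "PASS" if allow_listed else "FAIL"

    # 2.x: default link scope "Specific people" is DefaultSharingLinkType=Direct.
    r["MS.SHAREPOINT.2.1v1"] = "PASS" if t.get("DefaultSharingLinkType") == "Direct" else "FAIL"
    r["MS.SHAREPOINT.2.2v1"] = "PASS" if t.get("DefaultLinkPermission") == "View" else "FAIL"

    # 3.1 / 3.2 only apply when Anyone links are enabled.
    if slider != ANYONE:
        r["MS.SHAREPOINT.3.1v1"] = r["MS.SHAREPOINT.3.2v1"] = "N/A"
    else:
        days = t.get("RequireAnonymousLinksExpireInDays", -1)  # -1 means links never expire
        r["MS.SHAREPOINT.3.1v1"] = "PASS" if 1 <= days <= 30 else "FAIL"
        view_only = (t.get("FileAnonymousLinkType") == "View"
                     and t.get("FolderAnonymousLinkType") == "View")
        r["MS.SHAREPOINT.3.2v1"] = "PASS" if view_only else "FAIL"

    # 3.3 applies when guests can authenticate with a one-time verification code.
    if slider not in (ANYONE, NEW_AND_EXISTING):
        r["MS.SHAREPOINT.3.3v1"] = "N/A"
    else:
        reauth_ok = (t.get("EmailAttestationRequired") is True
                     and 1 <= t.get("EmailAttestationReAuthDays", 0) <= 30)
        r["MS.SHAREPOINT.3.3v1"] = "PASS" if reauth_ok else "FAIL"
    return r


def gaps(results: dict) -> list:
    """Policy ids that need remediation, in a stable order for reporting."""
    return sorted(pid for pid, verdict in results.items() if verdict == "FAIL")


# Constructed sample tenants (not real data): one hardened, one left at lax values.
HARDENED_TENANT = {
    "SharingCapability": EXISTING_GUESTS,
    "OneDriveSharingCapability": ONLY_ORG,
    "SharingDomainRestrictionMode": "AllowList",
    "SharingAllowedDomainList": "partner-agency.example",   # placeholder domain
    "DefaultSharingLinkType": "Direct",
    "DefaultLinkPermission": "View",
}
LAX_TENANT = {
    "SharingCapability": ANYONE,
    "OneDriveSharingCapability": ANYONE,
    "SharingDomainRestrictionMode": "None",
    "SharingAllowedDomainList": "",
    "DefaultSharingLinkType": "AnonymousAccess",
    "DefaultLinkPermission": "Edit",
    "RequireAnonymousLinksExpireInDays": -1,
    "FileAnonymousLinkType": "Edit",
    "FolderAnonymousLinkType": "View",
    "EmailAttestationRequired": False,
    "EmailAttestationReAuthDays": 0,
}

if __name__ == "__main__":
    for name, tenant in (("hardened", HARDENED_TENANT), ("lax", LAX_TENANT)):
        results = evaluate_sharepoint(tenant)
        print(f"{name}: {len(gaps(results))} gap(s)")
        for pid, verdict in results.items():
            print(f"  {pid:<22} {verdict}")
```

In practice the input dictionary would come from `Get-SPOTenant | ConvertTo-Json` run in the SharePoint Online Management Shell; the N/A handling matters because a tenant that disables external sharing outright should not be flagged on the Anyone-link policies it can never violate.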
Security Solutions
2. Risk Based Policies
This section provides policies that reduce security risks related to potentially compromised user accounts. These policies combine Microsoft Entra ID Protection and Microsoft Entra ID Conditional Access. Microsoft Entra ID Protection uses numerous signals to detect the risk level for each user or sign-in and determine if an account may have been compromised.
Additional mitigations to reduce risks associated with the authentication of workload identities: Although not covered in this baseline due to the need for an additional non-standard license, Microsoft provides support for mitigating risks related to workload identities (Microsoft Entra ID applications or service principals). Agencies should strongly consider implementing this feature because workload identities present many of the same risks as interactive user access and are commonly used in modern systems. CISA urges organizations to apply Conditional Access policies to workload identities.
Note: In this section, the term “high risk” denotes the risk level applied by the Microsoft Entra ID Protection service to a user account or sign-in event.
Users detected as high risk SHALL be blocked.
- Rationale: Blocking high-risk users may prevent compromised accounts from accessing the tenant.
- Last modified: June 2023
- Note: Users identified as high risk by Microsoft Entra ID Identity Protection can be blocked from accessing the system via a Microsoft Entra ID Conditional Access policy. A high-risk user will be blocked until an administrator remediates their account.
- MITRE ATT&CK TTP Mapping:
A notification SHOULD be sent to the administrator when high-risk users are detected.
- Rationale: Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
Sign-ins detected as high risk SHALL be blocked.
- Rationale: This prevents compromised accounts from accessing the tenant.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
- Requires a Microsoft Entra ID P2 license
- Create a conditional access policy blocking users categorized as high risk by the Identity Protection service. Configure the following policy settings in the new conditional access policy as per the values below:
  Users > Include > All users
  Target resources > Cloud apps > All cloud apps
  Conditions > User risk > High
  Access controls > Grant > Block Access
- Configure Microsoft Entra ID Protection to send a regularly monitored security mailbox email notification when user accounts are determined to be high risk.
- Create a Conditional Access policy blocking sign-ins determined high risk by the Identity Protection service. Configure the following policy settings in the new Conditional Access policy as per the values below:
  Users > Include > All users
  Target resources > Cloud apps > All cloud apps
  Conditions > Sign-in risk > High
  Access controls > Grant > Block Access
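The two blocking policies described in the steps above are ordinary Conditional Access policies, which an assessor can export through the Microsoft Graph conditionalAccessPolicy resource and check mechanically. The checker below is an added example, not part of the page or of Microsoft's or CISA's tooling. It assumes the Graph JSON shape (state, conditions.users.includeUsers, conditions.applications.includeApplications, conditions.userRiskLevels, conditions.signInRiskLevels, grantControls.builtInControls) and reports whether an enforced policy blocks high user risk and high sign-in risk for all users and all cloud apps. Two failure modes a report must not miss are handled: a policy left in report-only mode, and a policy that requires MFA instead of blocking. It also surfaces excluded users so break-glass exclusions get reviewed. The three sample policies are constructed; the notification requirement is not a Conditional Access setting and is left to a manual check.

```python
"""Added example: verify that Conditional Access blocks high-risk users and
high-risk sign-ins. Graph JSON shape assumed; sample policies are constructed."""

ENFORCED = "enabled"  # report-only is "enabledForReportingButNotEnforced"


def _covers_everyone(policy: dict) -> bool:
    """All users and all cloud apps, as the baseline implementation steps require."""
    conds = policy.get("conditions", {})
    users = conds.get("users", {}).get("includeUsers", [])
    apps = conds.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _blocks_access(policy: dict) -> bool:
    """Grant control must be Block; requiring MFA is a different control."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "block" in [c.lower() for c in controls]


def _is_high_risk_block(policy: dict, risk_key: str) -> bool:
    levels = [lvl.lower() for lvl in policy.get("conditions", {}).get(risk_key, [])]
    return (policy.get("state") == ENFORCED
            and _covers_everyone(policy)
            and _blocks_access(policy)
            and "high" in levels)


def evaluate_risk_policies(policies: list) -> dict:
    """Summarise which of the two SHALL-level blocking policies are in force."""
    user_hits = [p for p in policies if _is_high_risk_block(p, "userRiskLevels")]
    signin_hits = [p for p in policies if _is_high_risk_block(p, "signInRiskLevels")]
    exclusions = sorted({
        u for p in user_hits + signin_hits
        for u in p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
    })
    return {
        "high_risk_users_blocked": bool(user_hits),
        "high_risk_signins_blocked": bool(signin_hits),
        "user_policies": [p["displayName"] for p in user_hits],
        "signin_policies": [p["displayName"] for p in signin_hits],
        "excluded_users_to_review": exclusions,
    }


def risk_policy_gaps(summary: dict) -> list:
    """Requirements from the baseline that the exported policies do not satisfy."""
    missing = []
    if not summary["high_risk_users_blocked"]:
        missing.append("Users detected as high risk SHALL be blocked.")
    if not summary["high_risk_signins_blocked"]:
        missing.append("Sign-ins detected as high risk SHALL be blocked.")
    return missing


# Constructed sample export (not real tenant data).
SAMPLE_POLICIES = [
    {   # correct: enforced, everyone, block on high user risk, one break-glass exclusion
        "displayName": "Block high-risk users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["<break-glass-account-object-id>"]},  # placeholder
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": ["high"],
            "signInRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # wrong: right shape, but report-only, so nothing is actually blocked
        "displayName": "Block high-risk sign-ins (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": [],
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # wrong for this baseline: requires MFA rather than blocking
        "displayName": "MFA for medium and high sign-in risk",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "userRiskLevels": [],
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    summary = evaluate_risk_policies(SAMPLE_POLICIES)
    for line in risk_policy_gaps(summary):
        print("GAP:", line)
    print("Review exclusions:", summary["excluded_users_to_review"])
```

With the constructed sample the user-risk requirement passes and the sign-in-risk requirement is reported as a gap, because the only candidate policy is report-only and the MFA policy uses the wrong grant control.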
Microsoft Defender
External Attack Surface Management (EASM)
EASM helps you discover and manage your external attack surface. It identifies vulnerabilities and provides actionable insights.
Microsoft Intune
Microsoft Intune is a unified endpoint management platform that ensures secure access to corporate resources across devices.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) solution. It collects, analyses, and correlates security data from various sources, enabling proactive threat detection and response.
Threat Detection: Detect and respond to security incidents.
Security Orchestration: Automate incident response.
Advanced Analytics: Uncover hidden threats.
Microsoft Copilot for Security
Microsoft Copilot for Security, powered by advanced GPT-4 models from OpenAI, is the industry’s first generative AI solution. It empowers security and IT professionals to catch what others miss, move faster, and strengthen team expertise. Here’s why you should choose Copilot:
Tailored Insights: Copilot analyses large-scale data and threat intelligence, including over 78 trillion security signals processed by Microsoft daily. It delivers personalized insights and guides your next steps.
Speed and Scale: Protect at the speed and scale of AI. Copilot transforms your security operations, making them more efficient and effective.
Economic Gains: Our studies show that experienced security professionals using Copilot are 22% faster and 7% more accurate across all tasks.
DMARC Email Security
Email remains a primary attack vector for cybercriminals. Our DMARC email security solution ensures that your organization’s emails are protected against phishing, spoofing, and other threats. Key features include:
Authentication: DMARC authenticates your outbound emails, preventing domain spoofing and ensuring email integrity.
Visibility: Gain insights into email traffic, detect anomalies, and proactively address potential threats.
Compliance: Meet regulatory requirements with ease, thanks to DMARC’s compliance features.
Sophos Firewalls
Firewalls are the first line of defence against external threats. Our Sophos firewall solutions provide robust protection for your network infrastructure:
Unified Threat Management (UTM): Sophos UTM combines firewall, intrusion prevention, web filtering, and more in a single solution.
Next-Generation Firewalls (NGFW): Sophos NGFWs offer advanced threat detection, application control, and secure VPN connectivity.
Synchronized Security: Sophos integrates seamlessly with other security products, enhancing overall protection.
Gap Analysis Reports for Risk & Compliance
Gap Analysis is a comprehensive report designed to help risk and compliance officers ensure their Microsoft 365 environments meet the highest security standards. Our report provides detailed insights and actionable recommendations to enhance your organization’s security posture.
Regulatory Compliance Assurance: Ensure adherence to industry standards and regulatory requirements. Avoid penalties and maintain trust with documented compliance efforts.
Detailed Risk Assessment: Identify potential security risks and vulnerabilities in your M365 environment. Proactively manage and mitigate risks with clear, actionable insights.
Audit Readiness: Be prepared for audits with comprehensive documentation of your security configurations. Demonstrate compliance with CISA’s Secure Configuration Baselines.
Policy Enforcement: Consistently enforce security policies across your organization. Reduce the likelihood of non-compliance with tailored recommendations.
Continuous Improvement: Regularly monitor and improve your security configurations. Adapt to evolving threats and compliance requirements with ongoing assessments.
Our Expertise
Why Choose Crimson Line?
01. Innovation: We stay ahead of the curve by embracing AI-driven tools like Copilot.
02. Expertise: Our experienced team architects and manages cloud-native solutions.
03. Cost-Effective: Enjoy the benefits of PaaS with minimal risk.
04. Flexibility: We tailor solutions to meet your unique needs.
Get Started
Create a Customized Security Strategy
At Crimson Line, security is not just a product—it’s our commitment to your peace of mind.