PLACEHOLDER
Version 1.1
Release Date: 11/17/2025
Document Change History
This table documents all versions and changes made to this System
Security Plan.
| Version | Date | Description | Prepared By | Approved By |
| 1.0 | 10/14/2025 | Initial document creation establishing CMMC Level 2 compliance | Reed Rising | XYZ |
| 1.1 | 11/17/2025 | Update to Exchange as CUI Asset | Reed Rising | XYZ |
Document Maintenance
This System Security Plan (SSP) will be reviewed and updated at least
annually to ensure continued accuracy and effectiveness. Reviews will be
conducted whenever significant changes occur to the system architecture,
security controls, organizational structure, threat environment, or
regulatory requirements.
The annual review process includes assessment of:
- System owner changes
- Information security representative changes
- System architecture modifications
- Operational status updates
- System interconnection changes
- Scope modifications
- Authorizing official changes
- Certification and accreditation status
All updates will be documented in the revision history and require
approval from the designated authorizing official before implementation.
Description of Document
This System Security Plan (SSP) documents the security controls and
implementation details for the organization's CMMC Level 2 compliant
environment designed to protect Controlled Unclassified Information
(CUI) in accordance with NIST SP 800-171 Rev. 2 requirements. The SSP
serves as the authoritative source for understanding the system's
security architecture, control implementation, and operational
procedures required to maintain the confidentiality of CUI while
supporting the organization's mission objectives.
The SSP provides comprehensive documentation of:
- System boundaries and architecture defining the CMMC assessment scope, including all CUI assets, security protection assets, and contractor risk managed assets
- Security control implementation detailing how each of the 110 NIST SP 800-171 security requirements is satisfied through technical, administrative, and physical safeguards
- Inherited controls from FedRAMP-authorized cloud service providers (Microsoft Azure Government and Microsoft 365 GCC High) and managed service providers
Organization Description
| Organization Name | PLACEHOLDER |
| Organization Address | PLACEHOLDER |
| Organization Phone Number | PLACEHOLDER |
System Description
| System Name | PLACEHOLDER |
| System Abbreviated Name | PLACEHOLDER |
| System Sensitivity Level | Moderate Impact for Confidentiality |
| System Environment Type | Cloud |
System Description
The system is a cloud-native CMMC Level 2 secure enclave operating
within Microsoft's Government Community Cloud High (GCC High)
infrastructure, designed to protect Controlled Unclassified Information
(CUI) in accordance with NIST SP 800-171 Rev. 2 requirements.
This environment description covers the technical, management, and operational aspects of the system, with specific focus on CUI processing, storage, and transmission.
System Key Personnel
The following individuals are responsible for the security and
management of the system:
System Owner
| Name | PLACEHOLDER |
| Title | PLACEHOLDER |
| Organization | PLACEHOLDER |
| Email | PLACEHOLDER |
| Phone | PLACEHOLDER |
Serves as the system owner overseeing the CMMC service line, including
implementation and oversight of applicable controls. Oversees resource
management and provides executive approval for future client proposals.
Acts as the primary point of contact for all external stakeholders,
including CyberAB, DIBCAC, and other interested parties.
System Security Officer
| Name | PLACEHOLDER |
| Title | PLACEHOLDER |
| Organization | PLACEHOLDER |
| Email | PLACEHOLDER |
| Phone | PLACEHOLDER |
Serves as the Director of Innovation and Technology, responsible for
overseeing system owners and ensuring the implementation of firm-wide
information security policies and practices. Provides strategic
direction for cybersecurity, manages risk, ensures regulatory
compliance, and leads incident response efforts. Also plays a key role
in security governance and alignment of security initiatives with
business objectives.
Security Administrator
| Name | PLACEHOLDER |
| Title | PLACEHOLDER |
| Organization | PLACEHOLDER |
| Email | PLACEHOLDER |
| Phone | PLACEHOLDER |
Responsible for designing, implementing, and maintaining the
organization's CMMC Level 2 compliant security architecture. The
Security Administrator leads the security services support provided,
maintains the System Security Plan and related documentation, and serves
as the technical liaison during C3PAO assessments.
System & Data Flow Diagrams
System Boundary Diagram

System Boundary Diagram Description
This diagram illustrates the CMMC assessment boundary and data flow architecture for the organization's CUI environment, clearly delineating assets within scope and their interconnections. All CUI assets are hosted within FedRAMP-authorized Microsoft cloud services: Azure Government or Microsoft 365 GCC High. All Microsoft cloud services, whether they are CUI assets or not, can only be accessed from a Cloud PC.
System Boundary Components
Azure Government Environment (Lower Section):
- Microsoft Entra ID (SPA) - Provides centralized authentication and identity management for all system access
- Cloud PC - CUI Users (CUI Asset) - Windows 365 Cloud PCs where authorized users process and access CUI
- Cloud PC - Security Team (CRMA) - Dedicated Windows 365 Cloud PCs for administrative access to Microsoft management portals, with no access to CUI components or data
- Microsoft Defender XDR (SPA) - Unified threat protection and security monitoring platform
- Intune (SPA) - Device management and compliance enforcement
- Privileged Identity Management (SPA) - Just-in-time administrative access control
- Microsoft Managed Network - Azure's underlying network infrastructure
Microsoft 365 GCC High Environment (Upper Right):
- SharePoint Online (CUI Asset) - Primary document repository for CUI storage
- Microsoft Teams (CUI Asset) - Collaboration platform for CUI communications
- OneDrive (CUI Asset) - Individual user CUI storage synchronized with Cloud PCs
- Exchange Online (CUI Asset / CRMA) - Email services for users. This is a CUI asset for users who access CUI, and a CRMA asset for users who do not have access to CUI.
- Microsoft 365 Administration (SPA) - Administrative portal for service management
External Cloud Services
- HaloPSA (SPA) - ITSM platform for ticketing and compliance management, accessible directly from out-of-scope devices
- n8n (SPA) - Automation platform for security workflows, accessible directly from out-of-scope devices
- Huntress (SPA) - Provides managed endpoint detection and response (EDR), identity threat detection and response (ITDR), and security information and event management (SIEM) services, and serves as the security awareness training platform
Out of Scope
- User Laptops (OOS) - Out-of-scope endpoints used to connect to
Cloud PCs
Data Flow Descriptions
The diagram depicts six distinct data flows:
- CUI Data Flow (blue) - CUI-authorized users accessing CUI through dedicated Cloud PCs to M365 services
- SPA Data Flow (green) - Security team accessing administrative tools through CRMA Cloud PCs for Microsoft services, with direct access to external SPAs (HaloPSA/n8n)
- Administrative Data Flow (black) - Standard operational connections to HaloPSA for ticketing and Exchange for email. Exchange may only be accessed through a Cloud PC
- Authentication Flow (dotted) - Entra ID authentication for all access requests to the FedRAMP boundary
- Intra-Service Data Flow (orange dashed) - Communications between Microsoft services
- OOS VDI Access Flow (red) - Remote desktop connections from out-of-scope devices to both CUI and CRMA Cloud PCs
This architecture ensures complete CUI isolation within the
FedRAMP-authorized Microsoft cloud services while segregating
administrative access through dedicated CRMA Cloud PCs. Security
personnel must access Microsoft administrative portals through their
assigned CRMA Cloud PCs, preventing direct CUI access, while external
management tools (HaloPSA and n8n) remain accessible directly for
operational efficiency.
CUI Data Flow Diagram

CUI Data Flow Diagram Description
This diagram illustrates the specific data flow path for Controlled
Unclassified Information (CUI) through the CMMC assessment boundary,
demonstrating how CUI remains protected within the authorized
environment.
CUI Flow Path
Entry Point: CUI-authorized users connect to the environment from
out-of-scope laptops using Remote Desktop Protocol (RDP) to access their
assigned Windows 365 Cloud PCs. The connection is authenticated through
Microsoft Entra ID with conditional access policies enforcing MFA and
device compliance checks. Only screen, keyboard, and mouse data traverse
this connection—no CUI data can be copied or transferred to the local
out-of-scope device.
CUI Processing Environment: Within the Azure Government boundary, Cloud PCs (marked as CUI assets) serve as the sole computing environment where users can view, create, and modify CUI. These STIG-hardened Windows 11 virtual desktops maintain complete data isolation: clipboard, file transfer, and printer redirection to local devices are disabled, preventing unauthorized data exfiltration.
CUI Assets: From the Cloud PCs, CUI flows exclusively to the authorized Microsoft 365 GCC High services:
- SharePoint Online - Primary repository for shared CUI documents and collaboration sites
- OneDrive - Individual user CUI storage with automatic synchronization to Cloud PCs
- Microsoft Teams - CUI shared through teams and channels, with files stored in underlying SharePoint libraries
- Exchange Online - Email services through which CUI may be transmitted
Security Controls Along the Flow
The blue CUI data flow lines represent encrypted channels between Cloud PCs and Microsoft 365 services, protected in transit by TLS 1.2 or later using FIPS 140-2 validated cryptographic modules.
Data Flow Isolation
The diagram clearly shows that CUI data flow (blue lines) is completely segregated from:
- Administrative data flows to management portals (SPA components)
- External service provider connections (HaloPSA and n8n)
- Security monitoring and compliance tools that only access metadata
This architecture ensures CUI remains within the FedRAMP High authorized
boundary throughout its lifecycle, from creation to disposal, with no
unauthorized pathways for data exfiltration.
SPA Data Flow Diagram

SPA Data Flow Diagram Description
This diagram illustrates the data flow paths for Security Protection
Assets, showing how administrative and security tools are accessed
without touching CUI data.
SPA Access Architecture
The green SPA data flow lines demonstrate a dual-access pattern for security and administrative tools:
- Internal Microsoft SPAs: Security team members must connect through their dedicated CRMA Cloud PCs to access Microsoft administrative tools within the FedRAMP boundary
- External SPAs: HaloPSA, n8n, and Huntress can be accessed directly from out-of-scope laptops without requiring Cloud PC connections, as these assets are completely segregated from CUI data
SPA Components and Access Paths
Accessed via CRMA Cloud PC:
- Microsoft 365 Administration Portal - User and service management requiring FedRAMP boundary access
- Privileged Identity Management (PIM) - Just-in-time role elevation and access governance
- Microsoft Defender XDR - Security monitoring, threat hunting, and incident response
- Intune - Device configuration, compliance policies, and patch management
- Purview - Comprehensive data governance solution, including capabilities such as applying sensitivity labels and data loss prevention policies
Accessed Directly or via Cloud PC:
- HaloPSA - ITSM platform for ticketing, change management, and compliance tracking
- n8n - Security automation workflows processing only technical metadata
- Huntress - Provides managed endpoint detection and response (EDR), identity threat detection and response (ITDR), and security information and event management (SIEM) services, and serves as the security awareness training platform
Security Controls and Segregation
The SPA flow architecture enforces several key security principles:
- Security team members use separate CRMA Cloud PCs that cannot access CUI repositories
- All Microsoft administrative tools require authenticated Cloud PC sessions, ensuring audit trails remain within the FedRAMP boundary
- External SPAs operate completely outside the CUI processing environment with no data plane access
- Green flow lines never intersect with blue CUI data flows, maintaining complete segregation
Operational Workflow
Security administrators connect to their CRMA Cloud PCs via RDP,
authenticate through Entra ID with enhanced MFA requirements, then
access Microsoft administrative portals. For routine operations like
ticket management in HaloPSA, security monitoring in Huntress, or
automation development in n8n, direct laptop access is permitted since
these services are logically separated from CUI and cannot access CUI
data. This dual-access model balances security requirements with
operational efficiency, ensuring administrative activities are logged
and controlled within the FedRAMP boundary while allowing flexible
access to external operational tools.
Administrative Data Flow

Administrative Data Flow Diagram Description
This diagram illustrates the administrative data flow paths for standard
operational activities, showing how users perform non-CUI and
administrative functions such as ticket management and email
communications.
Administrative Access Patterns
Administrative functions follow distinct access requirements based on service location and data sensitivity:
- External Service Access (HaloPSA): Users can connect directly to HaloPSA from out-of-scope laptops OR through their Cloud PCs for ticket management, change requests, and project tracking. This flexibility is permitted because HaloPSA operates outside the FedRAMP boundary and never processes CUI.
- FedRAMP Service Access (Exchange): All access to Exchange Online and the Microsoft 365 Administration Portal requires connection through Cloud PCs. Users access Exchange through their dedicated Cloud PCs.
Administrative Services
The black administrative flow lines connect to:
- HaloPSA (External SPA) - ITSM platform for viewing and managing tickets, tracking vulnerabilities, processing change requests, and managing compliance activities. Accessible from both out-of-scope laptops and Cloud PCs for operational flexibility.
- Exchange Online (CUI Asset / CRMA) - Email and calendar services restricted to Cloud PC access only, ensuring organizational communications remain within the FedRAMP boundary. Exchange is a CUI asset for CUI-authorized users and a CRMA for users without CUI access.
Access Flow Description
For HaloPSA Access: Users can choose their access method based on
convenience - either directly from laptops or through Cloud PCs. Both
paths require Entra ID authentication. This dual-access model maximizes
operational efficiency for non-CUI administrative tasks.
For Exchange Online Access: All users, including security team
members, must access Exchange through their assigned Cloud PCs (CUI or
CRMA). This ensures email communications, which may contain CUI
references, remain within the FedRAMP authorized boundary.
Security Segregation
The architecture enforces clear boundaries:
- External administrative tools (HaloPSA) operate outside the FedRAMP boundary without CUI access
- Exchange Online is protected within the FedRAMP authorized boundary; mailboxes of CUI-authorized users are treated as a CUI asset, while mailboxes of users without CUI access are treated as a CRMA and remain segregated from primary CUI storage
- Security team's CRMA Cloud PCs provide access to Exchange without CUI exposure
This design balances operational efficiency for external tool access
with strict boundary enforcement for FedRAMP services, ensuring all
potentially sensitive communications remain within the controlled
environment.
Intra-Service Data Flow

Intra-Service Data Flow Diagram Description
This diagram illustrates the internal service-to-service communications
within the Microsoft cloud infrastructure, demonstrating the backend
integrations that enable unified security, identity, and collaboration
capabilities.
Microsoft-Managed Service Communications
The orange dashed lines represent automated data flows between Microsoft services that occur without direct user interaction. These backend communications are entirely managed by Microsoft within its FedRAMP-authorized infrastructure, and the controls protecting them are inherited from the cloud service provider.
Azure Government Service Integration
Within the Azure Government boundary, intra-service flows connect:
- Entra ID ↔ All Services: Provides authentication tokens and authorization decisions to every component
- Microsoft Defender XDR ↔ Intune: Shares device compliance status and threat detection signals for automated remediation
- Microsoft Defender XDR ↔ PIM: Monitors privileged account usage and detects anomalous administrative activities
- PIM ↔ Entra ID: Manages just-in-time role activations and privileged access governance
Microsoft 365 GCC High Integration
Within the M365 GCC High environment:
- Teams ↔ SharePoint: Teams stores all files in underlying SharePoint document libraries
- Teams ↔ Exchange: Calendar integration and presence information synchronization
- OneDrive ↔ SharePoint: Shared storage infrastructure and permission inheritance
- Microsoft 365 Admin Portal ↔ All M365 Services: Service configuration and user provisioning
- Purview ↔ All M365 Services: Purview provides data governance (sensitivity labels and DLP policies) across M365 services
Cross-Platform Integration
Between Azure Government and M365 GCC High:
- Entra ID ↔ M365 Services: Single sign-on authentication and conditional access policy enforcement
- Defender XDR ↔ M365 Services: Unified threat signals from email, collaboration, and endpoint security
External Service Integration
The diagram also shows intra-service flows to external SPAs:
- n8n ↔ HaloPSA: Automated ticket creation from security workflows
- n8n ↔ Defender XDR: Webhook-based vulnerability data extraction (metadata only)
- HaloPSA ↔ Entra ID: User synchronization between Entra ID and HaloPSA
Security and Compliance
All intra-service communications within the system boundary:
- Use Microsoft's internal service fabric with encryption in transit
- Are isolated from customer data planes using Microsoft Managed Networks
- Generate telemetry and audit logs aggregated in Defender XDR
- Inherit FedRAMP security controls for service-to-service authentication
This backend orchestration enables seamless user experiences—such as
accessing Teams files through SharePoint permissions or automatic threat
response across endpoints—while maintaining security boundaries and
audit capabilities required for CMMC compliance.
System Assets Description
This section describes all system assets within the boundary. Components
are organized by their asset scope classification, which determines the
level of security controls applied and their role in protecting
Controlled Unclassified Information (CUI).
CUI ASSETS
CUI Assets are system components where Controlled Unclassified
Information (CUI) is processed, stored, or transmitted. These assets are
subject to the full scope of NIST SP 800-171 controls and CMMC Level 2
requirements.
Cloud PC
| Field | Value |
| Component Name | Cloud PC |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CUI Asset |
Description
Windows 365 Cloud PC is a cloud-native Desktop-as-a-Service (DaaS) solution that serves as the primary CUI processing environment within the CMMC enclave. Each Cloud PC is a dedicated virtual machine running Windows 11 Enterprise in Microsoft's Azure Government infrastructure (Windows 365 Government), providing users with persistent, personalized desktops that maintain state between sessions while ensuring CUI remains within the FedRAMP-authorized boundary. Cloud PCs are configured as CUI Assets where authorized users directly access, process, and store Controlled Unclassified Information through Microsoft 365 applications. All CUI data remains encrypted at rest on the Cloud PC's managed disk, and users can only interact with CUI through the RDP session, which is protected by TLS 1.2 or later.
Each Cloud PC is:
- STIG-hardened according to DoD Windows 11 security baselines
- Entra ID-joined with conditional access policies enforcing device compliance
- Intune-managed with automated configuration policies and security updates
- Defender-protected with real-time antimalware, firewall, and attack surface reduction rules
- DLP-enforced, preventing unauthorized data exfiltration through clipboard, local drives, or USB redirection
Cloud PCs enforce strict isolation: CUI-authorized users can only connect from compliant devices that meet conditional access requirements, including MFA, known locations, and device health attestation. The Cloud PC architecture prevents data leakage by blocking all file transfers, clipboard operations, and printer redirection to the user's local device, ensuring CUI remains within the controlled environment while allowing only screen, keyboard, and mouse data to traverse the connection.
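The redirection lockdown described above, and in the CUI Processing Environment section of the CUI Data Flow Diagram, can be verified from inside a Cloud PC. The following PowerShell script is an added example for this plan, not Microsoft tooling or code from the original document. It assumes the restrictions are delivered as ADMX-backed Intune settings or Group Policy (both write to the Terminal Services policy key shown) and that it runs in an elevated session on the Cloud PC being audited.

```powershell
# Added example: audit a Windows 365 Cloud PC for the RDP redirection lockdown this
# SSP relies on (clipboard, drive, printer, port and PnP redirection disabled).
# Assumption: policy is applied through Intune ADMX-backed settings or Group Policy,
# both of which write these values under the Terminal Services policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> the redirection channel it disables when set to 1
$RequiredLockdowns = [ordered]@{
    fDisableClip     = 'Clipboard redirection'
    fDisableCdm      = 'Drive (local disk) redirection'
    fDisableCpm      = 'Printer redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Test-CloudPcRedirectionLockdown {
    [CmdletBinding()]
    param([string]$Key = $PolicyKey)

    $props = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    foreach ($valueName in $RequiredLockdowns.Keys) {
        # A missing value means "not configured", which leaves the session host's
        # default of allowing the redirection in place: treat it as a finding.
        $configured = if ($props -and $null -ne $props.$valueName) { [int]$props.$valueName } else { $null }
        [pscustomobject]@{
            Control    = $RequiredLockdowns[$valueName]
            ValueName  = $valueName
            Configured = if ($null -eq $configured) { 'not set' } else { $configured }
            Compliant  = ($configured -eq 1)
        }
    }
}

$results = Test-CloudPcRedirectionLockdown
$results | Format-Table -AutoSize

$findings = @($results | Where-Object { -not $_.Compliant })
if ($findings.Count -gt 0) {
    Write-Warning ('{0} redirection channel(s) are not locked down: {1}' -f $findings.Count, ($findings.ValueName -join ', '))
    exit 1
}
Write-Host 'All RDP redirection channels are disabled by policy.'
```

Run it from an elevated PowerShell session on the Cloud PC, for example as an Intune remediation detection script or during a control walkthrough. Any row reporting Compliant = False identifies a redirection channel the Cloud PC would still serve to the connecting client, which is exactly the condition the isolation claim above depends on.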
OneDrive
| Field | Value |
| Component Name | OneDrive |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CUI Asset |
Description
OneDrive for Business provides individual CUI storage for each authorized user within the Microsoft 365 GCC High environment, functioning as a personal workspace that synchronizes with the user's Windows 365 Cloud PC. As a CUI Asset, OneDrive ensures that user files remain within the government cloud boundary: files are accessed through the OneDrive sync client on the Cloud PC, are encrypted on the Cloud PC's disk, and require Entra ID authentication for access.
SharePoint
| Field | Value |
| Component Name | SharePoint |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CUI Asset |
Description
SharePoint Online (SPO) serves as the primary CUI document
repository within Microsoft 365 GCC High, providing centralized document
management and collaboration capabilities for the organization. As a
designated CUI Asset, SharePoint hosts site collections with
granular permissions enabling need-to-know access controls, version
history tracking, and comprehensive audit logging of all CUI
interactions. The platform enforces Microsoft Purview DLP policies and
sensitivity labels at the document library level, preventing
unauthorized external sharing while maintaining full text search
capabilities across CUI content for authorized users within the FedRAMP
High boundary.
Teams
| Field | Value |
| Component Name | Teams |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CUI Asset |
Description
Microsoft Teams enables secure collaboration and communication for
CUI-authorized users within the GCC High environment, providing
persistent chat, video conferencing, and file sharing capabilities
required for organizational operations. As a CUI Asset, Teams stores
all shared files in underlying SharePoint document libraries, ensuring
consistent security controls and retention policies across all CUI
communications.
Exchange Online
| Field | Value |
| Component Name | Exchange Online |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CUI Asset |
Description
Exchange Online provides secure email, calendar, and contact
management services for CUI-authorized users within the GCC High
environment. As a CUI Asset, Exchange Online ensures that CUI user
communications—including messages and attachments that may contain
Controlled Unclassified Information—are transmitted and stored within
the FedRAMP High authorized boundary. Exchange enforces encryption for
data at rest and in transit, applies Microsoft Purview Data Loss
Prevention (DLP) policies, and integrates with Defender for Office 365
to protect against phishing and malware. All access to Exchange Online
is restricted to compliant Cloud PC sessions, maintaining strict
isolation and consistent security controls across all CUI
communications.
SECURITY PROTECTION ASSETS (SPA)
Security Protection Assets (SPA) are components that provide security
functions, monitoring, or protection capabilities for the CUI
environment but do not directly process, store, or transmit CUI. These
assets support the implementation of security controls.
HaloPSA
| Field | Value |
| Component Name | HaloPSA |
| Provider | Halo |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
HaloPSA is a cloud-based IT Service Management (ITSM) platform that
serves as a Security Protection Asset (SPA) for managing the
administrative and compliance functions of the CMMC environment without
processing or accessing CUI. The platform provides centralized ticketing
for incident and change management, user access requests and service
requests, and is also where security documentation is stored.
Huntress
| Field | Value |
| Component Name | Huntress |
| Provider | Huntress |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Huntress is a managed security platform operating as a Security
Protection Asset (SPA) that provides comprehensive endpoint, identity,
and log management protection through three integrated services: Managed
Endpoint Detection and Response (EDR), Managed Identity Threat Detection
and Response (ITDR), and Managed Security Information and Event
Management (SIEM). All services are backed by a 24/7 human-led,
AI-assisted Security Operations Center (SOC) that provides continuous
threat hunting, investigation, and actionable remediation guidance
without accessing or processing CUI data.
Managed EDR combines machine analysis with expert threat hunters who review suspicious activities, investigate anomalies, and provide remediation guidance. Unlike traditional EDR solutions relying solely on automated detection, Huntress specializes in detecting post-exploitation activities and persistent threats that evade conventional security tools by:
- Persistent foothold detection identifying backdoors, web shells, and unauthorized remote access tools
- Ransomware canaries deploying decoy files that trigger immediate alerts upon encryption attempts
- External recon detection monitoring for exposed RDP, VNC, and other remote access services
- Process behavior analysis identifying living-off-the-land techniques and fileless malware
- Managed remediation with SOC analysts providing step-by-step removal instructions or automated isolation
Managed ITDR integrates with Microsoft 365 and Microsoft Entra ID to protect cloud identities and prevent business email compromise by monitoring:
- Account takeovers through suspicious login locations, VPN anomalies, and credential theft detection
- Session hijacking identifying stolen authentication tokens that bypass MFA/2FA
- Rogue OAuth applications abusing OAuth consent grants for unauthorized access
- Malicious inbox rules and mail forwarding configurations used for data exfiltration
- Identity risk assignment and automated identity isolation when compromise is detected
Managed SIEM collects and analyzes security-relevant log data through Smart Filtering technology that reduces noise while retaining critical security events:
- Windows Security Event Logs from endpoints and Cloud PCs, including authentication, process creation, and PowerShell script execution events
- Identity and authentication logs from Microsoft 365 and other cloud services
- Compliance-ready data retention with search and reporting capabilities
The platform also delivers security awareness training including:
- Role-based training modules covering CUI handling, insider threats, password security, and incident reporting
- Automated enrollment and tracking ensuring all users complete initial and annual refresher training
Huntress deploys via lightweight agents on Windows 365 Cloud PCs,
integrates with Microsoft Defender for defense-in-depth coverage, and
generates alerts that flow into HaloPSA ticketing for centralized
incident management and response tracking.
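Because the managed SIEM described above can only forward events the Cloud PC actually generates, a practitioner will want to confirm that the logon, process-creation and PowerShell script-block sources are switched on. The following PowerShell script is an added example, not part of this plan or of Huntress tooling. It assumes an elevated session on a Cloud PC and that auditing is delivered by Intune or Group Policy; the registry paths and auditpol subcategory names are the standard Windows ones, not values taken from this document.

```powershell
# Added example: confirm that a Cloud PC emits the event classes the managed SIEM
# ingests: logons (4624/4625), process creation with command line (4688) and
# PowerShell script blocks (4104). Run from an elevated session on the Cloud PC.
function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try { [int](Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop) } catch { $null }
}

function Test-AuditSuccess {
    param([string]$Subcategory)
    # auditpol /r emits CSV; the 'Inclusion Setting' column reads e.g. "Success and Failure"
    $row = auditpol.exe /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    [bool]($row.'Inclusion Setting' -match 'Success')
}

function Get-EventSourceReadiness {
    # Standard Windows policy locations (assumption: not specific to this environment)
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $psKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    @(
        [pscustomobject]@{ Source = 'Logon auditing (4624/4625)';             Ok = Test-AuditSuccess 'Logon' }
        [pscustomobject]@{ Source = 'Process creation auditing (4688)';       Ok = Test-AuditSuccess 'Process Creation' }
        [pscustomobject]@{ Source = 'Command line captured in 4688';          Ok = (Get-PolicyDword $auditKey 'ProcessCreationIncludeCmdLine_Enabled') -eq 1 }
        [pscustomobject]@{ Source = 'PowerShell script block logging (4104)'; Ok = (Get-PolicyDword $psKey 'EnableScriptBlockLogging') -eq 1 }
    )
}

$readiness = Get-EventSourceReadiness
$readiness | Format-Table -AutoSize

# Spot-check that the Security log actually holds a recent process creation event.
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) { 'Most recent 4688 event: {0:u}' -f $latest.TimeCreated }
else { Write-Warning 'No 4688 events found in the Security log; process creation auditing is not producing data.' }

if ($readiness | Where-Object { -not $_.Ok }) { exit 1 }
```

A source that reports Ok = False is a gap between what the SIEM claims to collect and what the endpoint produces; the command-line and script-block settings matter most, because without them 4688 and 4104 events carry little of the content the living-off-the-land detections described above depend on.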
Intune
| Field | Value |
| Component Name | Intune |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Microsoft Intune is a cloud-based endpoint management service operating as a Security Protection Asset (SPA) that enforces security configurations, compliance policies, and automated remediation across all Windows 365 Cloud PCs in the CMMC environment. Intune enables centralized device management through the Microsoft Intune admin center, ensuring all Cloud PCs maintain STIG-compliant configurations while automatically deploying security updates and approved applications without requiring user intervention.
Intune provides:
- Configuration profiles enforcing BitLocker encryption, Windows Firewall rules, and attack surface reduction policies required for CUI protection
- Compliance policies continuously evaluating device health against security baselines with automatic remediation or access blocking for non-compliant devices
- Windows Update for Business orchestrating monthly security patches and feature updates within defined maintenance windows
- Application deployment managing allowlisted software while blocking unauthorized application installation
Microsoft Defender XDR
| Field | Value |
| Component Name | Microsoft Defender XDR |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Microsoft Defender XDR (Extended Detection and Response) serves as
the unified threat protection platform and security operations center
for the CMMC environment, operating as a Security Protection Asset
(SPA) that provides comprehensive visibility across endpoints,
identities, email, and cloud applications. Defender XDR correlates
signals from Microsoft Defender for Endpoint, Defender for Identity,
Defender for Office 365, and Defender for Cloud Apps to detect
sophisticated attacks, automatically contain threats, and provide
AI-powered investigation capabilities that dramatically reduce mean time
to respond (MTTR).
The platform delivers:
- Automated investigation and response that contains compromised accounts, isolates infected devices, and remediates malicious emails without manual intervention
- Advanced hunting with KQL (Kusto Query Language) enabling proactive threat hunting across raw security data
- Unified incident queue correlating alerts across all Defender products into prioritized incidents with full kill chain visibility
- Vulnerability management continuously assessing Cloud PCs for missing patches, misconfigurations, and security recommendations with risk-based prioritization
Microsoft Entra ID
| Field | Value |
| Component Name | Microsoft Entra ID |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Microsoft Entra ID is a Security Protection Asset (SPA) and is
Microsoft's cloud-based directory and identity management service
providing centralized authentication and authorization for the CMMC
environment. Entra ID combines core directory services, advanced
identity governance, and application access management while offering a
rich, standards-based platform that enables developers to deliver access
control to their applications based on centralized policy and rules.
Entra ID enforces Conditional Access policies that evaluate user
sign-in requests in real-time, requiring multi-factor authentication,
device compliance checks, and trusted location verification before
granting access to CUI resources. These risk-based policies
automatically block or challenge suspicious login attempts, enforce
session controls for privileged accounts, and restrict access to
SharePoint, OneDrive, and Teams based on device trust levels, ensuring
only authorized users on managed, compliant devices can access CUI
within the GCC High boundary.
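The Conditional Access behaviour described here, and in the CUI Flow Path entry point earlier (MFA plus a compliant device for CUI users, with stronger requirements for the security team), can be expressed with the Microsoft Graph PowerShell SDK against the GCC High tenant. The following script is an added example, not the organization's own configuration or Microsoft sample code. The three group IDs are placeholders, the authentication strength is resolved by its built-in display name rather than hard-coded, and both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: create the Conditional Access policies this plan describes, using the
# Microsoft Graph PowerShell SDK against the US Government cloud (GCC High).
# Assumptions: the caller holds Policy.ReadWrite.ConditionalAccess and Policy.Read.All,
# and the three group IDs below are placeholders for the CUI-user group, the
# security-team group and the emergency-access (break-glass) group.
Connect-MgGraph -Environment USGov -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$CuiUsersGroupId     = '00000000-0000-0000-0000-000000000001'   # assumed placeholder
$SecurityTeamGroupId = '00000000-0000-0000-0000-000000000002'   # assumed placeholder
$BreakGlassGroupId   = '00000000-0000-0000-0000-000000000003'   # assumed placeholder

# Resolve the built-in "Phishing-resistant MFA" strength (FIDO2, certificate, Windows Hello)
$PhishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' } | Select-Object -First 1

function New-CuiAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$IncludeGroups,
        [string[]]$ExcludeGroups = @(),
        [string[]]$BuiltInControls = @(),
        [string]$AuthenticationStrengthId,
        [string]$State = 'enabledForReportingButNotEnforced'   # report-only until reviewed
    )
    $grant = @{ operator = 'AND' }                               # every listed control is required
    if ($BuiltInControls.Count -gt 0) { $grant.builtInControls = $BuiltInControls }
    if ($AuthenticationStrengthId) { $grant.authenticationStrength = @{ id = $AuthenticationStrengthId } }

    $body = @{
        displayName   = $DisplayName
        state         = $State
        conditions    = @{
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeGroups = $IncludeGroups; excludeGroups = $ExcludeGroups }
        }
        grantControls = $grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. CUI users: MFA plus an Intune-compliant device on every sign-in.
$cuiPolicy = New-CuiAccessPolicy -DisplayName 'CA-CUI-Require-MFA-And-CompliantDevice' `
    -IncludeGroups @($CuiUsersGroupId) -ExcludeGroups @($BreakGlassGroupId) `
    -BuiltInControls @('mfa', 'compliantDevice')

# 2. Security team: the "enhanced MFA" for administrators, expressed as phishing-resistant
#    MFA plus a compliant device ('mfa' and an authentication strength cannot be combined).
$adminPolicy = New-CuiAccessPolicy -DisplayName 'CA-SecurityTeam-Require-PhishingResistantMFA' `
    -IncludeGroups @($SecurityTeamGroupId) -ExcludeGroups @($BreakGlassGroupId) `
    -BuiltInControls @('compliantDevice') -AuthenticationStrengthId $PhishingResistant.Id

# Read back what the service stored before switching state from report-only to 'enabled'.
foreach ($id in @($cuiPolicy.Id, $adminPolicy.Id)) {
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id
    '{0}: state={1}; builtIn={2}; strength={3}' -f $p.DisplayName, $p.State,
        ($p.GrantControls.BuiltInControls -join '+'), $p.GrantControls.AuthenticationStrength.Id
}
```

Excluding the break-glass group from both policies is deliberate: a policy that requires a compliant device for every identity, with no exception, locks the tenant out the moment Intune or the device trust chain fails. Review the report-only results in the sign-in logs and then update the state to enabled with Update-MgIdentityConditionalAccessPolicy.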
Microsoft Purview
| Field | Value |
| Component Name | Microsoft Purview |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Microsoft Purview serves as the data governance and compliance
platform within Microsoft 365 GCC High, operating as a Security
Protection Asset (SPA) that provides information protection and data
loss prevention capabilities for CUI handling. Purview enables the
organization to classify, protect, and monitor sensitive data across
SharePoint, OneDrive, Teams, and Exchange within the GCC High
environment.
Microsoft 365 Administration
| Field | Value |
| --- | --- |
| Component Name | Microsoft 365 Administration |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Microsoft 365 Administration is a cloud-based administrative
platform that serves as a Security Protection Asset (SPA) for
managing user identities, permissions, and license assignments across
the Microsoft 365 environment without processing or accessing CUI. The
platform provides centralized administration through the Microsoft 365
Admin Center and Microsoft Entra ID for provisioning user accounts,
assigning software licenses, configuring role-based access controls, and
managing security group memberships. Administrative functions include
user lifecycle management (onboarding/offboarding), license allocation
for Office 365 and Microsoft Teams, and permission delegation for
organizational resources.
n8n
| Field | Value |
| --- | --- |
| Component Name | n8n |
| Provider | n8n |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
n8n is an open-source workflow automation platform operating as a
Security Protection Asset (SPA) that orchestrates security and
compliance processes without accessing or processing CUI data. The
platform provides a visual workflow builder with custom integrations for
Microsoft Graph API, HaloPSA, and external threat intelligence sources,
enabling automated data flows between security protection assets. n8n's
primary functions are:
- Automated data extraction from Microsoft Defender XDR via Graph API webhooks, retrieving only technical metadata (device IDs, CVE numbers, severity ratings)
- Threat intelligence enrichment cross-referencing vulnerabilities against the CISA Known Exploited Vulnerabilities (KEV) catalog for risk prioritization
- Ticket generation in HaloPSA with remediation timelines based on CVSS scores and exploitability metrics
- Status synchronization updating tickets when Defender reports successful patch deployment or remediation completion
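The enrichment, ticketing and status-synchronization steps listed above, as an added example of the triage logic such a workflow performs; it is not the organization's n8n workflow. Defender findings are reduced to the metadata the workflow is described as extracting (device ID, CVE, severity, CVSS), matched against a KEV subset, grouped into one ticket per CVE with a due date, and later reconciled against a fresh set of findings. The findings, the KEV subset, the run date and the days-to-remediate table are all constructed, and the CVE identifiers are placeholders.

```python
"""Vulnerability triage of the kind the n8n workflow above performs:
Defender findings (technical metadata only) are matched against the CISA
KEV catalog, grouped into one HaloPSA-style ticket per CVE with a
remediation deadline, and later reconciled against current findings.

Added example, not the organization's workflow. Findings, the KEV subset,
the run date and the SLA table are constructed; CVE ids are placeholders."""
from datetime import date, timedelta

# Constructed KEV subset; in production this comes from CISA's published catalog.
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0003"}

# Assumed days-to-remediate per tier (not the organization's documented SLAs).
SLA_DAYS = {"kev": 7, "critical": 14, "high": 30, "medium": 60, "low": 90}

# Constructed run date so that due dates are reproducible.
REPORT_DATE = date(2025, 11, 17)

# Constructed Defender findings: only device id, CVE, severity and CVSS score,
# matching the metadata-only extraction described above.
SAMPLE_FINDINGS = [
    {"device_id": "dev-001", "cve": "CVE-0000-0001", "severity": "High", "cvss": 7.8},
    {"device_id": "dev-002", "cve": "CVE-0000-0001", "severity": "High", "cvss": 7.8},
    {"device_id": "dev-002", "cve": "CVE-0000-0002", "severity": "Critical", "cvss": 9.8},
    {"device_id": "dev-003", "cve": "CVE-0000-0004", "severity": "Medium", "cvss": 5.3},
]


def tier_for(cve, cvss, kev):
    """Known exploitation outranks score; otherwise bucket by CVSS v3 ranges."""
    if cve in kev:
        return "kev"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def build_tickets(findings, kev, today):
    """One ticket per CVE listing every affected device; due date follows the tier."""
    by_cve = {}
    for f in findings:
        entry = by_cve.setdefault(f["cve"], {"cvss": f["cvss"], "devices": set()})
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["devices"].add(f["device_id"])
    tickets = []
    for cve in sorted(by_cve):
        tier = tier_for(cve, by_cve[cve]["cvss"], kev)
        devices = sorted(by_cve[cve]["devices"])
        tickets.append({
            "summary": f"[{tier.upper()}] {cve} on {len(devices)} device(s)",
            "cve": cve,
            "tier": tier,
            "devices": devices,
            "due": today + timedelta(days=SLA_DAYS[tier]),
            "status": "open",
        })
    return tickets


def sync_status(tickets, current_findings):
    """Mark a ticket resolved once no device still reports its CVE."""
    still_open = {(f["device_id"], f["cve"]) for f in current_findings}
    for t in tickets:
        t["devices_remaining"] = [d for d in t["devices"] if (d, t["cve"]) in still_open]
        t["status"] = "open" if t["devices_remaining"] else "resolved"
    return tickets


if __name__ == "__main__":
    tickets = build_tickets(SAMPLE_FINDINGS, KEV_CATALOG, REPORT_DATE)
    for t in tickets:
        print(t["summary"], "due", t["due"])
    # Constructed follow-up pull: CVE-0000-0002 remediated everywhere, dev-001 fully patched
    later = [f for f in SAMPLE_FINDINGS
             if f["cve"] != "CVE-0000-0002" and f["device_id"] != "dev-001"]
    for t in sync_status(tickets, later):
        print(t["cve"], t["status"], t["devices_remaining"])
```

Grouping by CVE rather than by (device, CVE) pair keeps the ticket count proportional to the number of distinct fixes rather than the fleet size, and the reconciliation step only closes a ticket when every device on it has stopped reporting the CVE, so a partial rollout leaves the ticket open with the remaining devices listed.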
Privileged Identity Management
| Field | Value |
| --- | --- |
| Component Name | Privileged Identity Management |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | SPA |
Description
Privileged Identity Management (PIM) is a Microsoft Entra ID service
operating as a Security Protection Asset (SPA) that provides
just-in-time privileged access to Azure Government and Microsoft 365 GCC
High administrative roles. PIM eliminates standing administrative
privileges by requiring eligible administrators to request and justify
role activation for time-bounded periods, typically 4-8 hours, with MFA
verification before elevation.
Key Capabilities:
- On-demand role activation requiring business justification for sensitive administrative functions
- Time-limited access automatically removing privileges after the specified duration expires
- Audit history maintaining comprehensive logs of all role activations and configuration changes
PIM directly supports CMMC access control requirements by ensuring
privileged accounts are only active when necessary and maintaining
separation between standard user access and administrative functions.
The service integrates with Microsoft Defender XDR to detect anomalous
privileged account usage and generates compliance reports demonstrating
just-in-time access patterns for audit evidence.
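The just-in-time behaviour described above, as an added example that models it rather than reproducing Microsoft's PIM implementation: eligible (never standing) assignments, activation refused without MFA or a justification or beyond a maximum window, roles that drop out automatically at expiry, and an audit record for every request whether granted or not. The user, role names, eligible assignments and the 8-hour cap are constructed for the example.

```python
"""Just-in-time role activation modelled on the PIM behaviour described
above: eligible (not standing) assignments, activation gated on MFA and a
written justification, a capped activation window, automatic expiry, and
an audit record for every request.

Added example, not Microsoft's PIM implementation. The user, role names,
eligible assignments and the 8-hour cap are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ACTIVATION = timedelta(hours=8)   # assumed cap, matching the 4-8 hour window above


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str


class JitRoleStore:
    def __init__(self, eligible):
        self.eligible = eligible      # {user: {role, ...}}: eligible, never standing
        self.activations = []
        self.audit = []               # every request, granted or refused

    def activate(self, user, role, justification, mfa_verified, duration, now):
        """Return (granted, reason); an Activation exists only when granted."""
        if role not in self.eligible.get(user, set()):
            reason = "not eligible for role"
        elif not mfa_verified:
            reason = "MFA not verified"
        elif not justification.strip():
            reason = "justification required"
        elif duration > MAX_ACTIVATION:
            reason = "duration exceeds maximum"
        else:
            reason = "activated"
            self.activations.append(Activation(user, role, now, now + duration, justification))
        self.audit.append({"time": now, "user": user, "role": role,
                           "result": reason, "justification": justification})
        return reason == "activated", reason

    def active_roles(self, user, now):
        """Roles in force for the user at `now`; expired activations drop out."""
        return sorted(a.role for a in self.activations
                      if a.user == user and a.start <= now < a.end)


def demo():
    """Constructed walk-through; returns (roles during the window, roles after expiry, audit results)."""
    user, role = "admin@example.com", "Security Administrator"
    why = "<CHANGE-TICKET-ID>: patch review"      # placeholder justification
    store = JitRoleStore({user: {role}})
    t0 = datetime(2025, 11, 17, 9, 0)
    store.activate(user, role, "", True, timedelta(hours=4), t0)                    # no justification
    store.activate(user, role, why, False, timedelta(hours=4), t0)                  # MFA not done
    store.activate(user, "Global Administrator", why, True, timedelta(hours=4), t0)  # not eligible
    store.activate(user, role, why, True, timedelta(hours=9), t0)                   # over the cap
    store.activate(user, role, why, True, timedelta(hours=4), t0)                   # granted
    during = store.active_roles(user, t0 + timedelta(hours=3))
    after = store.active_roles(user, t0 + timedelta(hours=4))
    results = [entry["result"] for entry in store.audit]
    return during, after, results


if __name__ == "__main__":
    print(demo())
```

The refusals are recorded in the same audit list as the grant, which is the property an assessor looks for when asking for evidence of just-in-time access patterns: the log shows who asked for what, when, with what justification, and whether the request was honoured.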
CONTRACTOR RISK MANAGED ASSETS (CRMA)
Contractor Risk Managed Assets (CRMA) are components that have the
technical capability to process CUI but are managed through policies,
procedures, and technical controls to prevent CUI access or storage.
These assets require ongoing monitoring to ensure they do not
inadvertently process CUI.
Cloud PC
| Field | Value |
| --- | --- |
| Component Name | Cloud PC |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CRMA |
Description
Windows 365 Cloud PC is a cloud-native Desktop-as-a-Service (DaaS)
solution that serves as an administrative platform within the CMMC
enclave. Each Cloud PC is a dedicated virtual machine running Windows 11
Enterprise in Microsoft's GCC High infrastructure, providing
administrators with persistent, personalized desktops that maintain
state between sessions while operating within the FedRAMP-authorized
boundary. For security/administrative users who do not access CUI, Cloud
PCs are configured as Contractor Risk Managed Assets (CRMA) that
have the technical capability but are not intended to process, store, or
transmit Controlled Unclassified Information. Administrative users
utilize these Cloud PCs for tenant management, security administration,
and infrastructure tasks, with technical controls and policies
preventing access to CUI repositories in OneDrive, SharePoint, and
Teams. Each Cloud PC is:
- STIG-hardened according to DoD Windows 11 security baselines
- Entra ID-joined with conditional access policies enforcing device compliance
- Intune-managed with automated configuration policies and security updates
- Defender-protected with real-time antimalware, firewall, and attack surface reduction rules
- DLP-enforced, preventing unauthorized data movement through clipboard, local drives, or USB redirection
Cloud PCs enforce strict isolation where administrative users can only
connect from compliant devices that meet conditional access
requirements, including MFA authentication, known locations, and device
health attestation. The Cloud PC architecture includes security controls
blocking file transfers, clipboard operations, and printer redirection
to the user's local device, while administrative access is restricted
through role-based permissions and policies that prevent CUI access.
Only screen, keyboard, and mouse data traverse the connection, with
audit logging monitoring all administrative actions for compliance
verification.
Exchange Online
| Field | Value |
| --- | --- |
| Component Name | Exchange Online |
| Provider | Microsoft |
| Type | Cloud Service |
| Asset Scope | CRMA |
Description
Exchange Online (EXO) provides enterprise email, calendar, and
contact management services within the Microsoft 365 GCC High
environment, serving as a Contractor Risk Managed Asset (CRMA) in
the CMMC boundary. Exchange enforces transport-layer encryption using
TLS 1.2+ for all mail flow, implements Microsoft Defender for Office 365
anti-phishing and safe attachments scanning, and applies Purview DLP
policies to detect and prevent unauthorized CUI transmission via email.
Control Implementations
1. ACCESS CONTROL (AC)
Control 3.1.1: Limit System Access to Authorized Users
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.1 |
| Control Title | Limit System Access to Authorized Users |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.1[a] | authorized users are identified. | Microsoft Entra ID | Microsoft | Self | Authorized users are enabled users that are present within Microsoft Entra. |
| 3.1.1[b] | processes acting on behalf of authorized users are identified. | Microsoft Entra ID | Microsoft | Self | Authorized service principals are identified within Microsoft Entra. |
| 3.1.1[c] | devices (and other systems) authorized to connect to the system are identified. | Intune | Microsoft | Self | Intune identifies devices authorized to connect to the system. |
| 3.1.1[d] | system access is limited to authorized users. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra manages user access through role-based access control (RBAC) and conditional access policies that limit system access to authorized users, processes, and devices. |
| 3.1.1[e] | system access is limited to processes acting on behalf of authorized users. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra manages user access through role-based access control (RBAC) and conditional access policies that limit system access to authorized users, processes, and devices. |
| 3.1.1[f] | system access is limited to authorized devices (including other systems). | Microsoft Entra ID | Microsoft | Self | Microsoft Entra manages user access through role-based access control (RBAC) and conditional access policies that limit system access to authorized users, processes, and devices. |
Control 3.1.2: Limit System Access to Types of Transactions and Functions
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.2 |
| Control Title | Limit System Access to Types of Transactions and Functions |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.2[a] | the types of transactions and functions that authorized users are permitted to execute are defined. | Information Security Policy and Procedures | - | Self | The organizational access control policy defines role-based access control with user groups to limit user access to specific transactions and functions. |
| 3.1.2[b] | system access is limited to the defined types of transactions and functions for authorized users. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra implements role-based access control with user groups to limit user access to specific transactions and functions. Privileged Identity Management (PIM) provides just-in-time access to elevated functions with approval workflows and time-limited assignments. |
Control 3.1.3: Control the Flow of CUI
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.3 |
| Control Title | Control the Flow of CUI |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP), Microsoft Entra ID, Microsoft Purview |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.3[a] | information flow control policies are defined. | System Security Plan (SSP) | - | Self | The System Security Plan (SSP) documents approved CUI flow paths and enforcement mechanisms. |
| 3.1.3[b] | methods and enforcement mechanisms for controlling the flow of CUI are defined. | Microsoft Entra ID | Microsoft | Self | Information flow control policies are enforced through Microsoft Entra Conditional Access policies. Conditional Access policies restrict CUI access based on user role and risk level. |
| 3.1.3[b] | methods and enforcement mechanisms for controlling the flow of CUI are defined. | Microsoft Purview | Microsoft | Self | Microsoft Purview Information Protection labels and policies control CUI flow between systems and users. |
| 3.1.3[c] | designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. | System Security Plan (SSP) | - | Self | The Authorized Boundary Diagram (ABD) identifies the designated sources and destinations for CUI. |
| 3.1.3[d] | authorizations for controlling the flow of CUI are defined. | System Security Plan (SSP) | - | Self | The Authorized Boundary Diagram (ABD) identifies the authorized flow for CUI. |
| 3.1.3[e] | approved authorizations for controlling the flow of CUI are enforced. | Microsoft Entra ID | Microsoft | Self | Information flow control policies are enforced through Microsoft Entra Conditional Access policies. Conditional Access policies restrict CUI access based on user role and risk level. |
| 3.1.3[e] | approved authorizations for controlling the flow of CUI are enforced. | Microsoft Purview | Microsoft | Self | Microsoft Purview Information Protection labels and policies control CUI flow between systems and users. |
Control 3.1.4: Separate Duties of Individuals
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.4 |
| Control Title | Separate Duties of Individuals |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.4[a] | the duties of individuals requiring separation are defined. | Information Security Policy and Procedures | - | Self | The Organizational Access Control Policy defines separation of duties requirements for critical security functions. |
| 3.1.4[b] | responsibilities for duties that require separation are assigned to separate individuals. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra implements separation through distinct user roles (for example, CUI User and Security Administrator). |
| 3.1.4[c] | access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra implements separation through distinct user roles (for example, CUI User and Security Administrator). |
Control 3.1.5: Employ the Principle of Least Privilege
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.5 |
| Control Title | Employ the Principle of Least Privilege |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Privileged Identity Management, Information Security Policy and Procedures |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.5[a] | privileged accounts are identified. | Microsoft Entra ID | Microsoft | Self | All active/enabled user accounts within Microsoft Entra are privileged accounts. Users either have access to CUI or have security administrative functions. |
| 3.1.5[b] | access to privileged accounts is authorized in accordance with the principle of least privilege. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra implements least privilege through role assignments that provide the minimum necessary permissions. |
| 3.1.5[b] | access to privileged accounts is authorized in accordance with the principle of least privilege. | Privileged Identity Management | Microsoft | Self | Privileged Identity Management (PIM) enforces just-in-time access, restricting escalation of privileges to a time-based window. |
| 3.1.5[c] | security functions are identified. | Information Security Policy and Procedures | - | Self | The Organizational Access Control Policy defines security functions. |
| 3.1.5[d] | access to security functions is authorized in accordance with the principle of least privilege. | Microsoft Entra ID | Microsoft | Self | Security functions are restricted through Microsoft Entra role assignments combined with Privileged Identity Management (PIM). PIM enforces just-in-time access for security functions, requiring justification for elevated privileges. Time-bound assignments automatically expire, ensuring security functions are only accessible when needed. |
| 3.1.5[d] | access to security functions is authorized in accordance with the principle of least privilege. | Privileged Identity Management | Microsoft | Self | Security functions are restricted through Microsoft Entra role assignments combined with Privileged Identity Management (PIM). PIM enforces just-in-time access for security functions, requiring justification for elevated privileges. Time-bound assignments automatically expire, ensuring security functions are only accessible when needed. |
Control 3.1.6: Use Non-Privileged Accounts
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.6 |
| Control Title | Use Non-Privileged Accounts |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Privileged Identity Management |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.6[a] | nonsecurity functions are identified. | Microsoft Entra ID | Microsoft | Self | Nonsecurity functions are identified and documented within Microsoft Entra through role definitions and group memberships. Standard user activities such as email access, document collaboration, and business application usage are classified as nonsecurity functions. |
| 3.1.6[b] | users are required to use non-privileged accounts or roles when accessing nonsecurity functions. | Privileged Identity Management | Microsoft | Self | Privileged Identity Management enforces separation between privileged and non-privileged access. Users with administrative roles must explicitly elevate privileges through PIM for administrative tasks, defaulting to non-privileged access for standard operations. |
Control 3.1.7: Prevent Non-Privileged Users from Executing Privileged Functions
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.7 |
| Control Title | Prevent Non-Privileged Users from Executing Privileged Functions |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID, Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.7[a] | privileged functions are defined. | Information Security Policy and Procedures | - | Self | Privileged functions are formally defined in the Access Control Policy documentation and include device administration, security administration, and user administration. |
| 3.1.7[b] | non-privileged users are defined. | Information Security Policy and Procedures | - | Self | Non-privileged users are defined as standard users without administrative roles in Microsoft Entra, documented in the Access Control Policy and identified by their membership in non-administrative groups. |
| 3.1.7[b] | non-privileged users are defined. | Microsoft Entra ID | Microsoft | Self | Non-privileged users are defined as standard users without administrative roles in Microsoft Entra, documented in the Access Control Policy and identified by their membership in non-administrative groups. |
| 3.1.7[c] | non-privileged users are prevented from executing privileged functions. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra enforces RBAC to prevent non-privileged users from executing privileged functions. Administrative interfaces are restricted through conditional access policies and role assignments. |
| 3.1.7[d] | the execution of privileged functions is captured in audit logs. | Microsoft Defender XDR | Microsoft | Self | Microsoft Entra generates detailed audit logs for all privileged function executions. Microsoft Defender XDR collects and correlates these logs for comprehensive monitoring. |
| 3.1.7[d] | the execution of privileged functions is captured in audit logs. | Huntress | Huntress | Inherited | Huntress Managed SIEM is fully integrated with Microsoft 365 GCC High, capturing logs and activity, including the execution of privileged functions, within the tenant. |
Control 3.1.8: Limit Unsuccessful Logon Attempts
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.8 |
| Control Title | Limit Unsuccessful Logon Attempts |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.8[a] | the means of limiting unsuccessful logon attempts is defined. | Microsoft Entra ID | Microsoft | Self | Entra defines account lockout thresholds at 3 invalid attempts within 15 minutes. |
| 3.1.8[b] | the defined means of limiting unsuccessful logon attempts is implemented. | Microsoft Entra ID | Microsoft | Self | Entra enforces account lockout thresholds at 3 invalid attempts within 15 minutes. |
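One way to check that the 3.1.8 threshold above is actually enforced, as an added example that is not the organization's tooling: replay Entra sign-in log entries, find every account that accumulated 3 credential failures inside a 15-minute window, and report whether a lockout event followed. The log lines are constructed in the shape of Entra sign-in records (createdDateTime, userPrincipalName, status.errorCode) using Entra's error codes for invalid credentials (50126) and a locked account (50053); the users and timestamps are invented for the example.

```python
"""Checking the 3.1.8 threshold against Entra sign-in log entries: replay the
log, find accounts with 3 credential failures inside a 15-minute window, and
report whether a lockout event followed.

Added example, not the organization's tooling. The log lines are constructed
in the shape of Entra sign-in records, trimmed to the fields used here."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

ERR_INVALID_CREDENTIALS = 50126   # Entra: invalid username or password
ERR_ACCOUNT_LOCKED = 50053        # Entra: account locked (smart lockout)

# Constructed newline-delimited JSON: alice trips the threshold and is locked,
# bob fails three times but never within 15 minutes, carol trips it with no lockout.
SAMPLE_LOG = """\
{"createdDateTime": "2025-11-17T08:00:00+00:00", "userPrincipalName": "alice@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T08:04:00+00:00", "userPrincipalName": "alice@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T08:09:00+00:00", "userPrincipalName": "alice@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T08:09:30+00:00", "userPrincipalName": "alice@example.com", "status": {"errorCode": 50053}}
{"createdDateTime": "2025-11-17T09:00:00+00:00", "userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T09:20:00+00:00", "userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T09:40:00+00:00", "userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T09:41:00+00:00", "userPrincipalName": "bob@example.com", "status": {"errorCode": 0}}
{"createdDateTime": "2025-11-17T10:00:00+00:00", "userPrincipalName": "carol@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T10:05:00+00:00", "userPrincipalName": "carol@example.com", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-11-17T10:10:00+00:00", "userPrincipalName": "carol@example.com", "status": {"errorCode": 50126}}
"""


def parse_signin_log(text):
    """Parse NDJSON sign-in records into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"time": datetime.fromisoformat(rec["createdDateTime"]),
                       "user": rec["userPrincipalName"],
                       "code": rec["status"]["errorCode"]})
    return sorted(events, key=lambda e: e["time"])


def detect_breaches(events, threshold=3, window=timedelta(minutes=15)):
    """Sliding-window count of credential failures per user; one breach per window."""
    recent = defaultdict(deque)
    breaches = []
    for e in events:
        if e["code"] == ERR_ACCOUNT_LOCKED:
            for b in breaches:                       # lockout confirms the earlier breach
                if b["user"] == e["user"] and b["locked_at"] is None:
                    b["locked_at"] = e["time"]
            continue
        if e["code"] != ERR_INVALID_CREDENTIALS:
            continue
        q = recent[e["user"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:             # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            breaches.append({"user": e["user"], "at": e["time"],
                             "attempts": len(q), "locked_at": None})
            q.clear()
    return breaches


def unenforced(breaches):
    """Users who crossed the threshold with no lockout event recorded afterwards."""
    return sorted({b["user"] for b in breaches if b["locked_at"] is None})


if __name__ == "__main__":
    found = detect_breaches(parse_signin_log(SAMPLE_LOG))
    for b in found:
        print(b["user"], "breached at", b["at"].time(), "locked:", b["locked_at"] is not None)
    print("threshold reached without lockout:", unenforced(found))
```

Run against an export of the tenant's sign-in logs, a non-empty result from unenforced() is the finding to chase: the documented threshold was reached but the log holds no corresponding lockout, so either the policy is not applied to that account or the evidence trail is incomplete.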
Control 3.1.9: Provide Privacy and Security Notices
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.9 |
| Control Title | Provide Privacy and Security Notices |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.9[a] | privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. | Intune | Microsoft | Self | Microsoft Intune configuration profiles define standardized privacy and security notices for CUI handling based on NIST SP 800-171 requirements. |
| 3.1.9[b] | privacy and security notices are displayed. | Intune | Microsoft | Self | Intune enforces display of security notices through device configuration profiles with mandatory acknowledgment screens before system access. |
Control 3.1.10: Use Session Lock with Pattern-Hiding Displays
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.10 |
| Control Title | Use Session Lock with Pattern-Hiding Displays |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.10[a] | the period of inactivity after which the system initiates a session lock is defined. | Intune | Microsoft | Self | Microsoft Intune configuration profiles define session lock timeouts of 15 minutes. |
| 3.1.10[b] | access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. | Intune | Microsoft | Self | Intune deploys automatic session timeout policies by disconnecting the user from the Cloud PC session after 15 minutes of inactivity. |
| 3.1.10[c] | previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Intune | Microsoft | Self | Intune configuration profiles deploy a session timeout policy which disconnects the user from the Cloud PC remote session, effectively concealing previously visible information. |
Control 3.1.11: Terminate User Sessions
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.11 |
| Control Title | Terminate User Sessions |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.11[a] | conditions requiring a user session to terminate are defined. | Intune | Microsoft | Self | A user session is terminated after the session has been disconnected for 1 hour. |
| 3.1.11[b] | a user session is automatically terminated after any of the defined conditions occur. | Intune | Microsoft | Self | Intune deploys session termination policies through configuration profiles. |
Control 3.1.12: Monitor and Control Remote Access Sessions
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.12 |
| Control Title | Monitor and Control Remote Access Sessions |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID, Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.12[a] | remote access sessions are permitted. | Information Security Policy and Procedures | - | Self | The Access Control Policy authorizes remote access through Cloud PCs. |
| 3.1.12[b] | the types of permitted remote access are identified. | Information Security Policy and Procedures | - | Self | Permitted remote access methods include Cloud PC for access to the FedRAMP-authorized boundary. Security Protection Assets such as HaloPSA, n8n, and Huntress may be accessed via web browser. |
| 3.1.12[c] | remote access sessions are controlled. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Conditional Access policies enforce controls including device compliance verification, location restrictions, and MFA requirements. |
| 3.1.12[d] | remote access sessions are monitored. | Microsoft Defender XDR | Microsoft | Self | Microsoft Defender XDR monitors remote access sessions with real-time analytics detecting anomalous patterns and triggering alerts. |
| 3.1.12[d] | remote access sessions are monitored. | Huntress | Huntress | Self | Through its integration with Microsoft 365, Huntress SIEM monitors remote access sessions with its 24/7 Managed SOC service. |
Control 3.1.13: Employ Cryptographic Mechanisms
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.13 |
| Control Title | Employ Cryptographic Mechanisms |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Shared |
| Primary Components | Cloud PC, Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.13[a] | cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. | Cloud PC | Microsoft | Inherited | This is inherited through Microsoft. Windows 365 Cloud PC implements end-to-end encryption using RDP over TLS. |
| 3.1.13[b] | cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | Intune | Microsoft | Self | This is inherited through Microsoft. Windows 365 Cloud PC implements end-to-end encryption using RDP over TLS. |
Control 3.1.14: Route Remote Access via Managed Access Control Points
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.14 |
| Control Title | Route Remote Access via Managed Access Control Points |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.14[a] | managed access control points are identified and implemented. | Cloud PC | Microsoft | Inherited | Windows 365 Cloud PC provides managed access control points through Azure Virtual Desktop gateways, infrastructure that is inherited through Microsoft. |
| 3.1.14[b] | remote access is routed through managed network access control points. | Cloud PC | Microsoft | Inherited | Windows 365 Cloud PC provides managed access control points through Azure Virtual Desktop gateways, infrastructure that is inherited through Microsoft. |
Control 3.1.15: Authorize Remote Execution of Privileged Commands and Remote Access to Security-Relevant Information
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.15 |
| Control Title | Authorize Remote Execution of Privileged Commands and Remote Access to Security-Relevant Information |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Privileged Identity Management |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.15[a] | privileged commands authorized for remote execution are identified. | Microsoft Entra ID | Microsoft | Self | Access to privileged commands by privileged users is authorized based on the roles assigned. |
| 3.1.15[b] | security-relevant information authorized to be accessed remotely is identified. | Microsoft Entra ID | Microsoft | Self | All security-relevant information is authorized for remote access by privileged users with the appropriate user role. |
| 3.1.15[c] | the execution of the identified privileged commands via remote access is authorized. | Privileged Identity Management | Microsoft | Self | Privileged Identity Management authorizes remote privileged command execution through just-in-time role activation. |
| 3.1.15[d] | access to the identified security-relevant information via remote access is authorized. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra role assignments control remote access to security information. |
Control 3.1.16: Authorize Wireless Access
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.16 |
| Control Title | Authorize Wireless Access |
| Control Family | Access Control |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.16[a] | wireless access points are identified. | N/A | - | N/A | This control is not applicable. The organization does not utilize wireless access points within the boundary. |
| 3.1.16[b] | wireless access is authorized prior to allowing such connections. | N/A | - | N/A | This control is not applicable. The organization does not authorize or maintain wireless access points for CUI systems access. |
Control 3.1.17: Protect Wireless Access
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.17 |
| Control Title | Protect Wireless Access |
| Control Family | Access Control |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.17[a] | wireless access is protected using authentication. | N/A | - | N/A | This control is not applicable. The organization does not operate wireless access points within the boundary. |
| 3.1.17[b] | wireless access is protected using encryption. | N/A | - | N/A | This control is not applicable. The organization does not maintain wireless infrastructure for CUI access. |
Control 3.1.18: Control Connection of Mobile Devices
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.18 |
| Control Title | Control Connection of Mobile Devices |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.18[a] | mobile devices that process, store, or transmit CUI are identified. | Microsoft Entra ID | Microsoft | Self | Mobile devices and mobile computing platforms are prevented from accessing CUI through Microsoft Entra Conditional Access. |
| 3.1.18[b] | mobile device connections are authorized. | Microsoft Entra ID | Microsoft | Self | Mobile devices and mobile computing platforms are prevented from accessing CUI through Microsoft Entra Conditional Access. |
| 3.1.18[c] | mobile device connections are monitored and logged. | Microsoft Entra ID | Microsoft | Self | Mobile devices and mobile computing platforms are prevented from accessing CUI through Microsoft Entra Conditional Access. |
Control 3.1.19: Encrypt CUI on Mobile Devices
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.1.19 |
| Control Title | Encrypt CUI on Mobile Devices |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.1.19[a] | mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. | Microsoft Entra ID | Microsoft | Self | Mobile devices and mobile computing platforms are prevented from accessing CUI through Microsoft Entra Conditional Access. |
| 3.1.19[b] | encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | Microsoft Entra ID | Microsoft | Self | Mobile devices and mobile computing platforms are prevented from accessing CUI through Microsoft Entra Conditional Access. |
Control 3.1.20: Control CUI Posting or Processing on Publicly Accessible Systems
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.1.20 |
| Control Title | Control CUI Posting or Processing on Publicly Accessible Systems |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP), Information Security Policy and Procedures, Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.1.20[a] | connections to external systems are identified. | System Security Plan (SSP) | - | Self | The System Security Plan documents all authorized external system connections including authorized cloud services. |
| 3.1.20[b] | the use of external systems is identified. | System Security Plan (SSP) | - | Self | The System Security Plan documents the use of authorized external systems. |
| 3.1.20[c] | connections to external systems are verified. | Information Security Policy and Procedures | - | Self | Organizational Access Control Policy states the terms and conditions for connections to external systems. |
| 3.1.20[d] | the use of external systems is verified. | Information Security Policy and Procedures | - | Self | Organizational Access Control Policy states the terms and conditions for use of external systems. |
| 3.1.20[e] | connections to external systems are controlled/limited. | Microsoft Entra ID | Microsoft | Self | Connections to external systems are limited to those that have been approved for use. |
| 3.1.20[f] | the use of external systems is controlled/limited. | Microsoft Entra ID | Microsoft | Self | Connections to external systems are limited to those that have been approved for use. |
Control 3.1.21: Authorize Access to Publicly Accessible Systems
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.1.21 |
| Control Title | Authorize Access to Publicly Accessible Systems |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.1.21[a] | the use of portable storage devices containing CUI on external systems is identified and documented. | Intune | Microsoft | Self | The use of portable storage devices is prohibited. |
| 3.1.21[b] | limits on the use of portable storage devices containing CUI on external systems are defined. | Intune | Microsoft | Self | Intune configuration policies define limitations prohibiting portable storage. |
| 3.1.21[c] | the use of portable storage devices containing CUI on external systems is limited as defined. | Intune | Microsoft | Self | Intune enforces portable storage restrictions through device configuration profiles. |
Control 3.1.22: Control Public Information
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.1.22 |
| Control Title | Control Public Information |
| Control Family | Access Control |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.1.22[a] | individuals authorized to post or process information on publicly accessible systems are identified. | Information Security Policy and Procedures | - | Self | The Access Control Policy identifies the roles authorized to post public content, which are limited to designated personnel. |
| 3.1.22[b] | procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. | Information Security Policy and Procedures | - | Self | Procedures have been developed to ensure that CUI is not posted on publicly accessible systems. |
| 3.1.22[c] | a review process is in place prior to posting of any content to publicly accessible systems. | Information Security Policy and Procedures | - | Self | The Access Control Policy establishes a procedural review requiring approval. |
| 3.1.22[d] | content on publicly accessible systems is reviewed to ensure that it does not include CUI. | Information Security Policy and Procedures | - | Self | A review process for any proposed content is included within the procedures. |
| 3.1.22[e] | mechanisms are in place to remove and address improper posting of CUI. | Information Security Policy and Procedures | - | Self | The Access Control Policy defines rapid response procedures for removing improperly posted FCI/CUI. |
2. AWARENESS AND TRAINING (AT)
Control 3.2.1: Ensure Managers, System Administrators, and Users are Aware
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.2.1 |
| Control Title | Ensure Managers, System Administrators, and Users are Aware |
| Control Family | Awareness and Training |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Huntress, HaloPSA, Information Security Policy and Procedures |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.2.1[a] | security risks associated with organizational activities involving CUI are identified. | Huntress | Huntress | Self | Huntress Security Awareness Training platform identifies and catalogs security risks associated with CUI handling. |
| 3.2.1[b] | policies, standards, and procedures related to the security of the system are identified. | HaloPSA | Halo | Self | IT policies, standards, and procedures are centrally stored in the HaloPSA document library. |
| 3.2.1[c] | managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. | Huntress | Huntress | Self | All users are required to complete the security awareness training within 30 days and annually thereafter. |
| 3.2.1[d] | managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. | Information Security Policy and Procedures | - | Self | All users are made aware of IT security policies, standards, and procedures during onboarding. |
Control 3.2.2: Ensure Personnel are Trained
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.2.2 |
| Control Title | Ensure Personnel are Trained |
| Control Family | Awareness and Training |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.2.2[a] | information security-related duties, roles, and responsibilities are defined. | Information Security Policy and Procedures | - | Self | Information security duties, roles, and responsibilities are formally defined in the Roles and Responsibilities matrix maintained in HaloPSA. Each role includes specific security responsibilities mapped to job functions and training requirements. |
| 3.2.2[b] | information security-related duties, roles, and responsibilities are assigned to designated personnel. | Microsoft Entra ID | Microsoft | Self | Security roles and responsibilities are assigned through Microsoft Entra group memberships to enforce access controls aligned with assigned duties. |
| 3.2.2[c] | personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. | Huntress | Huntress | Self | Huntress provides role-based security training assigned to the appropriate personnel. |
Control 3.2.3: Provide Security Awareness Training on Recognizing Insider Threats
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.2.3 |
| Control Title | Provide Security Awareness Training on Recognizing Insider Threats |
| Control Family | Awareness and Training |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.2.3[a] | potential indicators associated with insider threats are identified. | Huntress | Huntress | Self | Huntress training modules identify indicators of insider threats. |
| 3.2.3[b] | security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | Huntress | Huntress | Self | Huntress delivers mandatory insider threat awareness training to all personnel within 30 days of onboarding and annually thereafter. |
3. AUDIT AND ACCOUNTABILITY (AU)
Control 3.3.1: Create and Retain Audit Records
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.1 |
| Control Title | Create and Retain Audit Records |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.1[a] | audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. | Microsoft Defender XDR | Microsoft | Hybrid | Microsoft Defender XDR collects comprehensive audit logs including Account Logon, Account Management, Directory Service Access, Logon Events, Object Access, Policy Change, Privilege Use, Process Tracking, and System Events. Defender XDR is configured to capture security-relevant activities across Cloud PCs, Azure Government, and Microsoft 365 GCC High. |
| 3.3.1[a] | audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. | Huntress | Huntress | Hybrid | Huntress SIEM is integrated with Microsoft 365 to collect audit logs required to monitor, analyze, investigate, and report unlawful or unauthorized system activity through its 24/7 managed SOC. |
| 3.3.1[b] | the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. | Microsoft Defender XDR | Microsoft | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Microsoft Defender XDR schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.1[b] | the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. | Huntress | Huntress | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Huntress SIEM schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.1[c] | audit records are created (generated). | Microsoft Defender XDR | Microsoft | Inherited | Defender for Endpoint generates audit records for Cloud PC activity; cloud service logs are generated in Azure Government and Microsoft 365 GCC High and are ingested into Microsoft Defender XDR. |
| 3.3.1[c] | audit records are created (generated). | Huntress | Huntress | Hybrid | Through its integration with Microsoft 365, Huntress SIEM creates audit records sourced from endpoint and cloud-based activity. |
| 3.3.1[d] | audit records, once created, contain the defined content. | Microsoft Defender XDR | Microsoft | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Microsoft Defender XDR schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.1[d] | audit records, once created, contain the defined content. | Huntress | Huntress | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Huntress SIEM schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.1[e] | retention requirements for audit records are defined. | Microsoft Defender XDR | Microsoft | Inherited | Audit record retention is configured for 30 days in Microsoft Defender XDR. |
| 3.3.1[e] | retention requirements for audit records are defined. | Huntress | Huntress | Inherited | Audit record data is held in active storage for 1 month and in long-term cold storage for 12 months, with the first month spent in both active and cold storage simultaneously; the total duration of storage does not exceed 12 months. During the first month, all non-filtered data is searchable via the SIEM console. For the remaining 11 months, cold-stored data may be "rehydrated" to active storage for search and compliance use cases. |
| 3.3.1[f] | audit records are retained as defined. | Microsoft Defender XDR | Microsoft | Inherited | Microsoft Defender XDR enforces retention of audit records for 30 days. |
| 3.3.1[f] | audit records are retained as defined. | Huntress | Huntress | Inherited | Audit record data is held in active storage for 1 month and in long-term cold storage for 12 months, with the first month spent in both active and cold storage simultaneously; the total duration of storage does not exceed 12 months. During the first month, all non-filtered data is searchable via the SIEM console. For the remaining 11 months, cold-stored data may be "rehydrated" to active storage for search and compliance use cases. |
Control 3.3.2: Ensure Actions Can Be Traced to Users
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.2 |
| Control Title | Ensure Actions Can Be Traced to Users |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.2[a] | the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. | Microsoft Defender XDR | Microsoft | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Microsoft Defender XDR schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.2[a] | the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. | Huntress | Huntress | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Huntress SIEM schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.2[b] | audit records, once created, contain the defined content. | Microsoft Defender XDR | Microsoft | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Microsoft Defender XDR schemas ensure consistent data collection with mandatory fields populated for all security events. |
| 3.3.2[b] | audit records, once created, contain the defined content. | Huntress | Huntress | Inherited | Audit record content is standardized to include Date/Time stamps, User ID, Event ID, IP address, Action performed, Resource accessed, and Success/Failure status. Huntress SIEM schemas ensure consistent data collection with mandatory fields populated for all security events. |
Control 3.3.3: Review and Update Audit Events
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.3 |
| Control Title | Review and Update Audit Events |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA, Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.3[a] | a process for determining when to review logged events is defined. | HaloPSA | Halo | Self | Logged events are reviewed annually and when significant changes to the system occur. |
| 3.3.3[b] | event types being logged are reviewed in accordance with the defined review process. | HaloPSA | Halo | Self | HaloPSA scheduled tickets ensure systematic review of logged events according to defined schedules, with task assignments to security administrators. |
| 3.3.3[c] | event types being logged are updated based on the review. | Microsoft Defender XDR | Microsoft | Self | Updates to the event types logged are made as necessary based upon the review. |
| 3.3.3[c] | event types being logged are updated based on the review. | Huntress | Huntress | Self | Updates to the event types logged are made as necessary based upon the review. |
Control 3.3.4: Alert in the Event of an Audit Logging Process Failure
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.4 |
| Control Title | Alert in the Event of an Audit Logging Process Failure |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.4[a] | personnel or roles to be alerted in the event of an audit logging process failure are identified. | Microsoft Defender XDR | Microsoft | Hybrid | The Security Administrator role is designated as the primary contact for audit logging failures. |
| 3.3.4[a] | personnel or roles to be alerted in the event of an audit logging process failure are identified. | Huntress | Huntress | Self | The Security Administrator role is designated as the primary contact for audit logging failures. |
| 3.3.4[b] | types of audit logging process failures for which alert will be generated are defined. | Microsoft Defender XDR | Microsoft | Hybrid | Alert-triggering failures include service failures on the Microsoft 365 and Defender XDR platforms. |
| 3.3.4[b] | types of audit logging process failures for which alert will be generated are defined. | Huntress | Huntress | Hybrid | Alert-triggering failures include data source log ingestion interruption. |
| 3.3.4[c] | identified personnel or roles are alerted in the event of an audit logging process failure. | Microsoft Defender XDR | Microsoft | Hybrid | Microsoft Defender XDR automatically generates alerts through email. |
| 3.3.4[c] | identified personnel or roles are alerted in the event of an audit logging process failure. | Huntress | Huntress | Hybrid | Huntress automatically generates alerts through email. |
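Control 3.3.4 defines the failure type to alert on (a data source whose log ingestion is interrupted) and the role to notify (Security Administrator). The Python below is an added example, not Huntress or Defender XDR code, showing how such a check is typically built: it takes the latest event seen per source, compares the silence against a per-source threshold, and emits an alert addressed to that role. Source names, thresholds and the sample events are constructed; a source that has never delivered any event is deliberately treated as interrupted, since that is the failure a naive "last event" lookup would miss.

```python
"""Detect audit-log ingestion interruptions per data source (added example).

Models the 3.3.4[b]/[c] statements. Sources, thresholds and events below are
constructed for illustration and are not real SIEM telemetry.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

ALERT_ROLE = "Security Administrator"   # role named in 3.3.4[a]
FAILURE_TYPE = "data source log ingestion interruption"

# Maximum tolerated silence per expected feed (assumed values; tune per feed's normal cadence).
EXPECTED_SOURCES = {
    "m365-unified-audit": timedelta(minutes=30),
    "entra-signin": timedelta(minutes=15),
    "cloudpc-endpoint": timedelta(hours=2),
}

# CONSTRUCTED sample events: (source, ISO-8601 event time). "cloudpc-endpoint" never appears.
SAMPLE_EVENTS = [
    ("m365-unified-audit", "2025-11-17T11:55:00+00:00"),
    ("entra-signin", "2025-11-17T10:40:00+00:00"),
    ("entra-signin", "2025-11-17T10:41:30+00:00"),
    ("m365-unified-audit", "2025-11-17T11:58:20+00:00"),
]
NOW = datetime(2025, 11, 17, 12, 0, tzinfo=timezone.utc)   # constructed reference clock


def last_seen_by_source(events: list[tuple[str, str]]) -> dict[str, datetime]:
    """Latest event time per source, regardless of arrival order."""
    latest: dict[str, datetime] = {}
    for source, ts in events:
        t = datetime.fromisoformat(ts)
        if source not in latest or t > latest[source]:
            latest[source] = t
    return latest


def detect_interruptions(events, now, expected=EXPECTED_SOURCES) -> list[dict]:
    """One alert per expected source whose silence exceeds its threshold.

    A source with no events at all is reported with last_event=None: an empty
    feed is an interruption too, not an absence of anything to check.
    """
    latest = last_seen_by_source(events)
    alerts = []
    for source, max_gap in expected.items():
        seen = latest.get(source)
        gap = None if seen is None else now - seen
        if seen is None or gap > max_gap:
            alerts.append({
                "source": source,
                "failure_type": FAILURE_TYPE,
                "last_event": None if seen is None else seen.isoformat(),
                "silence_seconds": None if gap is None else int(gap.total_seconds()),
                "threshold_seconds": int(max_gap.total_seconds()),
                "notify_role": ALERT_ROLE,
            })
    return alerts


def format_alert_email(alert: dict) -> str:
    """Plain-text body for the e-mail notification the control describes."""
    last = alert["last_event"] or "never (no events received)"
    return (
        f"To: {alert['notify_role']}\n"
        f"Subject: Audit logging failure - {alert['source']}\n\n"
        f"Failure type: {alert['failure_type']}\n"
        f"Last event:   {last}\n"
        f"Threshold:    {alert['threshold_seconds']} s\n"
    )


if __name__ == "__main__":
    for a in detect_interruptions(SAMPLE_EVENTS, NOW):
        print(format_alert_email(a))
```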
Control 3.3.5: Correlate Audit Record Review, Analysis, and Reporting
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.5 |
| Control Title | Correlate Audit Record Review, Analysis, and Reporting |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Incident Response Plan, Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.5[a] | audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. | Incident Response Plan | - | Self | The Incident Response Plan defines structured processes for audit record analysis using Microsoft Defender XDR investigation capabilities. |
| 3.3.5[b] | defined audit record review, analysis, and reporting processes are correlated. | Microsoft Defender XDR | Microsoft | Inherited | Microsoft Defender XDR automatically correlates audit records across multiple data sources using built-in fusion detection rules to identify attack patterns spanning cloud and endpoint environments. |
| 3.3.5[b] | defined audit record review, analysis, and reporting processes are correlated. | Huntress | Huntress | Inherited | Huntress SIEM automatically correlates audit records across multiple data sources using built-in fusion detection rules to identify attack patterns spanning cloud and endpoint environments. |
Control 3.3.6: Provide Audit Reduction and Report Generation
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.6 |
| Control Title | Provide Audit Reduction and Report Generation |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.6[a] | an audit record reduction capability that supports on-demand analysis is provided. | Microsoft Defender XDR | Microsoft | Inherited | Microsoft Defender XDR provides powerful data reduction through KQL (Kusto Query Language), enabling complex filtering, aggregation, and summarization of audit datasets. Advanced hunting capabilities can reduce thousands of events to actionable insights. |
| 3.3.6[a] | an audit record reduction capability that supports on-demand analysis is provided. | Huntress | Huntress | Inherited | Huntress SIEM provides powerful data reduction through ES\|QL (Elastic Structured Query Language), enabling complex filtering, aggregation, and summarization of audit datasets. Advanced hunting capabilities can reduce thousands of events to actionable insights. |
| 3.3.6[b] | a report generation capability that supports on-demand reporting is provided. | Microsoft Defender XDR | Microsoft | Hybrid | The Microsoft Defender XDR reporting engine generates on-demand reports, and custom queries can be created as well. |
| 3.3.6[b] | a report generation capability that supports on-demand reporting is provided. | Huntress | Huntress | Inherited | The Microsoft Defender XDR reporting engine generates on-demand and scheduled reports. |
Control 3.3.7: Provide a System Capability that Compares Audit Records
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.7 |
| Control Title | Provide a System Capability that Compares Audit Records |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.7[a] | internal system clocks are used to generate time stamps for audit records. | Intune | Microsoft | Self | All endpoints use Windows Time Service (time.windows.com) to generate consistent timestamps for audit records with microsecond precision. Intune configuration profiles enforce time synchronization settings preventing manual time adjustments. |
| 3.3.7[b] | an authoritative source with which to compare and synchronize internal system clocks is specified. | Intune | Microsoft | Self | time.windows.com is configured as the authoritative NTP source for all endpoints through Intune device configuration profiles. |
| 3.3.7[c] | internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. | Intune | Microsoft | Self | All internal systems generating audit records are configured with Windows NTP Client enabled to synchronize with the authoritative time source time.windows.com every 17 minutes through Active Directory's NT5DS time hierarchy, ensuring accurate timestamps on all audit records. |
Control 3.3.8: Protect Audit Information and Audit Logging Tools
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.8 |
| Control Title | Protect Audit Information and Audit Logging Tools |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Entra ID, Microsoft Defender XDR, Huntress |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.8[a] | audit information is protected from unauthorized access. | Microsoft Entra ID | Microsoft | Self | Only users with a relevant authorized role assigned through Microsoft Entra can access audit information. |
| 3.3.8[b] | audit information is protected from unauthorized modification. | Microsoft Defender XDR | Microsoft | Inherited | Audit data in Microsoft Defender XDR is immutable, preventing modification after ingestion. |
| 3.3.8[b] | audit information is protected from unauthorized modification. | Huntress | Huntress | Inherited | Audit data in Huntress SIEM is immutable, preventing modification after ingestion. |
| 3.3.8[c] | audit information is protected from unauthorized deletion. | Microsoft Defender XDR | Microsoft | Inherited | Microsoft Defender XDR retention policies prevent premature deletion. |
| 3.3.8[c] | audit information is protected from unauthorized deletion. | Huntress | Huntress | Inherited | Huntress SIEM retention policies prevent premature deletion. |
| 3.3.8[d] | audit logging tools are protected from unauthorized access. | Microsoft Entra ID | Microsoft | Self | Access to the Microsoft Defender XDR portal requires privileged role assignment through Microsoft Entra, with just-in-time access via PIM for administrative functions. |
| 3.3.8[d] | audit logging tools are protected from unauthorized access. | Huntress | Huntress | Self | Access to Huntress SIEM requires privileged role assignment approved through user access requests. |
| 3.3.8[e] | audit logging tools are protected from unauthorized modification. | Microsoft Entra ID | Microsoft | Hybrid | Access to the Microsoft Defender XDR portal requires privileged role assignment through Microsoft Entra, with just-in-time access via PIM for administrative functions. Only security administrators have authorization to modify configurations within Microsoft Defender XDR. |
| 3.3.8[e] | audit logging tools are protected from unauthorized modification. | Huntress | Huntress | Hybrid | Access to Huntress SIEM requires privileged role assignment approved through user access requests. Only security administrators have authorization to modify configurations within Huntress. |
| 3.3.8[f] | audit logging tools are protected from unauthorized deletion. | Microsoft Defender XDR | Microsoft | Inherited | Microsoft Defender XDR cannot be deleted as it is a SaaS product that is owned and operated by Microsoft. |
| 3.3.8[f] | audit logging tools are protected from unauthorized deletion. | Huntress | Huntress | Inherited | Huntress SIEM cannot be deleted as it is a SaaS product that is owned and operated by Huntress. |
Control 3.3.9: Limit Management of Audit Logging to Privileged Users
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.3.9 |
| Control Title | Limit Management of Audit Logging to Privileged Users |
| Control Family | Audit and Accountability |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.3.9[a] | a subset of privileged users granted access to manage audit logging functionality is defined. | Microsoft Entra ID | Microsoft | Self | The Security Administrator role is exclusively authorized to manage audit logging functionality. The role definition in Microsoft Entra explicitly grants audit configuration permissions. |
| 3.3.9[b] | management of audit logging functionality is limited to the defined subset of privileged users. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Privileged Identity Management enforces just-in-time access for audit management functions, requiring business justification. The Microsoft Entra RBAC model restricts configuration changes to the Security Administrator role. |
4. CONFIGURATION MANAGEMENT (CM)
Control 3.4.1: Establish and Maintain Baseline Configurations
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.4.1 |
| Control Title | Establish and Maintain Baseline Configurations |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.1[a] | a baseline configuration is established. | Intune | Microsoft | Self | Baseline configurations are established through Microsoft Intune configuration profiles including STIG-hardened Windows 365 Cloud PCs. |
| 3.4.1[b] | the baseline configuration includes hardware, software, firmware, and documentation. | Intune | Microsoft | Self | Intune device inventory captures comprehensive baseline elements including hardware specifications, software inventory with version numbers, firmware versions, and drivers. Cloud PC configurations include virtual hardware specifications, Windows 11 Enterprise build numbers, installed applications, and STIG compliance settings. |
| 3.4.1[c] | the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. | Intune | Microsoft | Self | Baseline configurations undergo annual review cycles managed through HaloPSA ticketing. Intune compliance policies continuously monitor configuration drift with automated remediation for non-compliant settings. |
| 3.4.1[d] | a system inventory is established. | Intune | Microsoft | Self | Intune maintains real-time system inventory for all assets including Cloud PCs with automated discovery and enrollment. |
| 3.4.1[e] | the system inventory includes hardware, software, firmware, and documentation. | Intune | Microsoft | Self | Intune inventory collection profiles capture hardware details, complete software inventory with publisher/version/install date, firmware versions, and driver information. Cloud PC inventory includes virtual hardware allocations, Windows 365 license types, and user assignments. |
| 3.4.1[f] | the inventory is maintained (reviewed and updated) throughout the system development life cycle. | Intune | Microsoft | Self | Intune performs daily inventory synchronization with changes automatically reflected in the inventory report. |
Control 3.4.2: Establish and Enforce Security Configuration Settings
Control Summary
| Field | Value |
|---|---|
| Control ID | 3.4.2 |
| Control Title | Establish and Enforce Security Configuration Settings |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.2[a] | security configuration settings for information technology products employed in the system are established and included in the baseline configuration. | Intune | Microsoft | Self | Security configuration settings are defined through Intune configuration profiles implementing DISA STIG benchmarks for the Windows 11 Cloud PCs, among other configuration controls aligning with CMMC requirements. |
| 3.4.2[b] | security configuration settings for information technology products employed in the system are enforced. | Intune | Microsoft | Self | Security configuration settings are enforced through Intune configuration profiles implementing DISA STIG benchmarks for the Windows 11 Cloud PCs, among other configuration controls aligning with CMMC requirements. |
Control 3.4.3: Track, Review, Approve or Disapprove Changes
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.3 |
| Control Title | Track, Review, Approve or Disapprove Changes |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.3[a] | changes to the system are tracked. | HaloPSA | Halo | Self | All system changes are tracked through HaloPSA change request tickets with unique identifiers, requester information, and change description. |
| 3.4.3[b] | changes to the system are reviewed. | HaloPSA | Halo | Self | The Change Advisory Board conducts monthly reviews of proposed changes through HaloPSA workflows with risk assessment, impact analysis, and technical review requirements. Emergency changes undergo expedited review within 24 hours. |
| 3.4.3[c] | changes to the system are approved or disapproved. | HaloPSA | Halo | Self | Change Advisory Board approval is required for all normal changes, with voting members from security, operations, and business units documented in HaloPSA. Approval workflows enforce separation of duties: requesters cannot approve their own changes. |
| 3.4.3[d] | changes to the system are logged. | HaloPSA | Halo | Self | HaloPSA maintains comprehensive change logs including request date, implementation date, implementer, systems affected, rollback procedures, and validation results. |

Control 3.4.4: Analyze Impact of Changes
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.4 |
| Control Title | Analyze Impact of Changes |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.4[a] | the security impact of changes to the system is analyzed prior to implementation. | HaloPSA | Halo | Self | Security impact analysis is mandatory for all changes, with HaloPSA templates guiding assessment of confidentiality, integrity, and availability impacts. |

Control 3.4.5: Define, Document, Approve, and Enforce Access Restrictions
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.5 |
| Control Title | Define, Document, Approve, and Enforce Access Restrictions |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | All CUI Components, Microsoft Entra ID, HaloPSA, Privileged Identity Management |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.5[a] | physical access restrictions associated with changes to the system are defined. | All CUI Components | Microsoft | Inherited | This control is inherited. Physical access restrictions are inherently enforced through cloud service provider controls for all CUI components. |
| 3.4.5[b] | physical access restrictions associated with changes to the system are documented. | All CUI Components | Microsoft | Inherited | This control is inherited. Physical access restrictions are inherently enforced through cloud service provider controls for all CUI components. |
| 3.4.5[c] | physical access restrictions associated with changes to the system are approved. | All CUI Components | Microsoft | Inherited | This control is inherited. Physical access restrictions are inherently enforced through cloud service provider controls for all CUI components. |
| 3.4.5[d] | physical access restrictions associated with changes to the system are enforced. | All CUI Components | Microsoft | Inherited | This control is inherited. Physical access restrictions are inherently enforced through cloud service provider controls for all CUI components. |
| 3.4.5[e] | logical access restrictions associated with changes to the system are defined. | Microsoft Entra ID | Microsoft | Self | Logical access restrictions are defined through Microsoft Entra role-based access control. |
| 3.4.5[f] | logical access restrictions associated with changes to the system are documented. | Microsoft Entra ID | Microsoft | Self | Role definitions for logical access are documented in the organizational access control policy. |
| 3.4.5[g] | logical access restrictions associated with changes to the system are approved. | HaloPSA | Halo | Self | Logical access requests require approval through HaloPSA ticket workflows. |
| 3.4.5[h] | logical access restrictions associated with changes to the system are enforced. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Conditional Access policies enforce logical access restrictions. |
| 3.4.5[h] | logical access restrictions associated with changes to the system are enforced. | Privileged Identity Management | Microsoft | Self | Privileged Identity Management automatically revokes elevated access after approved time windows. |

Control 3.4.6: Employ Principle of Least Functionality
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.6 |
| Control Title | Employ Principle of Least Functionality |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.6[a] | essential system capabilities are defined based on the principle of least functionality. | All CUI Components | Microsoft | Inherited | All components are configured for their specific function only: Cloud PCs provide remote access, Microsoft 365 GCC High provides collaboration, Microsoft Entra provides identity management, and Microsoft Defender XDR provides the security stack. |
| 3.4.6[b] | the system is configured to provide only the defined essential capabilities. | All CUI Components | Microsoft | Inherited | All components are configured for their specific function only: Cloud PCs provide remote access, Microsoft 365 GCC High provides collaboration, Microsoft Entra provides identity management, and Microsoft Defender XDR provides the security stack. |

Control 3.4.7: Restrict, Disable, or Prevent Software
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.7 |
| Control Title | Restrict, Disable, or Prevent Software |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.7[a] | essential programs are defined. | Intune | Microsoft | Self | Essential programs are defined within Intune. Applications are limited to those installed through Intune and those pre-installed on the Cloud PC image. |
| 3.4.7[b] | the use of nonessential programs is defined. | Intune | Microsoft | Self | Nonessential programs are defined as any software not explicitly approved through change management and listed in the authorized software inventory. The Acceptable Use Policy prohibits installation of personal software and games. |
| 3.4.7[c] | the use of nonessential programs is restricted, disabled, or prevented as defined. | Intune | Microsoft | Self | Intune Application Control policies prevent execution of unauthorized programs. Cloud PCs use application whitelisting, allowing only approved executables to run. |
| 3.4.7[d] | essential functions are defined. | Intune | Microsoft | Self | Intune defines essential functions through configuration profiles. |
| 3.4.7[e] | the use of nonessential functions is defined. | Intune | Microsoft | Self | Any function not defined as essential is considered nonessential and is not permitted. |
| 3.4.7[f] | the use of nonessential functions is restricted, disabled, or prevented as defined. | Intune | Microsoft | Self | Intune configuration profiles enforce the configuration baselines on the devices. |
| 3.4.7[g] | essential ports are defined. | Intune | Microsoft | Self | Intune defines essential ports through firewall configuration policy. |
| 3.4.7[h] | the use of nonessential ports is defined. | Intune | Microsoft | Self | Nonessential ports are all ports not defined as essential. |
| 3.4.7[i] | the use of nonessential ports is restricted, disabled, or prevented as defined. | Intune | Microsoft | Self | Intune enforces the defined essential ports through firewall configuration policy. |
| 3.4.7[j] | essential protocols are defined. | Intune | Microsoft | Self | Intune defines essential protocols through firewall configuration policy. |
| 3.4.7[k] | the use of nonessential protocols is defined. | Intune | Microsoft | Self | Nonessential protocols are all protocols not defined as essential. |
| 3.4.7[l] | the use of nonessential protocols is restricted, disabled, or prevented as defined. | Intune | Microsoft | Self | Intune enforces the defined essential protocols through firewall configuration policy. |
| 3.4.7[m] | essential services are defined. | Intune | Microsoft | Self | Intune defines essential services through configuration policies. |
| 3.4.7[n] | the use of nonessential services is defined. | Intune | Microsoft | Self | Nonessential services are all services not defined as essential. |
| 3.4.7[o] | the use of nonessential services is restricted, disabled, or prevented as defined. | Intune | Microsoft | Self | Intune enforces the defined essential services through configuration policies. |

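Objectives 3.4.7[g] through [l] rest on the Intune firewall policy defining the essential ports and protocols. The PowerShell below is an added illustration, not part of this SSP or of the organization's Intune configuration: run elevated on a Cloud PC, it reads the firewall policy that is actually in effect after Intune delivers it and lists enabled inbound allow rules whose ports fall outside an essential-port list. The `$essential` entries are a hypothetical placeholder to be replaced with the organization's own list.

```powershell
# Added example (not part of the SSP). Run elevated on a Cloud PC to see the
# firewall state in effect after Intune policy is applied, and to flag inbound
# allow rules that open ports outside the essential list.
# $essential is a hypothetical placeholder; substitute the organization's list.

$essential = @(
    @{ Protocol = 'TCP'; Port = '3389' }   # example entry only
)

# 1. Profiles: each should be enabled with inbound traffic blocked by default.
#    ActiveStore is the merged result of local, GPO and MDM (Intune) policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules, resolved to their port filters.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow

$open = foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    foreach ($port in @($pf.LocalPort)) {      # LocalPort may be a list, a range, 'Any' or 'RPC'
        [pscustomobject]@{
            Rule      = $r.DisplayName
            Profile   = $r.Profile
            Protocol  = $pf.Protocol
            LocalPort = $port
        }
    }
}

# 3. Anything not in the essential list is a finding to raise in HaloPSA.
$nonEssential = $open | Where-Object {
    $p = $_
    -not ($essential | Where-Object { $_.Protocol -eq $p.Protocol -and $_.Port -eq $p.LocalPort })
}
$nonEssential | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Rules whose port filter reports `Any`, `RPC` or a range show up as findings by design; those are exactly the rules an assessor will ask about, because they are the ones a single "essential port" entry cannot vouch for. Checking `ActiveStore` rather than the `PersistentStore` matters: it is the only view that includes rules delivered through the MDM channel.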
Control 3.4.8: Apply Deny-by-Exception Policy to Software
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.8 |
| Control Title | Apply Deny-by-Exception Policy to Software |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.8[a] | a policy specifying whether whitelisting or blacklisting is to be implemented is specified. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |
| 3.4.8[b] | the software allowed to execute under whitelisting or denied use under blacklisting is specified. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |
| 3.4.8[c] | whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |

Control 3.4.9: Control and Monitor User-Installed Software
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.4.9 |
| Control Title | Control and Monitor User-Installed Software |
| Control Family | Configuration Management |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.4.9[a] | a policy for controlling the installation of software by users is established. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |
| 3.4.9[b] | installation of software by users is controlled based on the established policy. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |
| 3.4.9[c] | installation of software by users is monitored. | Intune | Microsoft | Self | Intune app control policy enforces application whitelisting for authorized software. |

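Objective 3.4.9[c] asks for monitoring, which is a different activity from the allowlisting that enforces [a] and [b]: the inventory described under 3.4.1[e] already records every application Intune detects, so monitoring is a reconciliation of that inventory against the authorized software list. The PowerShell below is an added example, not part of this SSP or of the organization's Intune or HaloPSA configuration. It assumes the Microsoft.Graph PowerShell SDK, a GCC High tenant (`-Environment USGov`), and a CSV export of the authorized software inventory with `DisplayName` and `Publisher` columns at a hypothetical path.

```powershell
# Added example (not part of the SSP or the organization's Intune configuration).
# Reconciles the software Intune has detected on enrolled devices against the
# authorized software list, so installs that bypassed change management surface
# as findings. Assumptions: Microsoft.Graph PowerShell SDK, a GCC High tenant
# (-Environment USGov), and a CSV export of the authorized inventory with
# DisplayName and Publisher columns (hypothetical path below).

Connect-MgGraph -Environment USGov -Scopes 'DeviceManagementManagedDevices.Read.All'

$authorized = Import-Csv 'C:\CM\authorized-software.csv'     # hypothetical export from HaloPSA
$allowKeys  = $authorized | ForEach-Object { "$($_.Publisher)|$($_.DisplayName)" }

# Every application Intune's inventory has seen on any enrolled device.
$detected = Get-MgDeviceManagementDetectedApp -All

$findings = foreach ($app in $detected) {
    $key = "$($app.Publisher)|$($app.DisplayName)"
    if ($allowKeys -notcontains $key) {          # -notcontains compares case-insensitively
        # Resolve which devices carry it, so the ticket names the Cloud PC(s).
        $devices = Get-MgDeviceManagementDetectedAppManagedDevice -DetectedAppId $app.Id -All
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            Publisher   = $app.Publisher
            Version     = $app.Version
            DeviceCount = $app.DeviceCount
            Devices     = ($devices.DeviceName -join ';')
        }
    }
}

$findings | Sort-Object DeviceCount -Descending | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "unapproved-software-$(Get-Date -Format yyyyMMdd).csv"
```

Detected-app data reflects the last inventory collection from each device, so this is a trailing check that complements, rather than replaces, the execution-time enforcement of the app control policy. Some applications report no publisher; such entries match the allowlist only if the CSV row also leaves `Publisher` empty, which is deliberate, since an unsigned or unattributed binary is worth a look.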
5. IDENTIFICATION AND AUTHENTICATION (IA)
Control 3.5.1: Identify System Users
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.1 |
| Control Title | Identify System Users |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.1[a] | system users are identified. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra uniquely identifies system users through User Principal Names (UPNs) and unique Object IDs assigned to each user account. |
| 3.5.1[b] | processes acting on behalf of users are identified. | Microsoft Entra ID | Microsoft | Self | Service accounts and applications are identified through Application IDs and Service Principal Object IDs. |
| 3.5.1[c] | devices accessing the system are identified. | Intune | Microsoft | Inherited | Microsoft Intune identifies devices through unique Device IDs issued during enrollment, ensuring each device connecting to organizational systems has a unique identity. |

Control 3.5.2: Authenticate Users
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.2 |
| Control Title | Authenticate Users |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Shared |
| Primary Components | Microsoft Entra ID, Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.2[a] | the identity of each user is authenticated or verified as a prerequisite to system access. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra authenticates user identities through username/password combinations with replay-resistant multi-factor authentication. |
| 3.5.2[b] | the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. | Microsoft Entra ID | Microsoft | Hybrid | Service principals authenticate using client secrets stored within Microsoft Entra. |
| 3.5.2[c] | the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | Intune | Microsoft | Inherited | Microsoft Intune authenticates devices through device certificates and compliance policies before allowing network access to organizational resources. |

Control 3.5.3: Use Multifactor Authentication
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.3 |
| Control Title | Use Multifactor Authentication |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.3[a] | privileged accounts are identified. | Microsoft Entra ID | Microsoft | Self | All users of the system are treated as privileged: each either accesses CUI or acts as a security operator/administrator. |
| 3.5.3[b] | multifactor authentication is implemented for local access to privileged accounts. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Conditional Access policies enforce multifactor authentication for all access to privileged accounts. |
| 3.5.3[c] | multifactor authentication is implemented for network access to privileged accounts. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Conditional Access policies enforce multifactor authentication for all access to privileged accounts. |
| 3.5.3[d] | multifactor authentication is implemented for network access to non-privileged accounts. | Microsoft Entra ID | Microsoft | Self | Microsoft Entra Conditional Access policies enforce multifactor authentication for all accounts. |

Control 3.5.4: Employ Replay-Resistant Authentication Mechanisms
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.4 |
| Control Title | Employ Replay-Resistant Authentication Mechanisms |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.4[a] | replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. | Microsoft Entra ID | Microsoft | Self | Replay-resistant MFA is enforced for all users. Users must authenticate with a Microsoft Authenticator push notification, a passkey, or a security key. |

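Both 3.5.3 and 3.5.4 rest on Conditional Access policies that apply to every account, and an assessor will want to see that claim evidenced rather than asserted: an enabled policy scoped to all users and all cloud apps, with MFA or an authentication strength as the grant control, and a known list of exclusions. The PowerShell below is an added example, not part of this SSP or of the organization's tenant configuration; it assumes the Microsoft.Graph PowerShell SDK and a GCC High tenant (`-Environment USGov`).

```powershell
# Added example (not part of the SSP). Enumerates Conditional Access policies
# and reports whether an enabled policy requires MFA (or an authentication
# strength) for all users on all cloud apps, and which users/groups are
# excluded from it. Assumptions: Microsoft.Graph PowerShell SDK and a GCC High
# tenant (-Environment USGov).

Connect-MgGraph -Environment USGov -Scopes 'Policy.Read.All'

$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $users = $p.Conditions.Users
    $grant = $p.GrantControls
    [pscustomobject]@{
        Name           = $p.DisplayName
        State          = $p.State      # enabled | disabled | enabledForReportingButNotEnforced
        AllUsers       = [bool]($users.IncludeUsers -contains 'All')
        AllApps        = [bool]($p.Conditions.Applications.IncludeApplications -contains 'All')
        RequiresMfa    = [bool]($grant.BuiltInControls -contains 'mfa')
        AuthStrength   = $grant.AuthenticationStrength.DisplayName   # set when a strength, not plain MFA, is required
        ExcludedUsers  = ($users.ExcludeUsers  -join ';')
        ExcludedGroups = ($users.ExcludeGroups -join ';')
    }
}

$report | Format-Table Name, State, AllUsers, AllApps, RequiresMfa, AuthStrength -AutoSize

# "MFA for all accounts" is only demonstrated by an enabled policy scoped to all
# users and all apps; report-only mode enforces nothing, and every exclusion is
# an account the policy does not cover.
$enforcing = $report | Where-Object {
    $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and ($_.RequiresMfa -or $_.AuthStrength)
}
if (-not $enforcing) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for all users on all cloud apps.'
}
$enforcing | Where-Object { $_.ExcludedUsers -or $_.ExcludedGroups } |
    Select-Object Name, ExcludedUsers, ExcludedGroups
```

The exclusion list is the part worth reading closely: emergency-access accounts and service exclusions are normal, but each one is an account outside the "all users" statement and needs a compensating control recorded in the access control policy. An authentication strength, rather than the generic `mfa` built-in control, is the Conditional Access mechanism that restricts users to a specific set of methods, which is how a requirement like the passkey or security-key set described for 3.5.4 is expressed in policy.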
Control 3.5.5: Prevent Reuse of Identifiers
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.5 |
| Control Title | Prevent Reuse of Identifiers |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.5[a] | a period within which identifiers cannot be reused is defined. | Microsoft Entra ID | Microsoft | Self | A minimum of 365 days is required before identifiers can be reassigned to different individuals. When access is removed for a user, their user account within Entra is disabled and placed within a disabled user group for at least one year to prevent identifier reuse. |
| 3.5.5[b] | reuse of identifiers is prevented within the defined period. | Microsoft Entra ID | Microsoft | Self | A minimum of 365 days is required before identifiers can be reassigned to different individuals. When access is removed for a user, their user account within Entra is disabled and placed within a disabled user group for at least one year to prevent identifier reuse. |

Control 3.5.6: Disable Identifiers After a Defined Period
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.6 |
| Control Title | Disable Identifiers After a Defined Period |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | n8n |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.6[a] | a period of inactivity after which an identifier is disabled is defined. | n8n | n8n | Self | n8n automatically disables user accounts in Microsoft Entra after 90 days of inactivity. |
| 3.5.6[b] | identifiers are disabled after the defined period of inactivity. | n8n | n8n | Self | n8n automatically disables user accounts in Microsoft Entra after 90 days of inactivity. |

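The SSP does not reproduce the n8n workflow behind 3.5.6, so the PowerShell below is an added example of the same rule expressed directly against Microsoft Graph: it is not the organization's automation and is offered so that an administrator or assessor can reproduce what that automation is expected to do, including the hand-off to the disabled-user group that 3.5.5 relies on. It assumes the Microsoft.Graph PowerShell SDK, a GCC High tenant (`-Environment USGov`), Entra ID P1 or P2 (the `signInActivity` property is not returned without it), and a disabled-user group whose object ID is passed in `-DisabledGroupId`; the default value shown is a hypothetical placeholder.

```powershell
# Added example (not the organization's n8n workflow). The 90-day inactivity
# rule expressed against Microsoft Graph, with a dry-run switch.
# Assumptions: Microsoft.Graph PowerShell SDK, GCC High tenant (-Environment
# USGov), Entra ID P1/P2 (signInActivity needs it), and a disabled-user group
# whose object ID is passed in -DisabledGroupId (hypothetical default value).

param(
    [int]      $InactiveDays    = 90,
    [string]   $DisabledGroupId = '00000000-0000-0000-0000-000000000000',  # hypothetical
    [string[]] $ExcludeUpn      = @(),   # e.g. emergency-access accounts handled by a separate procedure
    [switch]   $DryRun
)

Connect-MgGraph -Environment USGov -Scopes 'User.ReadWrite.All','AuditLog.Read.All','GroupMember.ReadWrite.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$users  = Get-MgUser -All -Filter 'accountEnabled eq true' `
            -Property Id,UserPrincipalName,UserType,CreatedDateTime,SignInActivity

foreach ($u in $users) {
    if ($u.UserType -ne 'Member' -or $ExcludeUpn -contains $u.UserPrincipalName) { continue }

    # Most recent of interactive and non-interactive sign-in: a Cloud PC user
    # whose client only refreshes tokens still counts as active.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # Never-signed-in accounts have no sign-in activity at all; fall back to
    # creation time so a newly provisioned account is not disabled before its
    # first logon, while a stale never-used account still ages out.
    if (-not $last) { $last = $u.CreatedDateTime }
    if ($last -gt $cutoff) { continue }

    if ($DryRun) {
        "DryRun: would disable $($u.UserPrincipalName) (last activity $last)"
        continue
    }
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    New-MgGroupMember -GroupId $DisabledGroupId -DirectoryObjectId $u.Id   # parks the identifier for 3.5.5
    "Disabled $($u.UserPrincipalName); last activity $last"
}
```

Run it with `-DryRun` first and compare the list with what the n8n workflow actually disabled; the two should agree, and any difference is either an exclusion that the workflow applies silently or a bug in one of them. Disabling an account that holds a directory role requires the caller to hold an equal or higher role, which is one reason emergency-access accounts belong in `-ExcludeUpn` and in a documented manual procedure rather than in the automated path.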
Control 3.5.7: Enforce a Minimum Password Complexity
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.7 |
| Control Title | Enforce a Minimum Password Complexity |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.7[a] | password complexity requirements are defined. | Microsoft Entra ID | Microsoft | Inherited | Password complexity requirements are inherited through Microsoft Entra's default password complexity requirement. |
| 3.5.7[b] | password change of character requirements are defined. | Microsoft Entra ID | Microsoft | Inherited | Password policy is inherited through Microsoft Entra's default policy, which enforces a minimum of 8 characters. |
| 3.5.7[c] | minimum password complexity requirements as defined are enforced when new passwords are created. | Microsoft Entra ID | Microsoft | Inherited | Password complexity requirements are inherited through Microsoft Entra's default password complexity requirement. |
| 3.5.7[d] | minimum password change of character requirements as defined are enforced when new passwords are created. | Microsoft Entra ID | Microsoft | Inherited | Password policy is inherited through Microsoft Entra's default policy, which enforces a minimum of 8 characters. |

Control 3.5.8: Prohibit Password Reuse
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.8 |
| Control Title | Prohibit Password Reuse |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.8[a] | the number of generations during which a password cannot be reused is specified. | Microsoft Entra ID | Microsoft | Inherited | Password policy is inherited through Microsoft Entra's default policy. The last password can't be used again when the user changes a password. |
| 3.5.8[b] | reuse of passwords is prohibited during the specified number of generations. | Microsoft Entra ID | Microsoft | Inherited | Password policy is inherited through Microsoft Entra's default policy. The last password can't be used again when the user changes a password. |

Control 3.5.9: Allow Temporary Password Use
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.9 |
| Control Title | Allow Temporary Password Use |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Shared |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.9[a] | an immediate change to a permanent password is required when a temporary password is used for system logon. | Microsoft Entra ID | Microsoft | Hybrid | Microsoft Entra requires an immediate password change upon first logon when temporary passwords are assigned through administrative reset. |

Control 3.5.10: Store and Transmit Passwords
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.10 |
| Control Title | Store and Transmit Passwords |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.10[a] | passwords are cryptographically protected in storage. | Microsoft Entra ID | Microsoft | Inherited | This control is inherited. Microsoft Entra cryptographically protects stored passwords. |
| 3.5.10[b] | passwords are cryptographically protected in transit. | Microsoft Entra ID | Microsoft | Inherited | This control is inherited. Microsoft Entra cryptographically protects data in transit. |

Control 3.5.11: Obscure Feedback of Authentication Information
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.5.11 |
| Control Title | Obscure Feedback of Authentication Information |
| Control Family | Identification and Authentication |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.5.11[a] | authentication information is obscured during the authentication process. | Microsoft Entra ID | Microsoft | Inherited | This control is inherited. Microsoft Entra ID obscures all authenticator feedback. |

6. INCIDENT RESPONSE (IR)
Control 3.6.1: Establish an Operational Incident-Handling Capability
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.6.1 |
| Control Title | Establish an Operational Incident-Handling Capability |
| Control Family | Incident Response |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Incident Response Plan |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.6.1[a] | an operational incident-handling capability is established. | Incident Response Plan | - | Self | An operational incident-handling capability has been established through documented incident response procedures and integration with HaloPSA for incident tracking. The capability includes defined roles, responsibilities, and escalation procedures documented in the incident response plan. |
| 3.6.1[b] | the operational incident-handling capability includes preparation. | Incident Response Plan | - | Self | Preparation activities include: maintaining a current incident response plan and procedures, conducting annual tabletop exercises, ensuring incident response tools (Huntress, Defender XDR) are deployed and updated, and providing annual incident response training to all team members. |
| 3.6.1[c] | the operational incident-handling capability includes detection. | Incident Response Plan | - | Self | Detection capabilities include: continuous monitoring through Defender XDR and Huntress EDR services providing 24x7 threat detection, automated alerting for suspicious activities and IOCs, log aggregation and analysis from Cloud PC instances, and user reporting mechanisms integrated with HaloPSA ticketing. |
| 3.6.1[d] | the operational incident-handling capability includes analysis. | Incident Response Plan | - | Self | Analysis capabilities include: Huntress threat analysis and investigation services, Defender XDR analysis tools for Cloud PC and endpoint examination, log correlation across multiple sources to identify attack patterns, and threat intelligence integration for IOC matching and attribution. All analysis activities are logged in HaloPSA for tracking. |
| 3.6.1[e] | the operational incident-handling capability includes containment. | Incident Response Plan | - | Self | Containment capabilities include but are not limited to: Cloud PC session termination through Intune, device isolation through Microsoft Defender XDR, and account suspension through Microsoft Entra. |
| 3.6.1[f] | the operational incident-handling capability includes recovery. | Incident Response Plan | - | Self | Recovery capabilities include but are not limited to: reprovisioning the Cloud PC instance, account recovery procedures through Microsoft Entra, and post-recovery monitoring via Huntress to confirm threat elimination. |
| 3.6.1[g] | the operational incident-handling capability includes user response activities. | Incident Response Plan | - | Self | User response activities include: incident ticket creation in HaloPSA for affected users, self-service password reset capabilities through Microsoft Entra, user awareness materials on incident reporting procedures, and dedicated helpdesk support during incidents. Users receive training through Huntress on recognizing and reporting security incidents. |

Control 3.6.2: Track, Document, and Report Incidents
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.6.2 |
| Control Title | Track, Document, and Report Incidents |
| Control Family | Incident Response |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Incident Response Plan, HaloPSA |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.6.2[a] | incidents are tracked. | Incident Response Plan | - | Self | All incidents are tracked from initial detection through resolution using HaloPSA as the primary tracking system. Each incident receives a unique identifier and priority classification and is assigned to responsible personnel. Huntress alerts automatically create tracking tickets. |
| 3.6.2[b] | incidents are documented. | HaloPSA | Halo | Self | Incidents are documented in HaloPSA including: initial detection details, timeline of events and actions taken, affected systems and data (especially CUI), analysis findings and root cause, containment and recovery actions, and lessons learned. |
| 3.6.2[c] | authorities to whom incidents are to be reported are identified. | Incident Response Plan | - | Self | External reporting authorities are identified in the incident response plan including: DIB-CS for CUI-related incidents (within 72 hours), FBI/IC3 for cyber crimes, state breach notification requirements where applicable, and contractual notification requirements to prime contractors. Contact information is maintained in the Incident Response Plan and reviewed annually. |
| 3.6.2[d] | organizational officials to whom incidents are to be reported are identified. | Incident Response Plan | - | Self | Internal reporting structure includes: immediate notification to the Security Manager, escalation to executive leadership for high-impact incidents, legal counsel for potential data breaches, and affected department heads. |
| 3.6.2[e] | identified authorities are notified of incidents. | Incident Response Plan | - | Self | External authorities are notified according to regulatory and contractual requirements using secure communication channels. DIB-CS reporting is completed through the DIBNet portal; law enforcement notification follows established procedures. |
| 3.6.2[f] | identified organizational officials are notified of incidents. | HaloPSA | Halo | Self | Internal notifications occur through HaloPSA tickets, sending immediate alerts to designated officials based on incident severity. Email and SMS notifications ensure rapid awareness, with escalation procedures if initial notifications are not acknowledged within defined timeframes. All notifications are logged for compliance verification. |

Control 3.6.3: Test the Incident Response Capability
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.6.3 |
| Control Title | Test the Incident Response Capability |
| Control Family | Incident Response |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.6.3[a] | the incident response capability is tested. | HaloPSA | Halo | Self | The incident response capability is tested annually through tabletop exercises. |

7. MAINTENANCE (MA)
Control 3.7.1: Perform Maintenance on Systems
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.7.1 |
| Control Title | Perform Maintenance on Systems |
| Control Family | Maintenance |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.7.1[a] | system maintenance is performed. | Intune | Microsoft | Self | System maintenance is performed on Cloud PC instances. Maintenance includes automated OS patching via Intune policies. |

Control 3.7.2: Provide Controls on Tools
Control Summary

| Field | Value |
|---|---|
| Control ID | 3.7.2 |
| Control Title | Provide Controls on Tools |
| Control Family | Maintenance |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.7.2[a] | tools used to conduct system maintenance are controlled. | Microsoft Entra ID | Microsoft | Self | Access to Intune is controlled through Microsoft Entra. Only authorized personnel with privileged access perform maintenance. |
| 3.7.2[b] | techniques used to conduct system maintenance are controlled. | Intune | Microsoft | Self | Maintenance techniques are controlled through Intune and include automated OS patching policies and updates to third-party applications where applicable. |
| 3.7.2[c] | mechanisms used to conduct system maintenance are controlled. | Intune | Microsoft | Self | Maintenance mechanisms are controlled through Intune and include automated OS patching policies and updates to third-party applications where applicable. |
| 3.7.2[d] | personnel used to conduct system maintenance are controlled. | Microsoft Entra ID | Microsoft | Self | Only authorized personnel with privileged access perform maintenance through Intune, and that access is controlled through Microsoft Entra. |

Control 3.7.3: Ensure Equipment Removed for Off-Site Maintenance is Sanitized
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.7.3 |
| Control Title | Ensure Equipment Removed for Off-Site Maintenance is Sanitized |
| Control Family | Maintenance |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.7.3[a] | equipment removed for off-site maintenance is sanitized of any CUI. | N/A | - | N/A | This control is not applicable. The organization utilizes cloud-based Windows 365 Cloud PCs hosted entirely in Microsoft's Azure Government environment. There is no physical equipment containing CUI under organizational control that would require off-site maintenance. All hardware maintenance is performed by Microsoft within FedRAMP High authorized facilities. User endpoint devices (personal computers, tablets, phones) do not store CUI, as all data resides in the cloud environment accessed remotely. |
Control 3.7.4: Check Media with Diagnostic and Test Programs for Malicious Code
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.7.4 |
| Control Title | Check Media with Diagnostic and Test Programs for Malicious Code |
| Control Family | Maintenance |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.7.4[a] | media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. | N/A | - | N/A | This control is not applicable. The organization does not utilize removable diagnostic or test media for system maintenance. |
Control 3.7.5: Require Multifactor Authentication for Remote Maintenance
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.7.5 |
| Control Title | Require Multifactor Authentication for Remote Maintenance |
| Control Family | Maintenance |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Entra ID, Privileged Identity Management |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.7.5[a] | multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. | Microsoft Entra ID | Microsoft | Self | All remote maintenance sessions require MFA through Microsoft Entra using Microsoft Authenticator, passkey, or security keys. |
| 3.7.5[b] | nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. | Privileged Identity Management | Microsoft | Self | Remote maintenance sessions are terminated upon completion. |
Control 3.7.6: Supervise Maintenance Personnel
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.7.6 |
| Control Title | Supervise Maintenance Personnel |
| Control Family | Maintenance |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.7.6[a] | maintenance personnel without required access authorization are supervised during maintenance activities. | N/A | - | N/A | This control is not applicable. No maintenance personnel lacking the required access authorization conduct maintenance on systems within the boundary. |
8. MEDIA PROTECTION (MP)
Control 3.8.1: Protect System Media
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.1 |
| Control Title | Protect System Media |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.1[a] | system media containing CUI is physically controlled. | N/A | - | N/A | This control is not applicable. The organization operates in a cloud-native environment where CUI is stored exclusively in Microsoft's Government cloud infrastructure. There is no physical system media (hard drives, USB drives, backup tapes, optical media, or printed documents) containing CUI under organizational physical control. All CUI resides in encrypted cloud storage within the FedRAMP High authorized environment. |
| 3.8.1[b] | system media containing CUI is securely stored. | N/A | - | N/A | This control is not applicable. Physical storage of CUI media is not required, as the organization maintains no physical media containing CUI. |
Control 3.8.2: Limit Access to Media to Authorized Users
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.2 |
| Control Title | Limit Access to Media to Authorized Users |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.2[a] | access to CUI on system media is limited to authorized users. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
Control 3.8.3: Sanitize or Destroy System Media
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.3 |
| Control Title | Sanitize or Destroy System Media |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.3[a] | system media is sanitized or destroyed prior to disposal or release for reuse. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
Control 3.8.4: Mark Media
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.4 |
| Control Title | Mark Media |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.4[a] | media containing CUI is marked with applicable CUI markings. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
| 3.8.4[b] | media containing CUI is marked with distribution limitations. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
Control 3.8.5: Control Access and Maintain Accountability During Transport
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.5 |
| Control Title | Control Access and Maintain Accountability During Transport |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.5[a] | access to media containing CUI is controlled. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
| 3.8.5[b] | accountability for media containing CUI is maintained during transport outside of controlled areas. | N/A | - | N/A | This control is not applicable. The organization does not maintain physical system media containing CUI. |
Control 3.8.6: Implement Cryptographic Mechanisms to Protect CUI on Portable Storage
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.6 |
| Control Title | Implement Cryptographic Mechanisms to Protect CUI on Portable Storage |
| Control Family | Media Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.6[a] | the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. | N/A | - | N/A | This control is not applicable. The organization does not store CUI on portable digital storage devices (USB drives, external hard drives, optical media, or removable storage). |
Control 3.8.7: Control Use of Removable Media
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.7 |
| Control Title | Control Use of Removable Media |
| Control Family | Media Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.7[a] | the use of removable media on system components is controlled. | Intune | Microsoft | Self | Use of portable storage devices is prohibited and enforced through Intune. |
Control 3.8.8: Prohibit Use of Portable Storage
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.8 |
| Control Title | Prohibit Use of Portable Storage |
| Control Family | Media Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.8[a] | the use of portable storage devices is prohibited when such devices have no identifiable owner. | Intune | Microsoft | Self | Use of portable storage devices is prohibited and enforced through Intune. |
Control 3.8.9: Protect Backups of CUI
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.8.9 |
| Control Title | Protect Backups of CUI |
| Control Family | Media Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC, SharePoint, OneDrive, Teams, Exchange Online |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.8.9[a] | the confidentiality of backup CUI is protected at storage locations. | Cloud PC | Microsoft | Inherited | This control is inherited. CUI is only stored within SharePoint Online, OneDrive, MS Teams, and Cloud PCs, which are managed by Microsoft. |
| 3.8.9[a] | the confidentiality of backup CUI is protected at storage locations. | SharePoint | Microsoft | Inherited | This control is inherited. CUI is only stored within SharePoint Online, OneDrive, Exchange Online, MS Teams, and Cloud PCs, which are managed by Microsoft. |
| 3.8.9[a] | the confidentiality of backup CUI is protected at storage locations. | OneDrive | Microsoft | Inherited | This control is inherited. CUI is only stored within SharePoint Online, OneDrive, Exchange Online, MS Teams, and Cloud PCs, which are managed by Microsoft. |
| 3.8.9[a] | the confidentiality of backup CUI is protected at storage locations. | Teams | Microsoft | Inherited | This control is inherited. CUI is only stored within SharePoint Online, OneDrive, Exchange Online, MS Teams, and Cloud PCs, which are managed by Microsoft. |
| 3.8.9[a] | the confidentiality of backup CUI is protected at storage locations. | Exchange Online | Microsoft | Inherited | This control is inherited. CUI is only stored within SharePoint Online, OneDrive, Exchange Online, MS Teams, and Cloud PCs, which are managed by Microsoft. |
9. PERSONNEL SECURITY (PS)
Control 3.9.1: Screen Individuals
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.9.1 |
| Control Title | Screen Individuals |
| Control Family | Personnel Security |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.9.1[a] | individuals are screened prior to authorizing access to organizational systems containing CUI. | Information Security Policy and Procedures | - | Self | Personnel screening includes background checks, detailed in the PS Policy. |
Control 3.9.2: Ensure CUI and Systems are Protected During and After Personnel Actions
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.9.2 |
| Control Title | Ensure CUI and Systems are Protected During and After Personnel Actions |
| Control Family | Personnel Security |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, Microsoft Entra ID, HaloPSA |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.9.2[a] | a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. | Information Security Policy and Procedures | - | Self | The organizational personnel security policy defines the process for terminating system access. |
| 3.9.2[b] | system access and credentials are terminated consistent with personnel actions such as termination or transfer. | Microsoft Entra ID | Microsoft | Self | Access termination is executed through Microsoft Entra account disabling, Cloud PC device termination, and license removal. |
| 3.9.2[c] | the system is protected during and after personnel transfer actions. | HaloPSA | Halo | Self | System protection during personnel changes includes access review and adjustment based on new role requirements, data ownership transfer procedures in SharePoint, and exit interview documentation of knowledge transfer. HaloPSA maintains the user access change history. |
10. PHYSICAL PROTECTION (PE)
Control 3.10.1: Limit Physical Access to Systems
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.1 |
| Control Title | Limit Physical Access to Systems |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.1[a] | authorized individuals allowed physical access are identified. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.1[b] | physical access to organizational systems is limited to authorized individuals. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.1[c] | physical access to equipment is limited to authorized individuals. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.1[d] | physical access to operating environments is limited to authorized individuals. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
Control 3.10.2: Protect and Monitor Physical Facility
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.2 |
| Control Title | Protect and Monitor Physical Facility |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.2[a] | the physical facility where organizational systems reside is protected. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.2[b] | the support infrastructure for organizational systems is protected. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.2[c] | the physical facility where organizational systems reside is monitored. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.2[d] | the support infrastructure for organizational systems is monitored. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
Control 3.10.3: Escort Visitors and Monitor Visitor Activity
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.3 |
| Control Title | Escort Visitors and Monitor Visitor Activity |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.3[a] | visitors are escorted. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.3[b] | visitor activity is monitored. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
Control 3.10.4: Maintain Audit Logs of Physical Access
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.4 |
| Control Title | Maintain Audit Logs of Physical Access |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.4[a] | audit logs of physical access are maintained. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
Control 3.10.5: Control and Manage Physical Access Devices
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.5 |
| Control Title | Control and Manage Physical Access Devices |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.5[a] | physical access devices are identified. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.5[b] | physical access devices are controlled. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.5[c] | physical access devices are managed. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
Control 3.10.6: Enforce Safeguarding Measures for CUI
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.10.6 |
| Control Title | Enforce Safeguarding Measures for CUI |
| Control Family | Physical Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.10.6[a] | safeguarding measures for CUI are defined for alternate work sites. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
| 3.10.6[b] | safeguarding measures for CUI are enforced for alternate work sites. | All CUI Components | Microsoft | Inherited | CUI components are cloud-based services provided and managed by Microsoft. There are no physical locations within this authorization boundary. This control is inherited through the cloud service provider. |
11. RISK ASSESSMENT (RA)
Control 3.11.1: Periodically Assess Risk
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.11.1 |
| Control Title | Periodically Assess Risk |
| Control Family | Risk Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.11.1[a] | the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. | HaloPSA | Halo | Self | Risk assessments are performed annually, with additional assessments triggered by major system changes, significant security incidents, or emergence of new threat intelligence. The annual frequency ensures comprehensive evaluation while allowing for responsive assessments when conditions warrant. |
| 3.11.1[b] | risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. | HaloPSA | Halo | Self | Annual risk assessments evaluate threats to organizational operations, assets, and individuals from CUI processing systems. The assessment follows NIST SP 800-30 methodology, considering threat sources, vulnerabilities identified through Huntress and Microsoft Defender scans, likelihood of occurrence, and potential impacts. Risk assessment findings are tracked in HaloPSA. |
Control 3.11.2: Scan for Vulnerabilities
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.11.2 |
| Control Title | Scan for Vulnerabilities |
| Control Family | Risk Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, n8n |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.11.2[a] | the frequency to scan for vulnerabilities in organizational systems and applications is defined. | Microsoft Defender XDR | Microsoft | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[a] | the frequency to scan for vulnerabilities in organizational systems and applications is defined. | n8n | n8n | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[b] | vulnerability scans are performed on organizational systems with the defined frequency. | Microsoft Defender XDR | Microsoft | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[b] | vulnerability scans are performed on organizational systems with the defined frequency. | n8n | n8n | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[c] | vulnerability scans are performed on applications with the defined frequency. | Microsoft Defender XDR | Microsoft | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[c] | vulnerability scans are performed on applications with the defined frequency. | n8n | n8n | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.2[d] | vulnerability scans are performed on organizational systems when new vulnerabilities are identified. | Microsoft Defender XDR | Microsoft | Self | Emergency vulnerability scanning is triggered when new vulnerabilities are identified through CISA Known Exploited Vulnerabilities Catalog alerts, Microsoft Security Update releases, Huntress threat intelligence feeds, or industry security advisories. |
| 3.11.2[d] | vulnerability scans are performed on organizational systems when new vulnerabilities are identified. | n8n | n8n | Self | Emergency vulnerability scanning is triggered when new vulnerabilities are identified through CISA Known Exploited Vulnerabilities Catalog alerts, Microsoft Security Update releases, Huntress threat intelligence feeds, or industry security advisories. |
| 3.11.2[e] | vulnerability scans are performed on applications when new vulnerabilities are identified. | Microsoft Defender XDR | Microsoft | Self | Emergency vulnerability scanning is triggered when new vulnerabilities are identified through CISA Known Exploited Vulnerabilities Catalog alerts, Microsoft Security Update releases, Huntress threat intelligence feeds, or industry security advisories. |
| 3.11.2[e] | vulnerability scans are performed on applications when new vulnerabilities are identified. | n8n | n8n | Self | Emergency vulnerability scanning is triggered when new vulnerabilities are identified through CISA Known Exploited Vulnerabilities Catalog alerts, Microsoft Security Update releases, Huntress threat intelligence feeds, or industry security advisories. |
Control 3.11.3: Remediate Vulnerabilities
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.11.3 |
| Control Title | Remediate Vulnerabilities |
| Control Family | Risk Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, HaloPSA, n8n |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.11.3[a] | vulnerabilities are identified. | Microsoft Defender XDR | Microsoft | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.3[a] | vulnerabilities are identified. | HaloPSA | Halo | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.3[a] | vulnerabilities are identified. | n8n | n8n | Self | Device operating systems and applications are scanned continually for vulnerabilities by Microsoft Defender XDR, and results are imported into HaloPSA through n8n automation workflows on a monthly basis. |
| 3.11.3[b] | vulnerabilities are remediated in accordance with risk assessments. | Microsoft Defender XDR | Microsoft | Self | Vulnerability remediation follows risk-based timelines: Critical/High severity (CVSS 7.0+) remediated within 30 days or less, Medium severity (CVSS 4.0-6.9) within 90 days, Low severity (CVSS below 4.0) within 180 days. Remediation priority considers exploitability, system criticality for CUI processing, and compensating controls. HaloPSA tickets track remediation progress, with n8n workflows automating ticket closure after remediation has occurred. Exceptions require documented risk acceptance approved by leadership. |
| 3.11.3[b] | vulnerabilities are remediated in accordance with risk assessments. | HaloPSA | Halo | Self | Vulnerability remediation follows risk-based timelines: Critical/High severity (CVSS 7.0+) remediated within 30 days or less, Medium severity (CVSS 4.0-6.9) within 90 days, Low severity (CVSS below 4.0) within 180 days. Remediation priority considers exploitability, system criticality for CUI processing, and compensating controls. HaloPSA tickets track remediation progress, with n8n workflows automating ticket closure after remediation has occurred. Exceptions require documented risk acceptance approved by leadership. |
| 3.11.3[b] | vulnerabilities are remediated in accordance with risk assessments. | n8n | n8n | Self | Vulnerability remediation follows risk-based timelines: Critical/High severity (CVSS 7.0+) remediated within 30 days or less, Medium severity (CVSS 4.0-6.9) within 90 days, Low severity (CVSS below 4.0) within 180 days. Remediation priority considers exploitability, system criticality for CUI processing, and compensating controls. HaloPSA tickets track remediation progress, with n8n workflows automating ticket closure after remediation has occurred. Exceptions require documented risk acceptance approved by leadership. |
12. SECURITY ASSESSMENT (CA)
Control 3.12.1: Periodically Assess Security Controls
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.12.1 |
| Control Title | Periodically Assess Security Controls |
| Control Family | Security Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.12.1[a] | the frequency of security control assessments is defined. | HaloPSA | Halo | Self | Security control assessments are performed annually. Additional assessments are triggered by major system changes, security incidents, or significant threat intelligence. The annual frequency aligns with CMMC certification requirements and DoD NIST SP 800-171 assessment methodology. The assessment schedule is maintained in HaloPSA through scheduled tickets. |
| 3.12.1[b] | security controls are assessed with the defined frequency to determine if the controls are effective in their application. | HaloPSA | Halo | Self | Annual security control assessments follow DoD NIST SP 800-171 assessment methodology. Assessments evaluate all 110 Level 2 controls through examination of documentation, interviews with personnel, and technical testing. Microsoft Azure Government and Microsoft 365 GCC High inherited controls are validated through FedRAMP attestations. Assessment results are documented in Security Assessment Reports stored in HaloPSA, with findings tracked in HaloPSA for remediation. |
Control 3.12.2: Develop and Implement Plans of Action
Control Summary
| Field | Value |
| --- | --- |
| Control ID | 3.12.2 |
| Control Title | Develop and Implement Plans of Action |
| Control Family | Security Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA |
Control Objectives
| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.12.2[a] | deficiencies and vulnerabilities to be addressed by the plan of action are identified. | HaloPSA | Halo | Self | Deficiencies and vulnerabilities are identified through: annual security control assessments revealing control gaps, continuous monitoring via Huntress and Microsoft Defender detecting weaknesses, vulnerability scanning results from monthly reports, and incident response findings. All findings are consolidated in HaloPSA with risk ratings based on CVSS scores and business impact. POA&M items are prioritized based on risk level and CMMC requirements. |
| 3.12.2[b] | a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | HaloPSA | Halo | Self | POA&Ms are developed following organizational procedures with: detailed remediation plans for each finding, resource requirements and responsible parties identified, milestone dates based on risk (30/90/180 days), compensating controls documented where applicable, and dependencies tracked between related items. POA&M templates in HaloPSA ensure consistency, with n8n workflows automating status updates. |
| 3.12.2[c] | the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | HaloPSA | Halo | Self | POA&M implementation follows established timelines: Critical/High findings remediated within 30 days, Medium within 90 days, Low within 180 days. Implementation is tracked through HaloPSA tickets with progress updates for critical items. n8n workflows automate remediation where possible (patches, configuration changes). Closure requires validation. CMMC POA&M requirements limit items to a 180-day maximum resolution. |
Control 3.12.3: Monitor Security Controls on an Ongoing Basis
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.12.3 |
| Control Title | Monitor Security Controls on an Ongoing Basis |
| Control Family | Security Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.12.3[a] | security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. | Microsoft Defender XDR | Microsoft | Hybrid | The continuous monitoring program validates control effectiveness through findings and alerts within Microsoft Defender XDR and Huntress. Microsoft maintains continuous monitoring for all Azure Government and Microsoft 365 GCC High services per the shared responsibility model. |
| 3.12.3[a] | security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. | Huntress | Huntress | Inherited | The continuous monitoring program validates control effectiveness through findings and alerts within Microsoft Defender XDR and Huntress. Huntress provides a 24/7 managed SOC service to monitor for threats and indications of compromise. |
Control 3.12.4: Develop, Document, and Periodically Update System Security Plans
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.12.4 |
| Control Title | Develop, Document, and Periodically Update System Security Plans |
| Control Family | Security Assessment |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP) |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.12.4[a] | a system security plan is developed. | System Security Plan (SSP) | - | Self | The System Security Plan (SSP) has been developed. The SSP documents all security controls, implementation details, and system architecture for operations. The document is maintained in HaloPSA with restricted access. SSP development involved all system stakeholders with security requirements mapped to technical implementations. |
| 3.12.4[b] | the system boundary is described and documented in the system security plan. | System Security Plan (SSP) | - | Self | System boundary is clearly defined in the SSP with detailed network diagrams showing: Cloud PC in scope, Azure Government components, Microsoft 365 GCC High services utilized, and data flow paths for CUI. |
| 3.12.4[c] | the system environment of operation is described and documented in the system security plan. | System Security Plan (SSP) | - | Self | SSP documents the operational environment including: cloud-based architecture using Azure Government, remote workforce accessing via Cloud PC, FedRAMP authorized service providers, and integration points with external systems. Environment description covers technical, management, and operational aspects with specific focus on CUI processing, storage, and transmission. |
| 3.12.4[d] | the security requirements identified and approved by the designated authority as non-applicable are identified. | System Security Plan (SSP) | - | Self | Non-applicable requirements are documented in SSP with justification: VoIP controls marked N/A as the environment does not host VoIP services, physical datacenter controls inherited from Microsoft, and any controls not required based on system architecture. Non-applicability determinations reviewed annually and updated based on system changes. |
| 3.12.4[e] | the method of security requirement implementation is described and documented in the system security plan. | System Security Plan (SSP) | - | Self | Each security requirement implementation is detailed in the SSP. |
| 3.12.4[f] | the relationship with or connection to other systems is described and documented in the system security plan. | System Security Plan (SSP) | - | Self | System interconnections documented in SSP include: connections to Microsoft Azure Government (inherited controls), integration with Microsoft 365 GCC High for collaboration, API connections to HaloPSA and n8n for operations, and Huntress agent communications for security monitoring. Each connection includes data flow description, ports/protocols used, and security controls applied. |
| 3.12.4[g] | the frequency to update the system security plan is defined. | System Security Plan (SSP) | - | Self | SSP update frequency defined as annually per organizational policy, with additional updates triggered by: significant system changes requiring change control, new or modified interconnections, changes to security control implementations, and updates to CMMC requirements. Update schedule maintained in HaloPSA through scheduled tickets. |
| 3.12.4[h] | system security plan is updated with the defined frequency. | System Security Plan (SSP) | - | Self | SSP undergoes annual review and update as documented in revision history. |
13. SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Control 3.13.1: Monitor, Control, and Protect Communications
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.1 |
| Control Title | Monitor, Control, and Protect Communications |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP), Intune, Microsoft Defender XDR |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.1[a] | the external system boundary is defined. | System Security Plan (SSP) | - | Self | The external system boundary is defined in the System Security Plan and network diagrams maintained in HaloPSA. The boundary encompasses all Cloud PC instances, Azure Government platform, Microsoft 365 GCC High services, and authorized cloud services. External boundaries include user access points through Cloud PC authenticated sessions. |
| 3.13.1[b] | key internal system boundaries are defined. | System Security Plan (SSP) | - | Self | Key internal boundaries are defined between: CUI processing environments and non-CUI systems, Cloud PC instances and Azure infrastructure services, production and development environments, and user segments based on role-based access. Internal boundaries are documented in the SSP boundary diagram. |
| 3.13.1[c] | communications are monitored at the external system boundary. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[c] | communications are monitored at the external system boundary. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[d] | communications are monitored at key internal boundaries. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[d] | communications are monitored at key internal boundaries. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[e] | communications are controlled at the external system boundary. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[e] | communications are controlled at the external system boundary. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[f] | communications are controlled at key internal boundaries. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[f] | communications are controlled at key internal boundaries. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[g] | communications are protected at the external system boundary. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[g] | communications are protected at the external system boundary. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[h] | communications are protected at key internal boundaries. | Intune | Microsoft | Self | Windows Defender Firewall, configured through Intune, together with Defender XDR and Huntress, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
| 3.13.1[h] | communications are protected at key internal boundaries. | Microsoft Defender XDR | Microsoft | Inherited | Windows Defender Firewall, configured through Intune, together with Defender XDR, monitors and protects all communications at external and internal boundaries and is configured on each Cloud PC instance. |
Control 3.13.2: Employ Architectural Designs
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.2 |
| Control Title | Employ Architectural Designs |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP), System Design Document |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.2[a] | architectural designs that promote effective information security are identified. | System Security Plan (SSP) | - | Self | Security architecture follows defense-in-depth principles including Zero Trust network architecture with Microsoft Entra conditional access, layered security controls at application/network/infrastructure levels, segregation of duties through Microsoft Entra RBAC, and least privilege access design. Architecture decisions are documented in the SSP and design documents maintained in HaloPSA. |
| 3.13.2[c] | systems engineering principles that promote effective information security are identified. | System Design Document | - | Self | Systems engineering principles include fail-secure defaults in all configurations, redundancy and resilience for critical components, modularity enabling security updates without system-wide impact, and security-by-design in all architecture decisions. Principles are documented in the System Design Document maintained in HaloPSA. |
| 3.13.2[d] | identified architectural designs that promote effective information security are employed. | System Design Document | - | Self | Defense-in-depth architecture is implemented through multiple security layers: Windows Firewall at perimeter, endpoint protection via Microsoft Defender XDR and Huntress, data protection through Microsoft Purview, and identity security via Microsoft Entra. |
| 3.13.2[f] | identified systems engineering principles that promote effective information security are employed. | System Design Document | - | Self | Defense-in-depth architecture is implemented through multiple security layers: Windows Firewall at perimeter, endpoint protection via Microsoft Defender XDR and Huntress, data protection through Microsoft Purview, and identity security via Microsoft Entra. |
Control 3.13.3: Separate User and Privileged Functions
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.3 |
| Control Title | Separate User and Privileged Functions |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Information Security Policy and Procedures, System Security Plan (SSP), Microsoft Entra ID |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.3[a] | user functionality is identified. | Information Security Policy and Procedures | - | Self | User functionality includes: accessing CUI through Cloud PC sessions, using Microsoft 365 applications for document processing, collaborating via Teams and SharePoint, submitting requests through HaloPSA self-service portal, and consuming read-only reports. User functions are mapped to Microsoft Entra roles with defined permissions documented in the roles and responsibilities matrix within the Access Control Policy and Procedures. |
| 3.13.3[b] | system management functionality is identified. | System Security Plan (SSP) | - | Self | System management functionality encompasses: Microsoft Azure and M365 GCC High administration, Intune, security tool management (Defender XDR and Huntress), and HaloPSA and n8n management. |
| 3.13.3[c] | user functionality is separated from system management functionality. | Microsoft Entra ID | Microsoft | Self | Separation is enforced through distinct Microsoft Entra roles preventing privilege escalation. Just-In-Time access is required for elevated permissions, and all administrative actions are audit-logged to Microsoft Defender XDR. Users cannot execute system management functions from standard user roles. |
Control 3.13.4: Prevent Unauthorized and Unintended Information Transfer
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.4 |
| Control Title | Prevent Unauthorized and Unintended Information Transfer |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | SharePoint |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.4[a] | unauthorized and unintended information transfer via shared system resources is prevented. | SharePoint | Microsoft | Self | Microsoft SharePoint is a shared system resource, and access to its repositories is restricted to authorized personnel only. Microsoft SharePoint repositories can only be accessed through isolated Cloud PC sessions. |
Control 3.13.5: Implement Subnetworks for Publicly Accessible Systems
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.5 |
| Control Title | Implement Subnetworks for Publicly Accessible Systems |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | All CUI Components |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.5[a] | publicly accessible system components are identified. | All CUI Components | Microsoft | Inherited | All CUI components are public cloud services; however, access to the organization's tenant is controlled. |
| 3.13.5[b] | subnetworks for publicly accessible system components are physically or logically separated from internal networks. | All CUI Components | Microsoft | Inherited | All CUI components are public cloud services; however, access to the organization's tenant is controlled. |
Control 3.13.6: Deny Network Traffic by Default
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.6 |
| Control Title | Deny Network Traffic by Default |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.6[a] | network communications traffic is denied by default. | Intune | Microsoft | Self | Windows Defender Firewall on Cloud PC instances is configured to block all inbound traffic. |
| 3.13.6[b] | network communications traffic is allowed by exception. | Intune | Microsoft | Self | Windows Defender Firewall on Cloud PC instances is configured to allow outbound traffic only for approved services. |
Control 3.13.7: Prevent Split Tunneling
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.7 |
| Control Title | Prevent Split Tunneling |
| Control Family | System and Communications Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.7[a] | remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). | N/A | - | N/A | This control is not applicable. The organization does not implement VPN connections for CUI access. |
Control 3.13.8: Implement Cryptographic Mechanisms
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.8 |
| Control Title | Implement Cryptographic Mechanisms |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Intune, SharePoint, OneDrive, Teams, Microsoft Entra ID, Exchange Online |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.8[a] | cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Intune | Microsoft | Self | Intune configures Cloud PC for TLS 1.2 and FIPS encryption. |
| 3.13.8[a] | cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | SharePoint | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[a] | cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | OneDrive | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[a] | cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Teams | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[a] | cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. | Exchange Online | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[b] | alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. | Microsoft Entra ID | Microsoft | Self | While cryptographic mechanisms are primary, alternative safeguards include isolated Cloud PC sessions that only authorized personnel may access, with access controls enforced through Microsoft Entra. |
| 3.13.8[c] | either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | Intune | Microsoft | Self | Intune configures Cloud PC for TLS 1.2 and FIPS encryption. |
| 3.13.8[c] | either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | SharePoint | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[c] | either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | OneDrive | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[c] | either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | Teams | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
| 3.13.8[c] | either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. | Exchange Online | Microsoft | Inherited | This control is inherited. All communications to SharePoint Online, OneDrive, Exchange Online, and Teams are cryptographically protected by the cloud service provider. |
Control 3.13.9: Terminate Network Connections
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.9 |
| Control Title | Terminate Network Connections |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.9[a] | a period of inactivity to terminate network connections associated with communications sessions is defined. | Intune | Microsoft | Self | Cloud PC sessions are disconnected after 15 minutes of inactivity. A disconnected session is ended after 1 hour. |
| 3.13.9[b] | network connections associated with communications sessions are terminated at the end of the sessions. | Intune | Microsoft | Self | Cloud PC sessions are disconnected after 15 minutes of inactivity. A disconnected session is ended after 1 hour. |
| 3.13.9[c] | network connections associated with communications sessions are terminated after the defined period of inactivity. | Intune | Microsoft | Self | Cloud PC sessions are disconnected after 15 minutes of inactivity. A disconnected session is ended after 1 hour. |
Control 3.13.10: Establish and Manage Cryptographic Keys
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.10 |
| Control Title | Establish and Manage Cryptographic Keys |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC, SharePoint, OneDrive, Teams, Exchange Online |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.10[a] | cryptographic keys are established whenever cryptography is employed. | Cloud PC | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[a] | cryptographic keys are established whenever cryptography is employed. | SharePoint | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[a] | cryptographic keys are established whenever cryptography is employed. | OneDrive | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[a] | cryptographic keys are established whenever cryptography is employed. | Teams | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[a] | cryptographic keys are established whenever cryptography is employed. | Exchange Online | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[b] | cryptographic keys are managed whenever cryptography is employed. | Cloud PC | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[b] | cryptographic keys are managed whenever cryptography is employed. | SharePoint | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[b] | cryptographic keys are managed whenever cryptography is employed. | OneDrive | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[b] | cryptographic keys are managed whenever cryptography is employed. | Teams | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
| 3.13.10[b] | cryptographic keys are managed whenever cryptography is employed. | Exchange Online | Microsoft | Inherited | This control is inherited. Microsoft manages the cryptographic keys employed. |
Control 3.13.11: Employ FIPS-Validated Cryptography
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.11 |
| Control Title | Employ FIPS-Validated Cryptography |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC, SharePoint, OneDrive, Teams, Exchange Online |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.11[a] | FIPS-validated cryptography is employed to protect the confidentiality of CUI. | Cloud PC | Microsoft | Hybrid | The operating system on the Cloud PC instances is configured through Intune to use FIPS cryptography. The underlying infrastructure is managed by Microsoft, making this control partially inherited. |
| 3.13.11[a] | FIPS-validated cryptography is employed to protect the confidentiality of CUI. | SharePoint | Microsoft | Inherited | This control is inherited. Microsoft is responsible for employing FIPS cryptography for the infrastructure supporting Cloud PC and Microsoft 365 GCC High services. |
| 3.13.11[a] | FIPS-validated cryptography is employed to protect the confidentiality of CUI. | OneDrive | Microsoft | Inherited | This control is inherited. Microsoft is responsible for employing FIPS cryptography for the infrastructure supporting Cloud PC and Microsoft 365 GCC High services. |
| 3.13.11[a] | FIPS-validated cryptography is employed to protect the confidentiality of CUI. | Teams | Microsoft | Inherited | This control is inherited. Microsoft is responsible for employing FIPS cryptography for the infrastructure supporting Cloud PC and Microsoft 365 GCC High services. |
| 3.13.11[a] | FIPS-validated cryptography is employed to protect the confidentiality of CUI. | Exchange Online | Microsoft | Inherited | This control is inherited. Microsoft is responsible for employing FIPS cryptography for the infrastructure supporting Cloud PC and Microsoft 365 GCC High services. |
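The Cloud PC settings claimed above for 3.13.6 (inbound traffic blocked by default), 3.13.8 and 3.13.11 (TLS 1.2 and FIPS mode), and 3.13.9 (15-minute idle disconnect, 1-hour disconnected-session limit) can be checked on a running instance before an assessment. This is an added verification example, not the organization's or Microsoft's code; it assumes the Intune policies land in the standard Windows registry locations named in the comments and that it is run in an elevated PowerShell session on the Cloud PC.

```powershell
# Added example: compare effective Windows settings on a Cloud PC with the values
# this SSP states. Assumes the standard Windows policy/registry locations below
# and an elevated session on the Cloud PC itself.

$results = @()

function Add-Check {
    param([string]$Control, [string]$Setting, $Expected, $Actual)
    $script:results += [pscustomobject]@{
        Control  = $Control
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Expected -eq $Actual)
    }
}

# 3.13.6: every firewall profile enabled, inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    Add-Check '3.13.6' "$($p.Name) profile enabled" 'True'  "$($p.Enabled)"
    Add-Check '3.13.6' "$($p.Name) default inbound"  'Block' "$($p.DefaultInboundAction)"
}

# 3.13.11 / 3.13.8: LSA FIPS algorithm policy must be enabled (DWORD 1)
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
            -Name Enabled -ErrorAction SilentlyContinue
Add-Check '3.13.11' 'FipsAlgorithmPolicy\Enabled' 1 ([int]$fips.Enabled)

# 3.13.8: the TLS 1.2 client must not be explicitly disabled under SCHANNEL.
# A missing key means the OS default, which is TLS 1.2 enabled on supported builds.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty $tlsKey -Name Enabled -ErrorAction SilentlyContinue
$tlsDisabled = ($null -ne $tls) -and ($tls.Enabled -eq 0)
Add-Check '3.13.8' 'TLS 1.2 client explicitly disabled' $false $tlsDisabled

# 3.13.9: Remote Desktop Services session limits (policy values in milliseconds)
$ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
          -ErrorAction SilentlyContinue
Add-Check '3.13.9' 'MaxIdleTime (ms)'          (15 * 60 * 1000) ([int]$ts.MaxIdleTime)
Add-Check '3.13.9' 'MaxDisconnectionTime (ms)' (60 * 60 * 1000) ([int]$ts.MaxDisconnectionTime)

$results | Format-Table -AutoSize
# Non-zero exit lets a HaloPSA or n8n job flag the instance for a POA&M item.
if ($results.Pass -contains $false) { exit 1 }
```

A missing policy value reads back as 0, so an unconfigured timeout fails the check rather than passing silently.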
Control 3.13.12: Control and Monitor Collaborative Computing Devices
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.12 |
| Control Title | Control and Monitor Collaborative Computing Devices |
| Control Family | System and Communications Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.12[a] | collaborative computing devices are identified. | N/A | - | N/A | This control is not applicable. The organization does not utilize collaborative computing devices (webcams, microphones, conference room systems with remote activation capabilities) within the CMMC assessment scope that could create CUI disclosure risks. Microsoft Teams meetings accessed through Windows 365 Cloud PCs utilize user-controlled devices without remote activation capabilities. Users manually activate their own webcam and microphone for meetings. There are no organizational conference room systems, dedicated video conferencing units, or remotely-activatable collaborative devices that process, store, or transmit CUI. |
| 3.13.12[b] | collaborative computing devices provide indication to users of devices in use. | N/A | - | N/A | This control is not applicable. The organization does not maintain collaborative computing devices requiring usage indicators as all such devices are user-controlled personal equipment. |
| 3.13.12[c] | remote activation of collaborative computing devices is prohibited. | N/A | - | N/A | This control is not applicable. Remote activation is not possible as the organization does not deploy remotely-activatable collaborative computing devices in CUI processing environments. |
Control 3.13.13: Control and Monitor Use of Mobile Code
Control Summary

| Field | Value |
| --- | --- |
| Control ID | 3.13.13 |
| Control Title | Control and Monitor Use of Mobile Code |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Intune, Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
| --- | --- | --- | --- | --- | --- |
| 3.13.13[a] | use of mobile code is controlled. | Intune | Microsoft | Self | Mobile code control is implemented through Attack Surface Reduction rules blocking macro threats and Network Protection preventing connections to malicious sites. |
| 3.13.13[b] | use of mobile code is monitored. | Microsoft Defender XDR | Microsoft | Self | Defender for Endpoint monitors activity and executions performed on the Cloud PC instances. |
| 3.13.13[b] | use of mobile code is monitored. | Huntress | Huntress | Inherited | Huntress monitors activity and executions performed on the Cloud PC instances. |
Control 3.13.14: Control and Monitor Voice over Internet Protocol

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.13.14 |
| Control Title | Control and Monitor Voice over Internet Protocol |
| Control Family | System and Communications Protection |
| Status | NOT APPLICABLE |
| Primary Responsibility | N/A |
| Primary Components | N/A |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.13.14[a] | use of Voice over Internet Protocol (VoIP) technologies is controlled. | N/A | - | N/A | This control is not applicable. The organization does not implement VoIP telephony systems within the CMMC assessment scope. |
| 3.13.14[b] | use of Voice over Internet Protocol (VoIP) technologies is monitored. | N/A | - | N/A | This control is not applicable. VoIP-specific monitoring is not required as the organization does not implement dedicated VoIP telephony infrastructure. |

Control 3.13.15: Protect Authenticity of Communications Sessions

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.13.15 |
| Control Title | Protect Authenticity of Communications Sessions |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC, SharePoint, OneDrive, Teams, Exchange Online |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.13.15[a] | the authenticity of communications sessions is protected. | Cloud PC | Microsoft | Inherited | This control is inherited. Microsoft is responsible for the authenticity of communications involving Cloud PC instances and Microsoft 365 GCC High services. |
| 3.13.15[a] | the authenticity of communications sessions is protected. | SharePoint | Microsoft | Inherited | This control is inherited. Microsoft is responsible for the authenticity of communications involving Cloud PC instances and Microsoft 365 GCC High services. |
| 3.13.15[a] | the authenticity of communications sessions is protected. | OneDrive | Microsoft | Inherited | This control is inherited. Microsoft is responsible for the authenticity of communications involving Cloud PC instances and Microsoft 365 GCC High services. |
| 3.13.15[a] | the authenticity of communications sessions is protected. | Teams | Microsoft | Inherited | This control is inherited. Microsoft is responsible for the authenticity of communications involving Cloud PC instances and Microsoft 365 GCC High services. |
| 3.13.15[a] | the authenticity of communications sessions is protected. | Exchange Online | Microsoft | Inherited | This control is inherited. Microsoft is responsible for the authenticity of communications involving Cloud PC instances and Microsoft 365 GCC High services. |

Control 3.13.16: Protect Confidentiality of CUI at Rest

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.13.16 |
| Control Title | Protect Confidentiality of CUI at Rest |
| Control Family | System and Communications Protection |
| Status | IMPLEMENTED |
| Primary Responsibility | Inherited |
| Primary Components | Cloud PC, SharePoint, OneDrive, Teams, Exchange Online |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.13.16[a] | the confidentiality of CUI at rest is protected. | Cloud PC | Microsoft | Inherited | This control is inherited. Microsoft is responsible for protection and encryption of CUI at rest for Cloud PC instances and the Microsoft 365 GCC High platform. |
| 3.13.16[a] | the confidentiality of CUI at rest is protected. | SharePoint | Microsoft | Inherited | This control is inherited. Microsoft is responsible for protection and encryption of CUI at rest for Cloud PC instances and the Microsoft 365 GCC High platform. |
| 3.13.16[a] | the confidentiality of CUI at rest is protected. | OneDrive | Microsoft | Inherited | This control is inherited. Microsoft is responsible for protection and encryption of CUI at rest for Cloud PC instances and the Microsoft 365 GCC High platform. |
| 3.13.16[a] | the confidentiality of CUI at rest is protected. | Teams | Microsoft | Inherited | This control is inherited. Microsoft is responsible for protection and encryption of CUI at rest for Cloud PC instances and the Microsoft 365 GCC High platform. |
| 3.13.16[a] | the confidentiality of CUI at rest is protected. | Exchange Online | Microsoft | Inherited | This control is inherited. Microsoft is responsible for protection and encryption of CUI at rest for Cloud PC instances and the Microsoft 365 GCC High platform. |

Control 3.14.1: Identify, Report, and Correct System Flaws

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.1 |
| Control Title | Identify, Report, and Correct System Flaws |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, HaloPSA |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.1[a] | the time within which to identify system flaws is specified. | Microsoft Defender XDR | Microsoft | Self | System flaws are identified on a monthly basis. |
| 3.14.1[a] | the time within which to identify system flaws is specified. | HaloPSA | Halo | Self | System flaws are identified on a monthly basis. |
| 3.14.1[b] | system flaws are identified within the specified time frame. | Microsoft Defender XDR | Microsoft | Self | Microsoft Defender for Endpoint is used to discover system vulnerabilities within Cloud PC instances. Scans are performed daily, with reports generated monthly within HaloPSA. |
| 3.14.1[b] | system flaws are identified within the specified time frame. | HaloPSA | Halo | Self | Microsoft Defender for Endpoint is used to discover system vulnerabilities within Cloud PC instances. Scans are performed daily, with reports generated monthly within HaloPSA. |
| 3.14.1[c] | the time within which to report system flaws is specified. | Microsoft Defender XDR | Microsoft | Self | The organization specifies monthly as the time frame within which to report system flaws. |
| 3.14.1[c] | the time within which to report system flaws is specified. | HaloPSA | Halo | Self | The organization specifies monthly as the time frame within which to report system flaws. |
| 3.14.1[d] | system flaws are reported within the specified time frame. | Microsoft Defender XDR | Microsoft | Self | System flaws are reported on a monthly basis. |
| 3.14.1[d] | system flaws are reported within the specified time frame. | HaloPSA | Halo | Self | System flaws are reported on a monthly basis. |
| 3.14.1[e] | the time within which to correct system flaws is specified. | Microsoft Defender XDR | Microsoft | Self | High-risk vulnerabilities must be remediated within 30 days, moderate-risk vulnerabilities within 90 days, and low-risk vulnerabilities within 180 days. |
| 3.14.1[e] | the time within which to correct system flaws is specified. | HaloPSA | Halo | Self | High-risk vulnerabilities must be remediated within 30 days, moderate-risk vulnerabilities within 90 days, and low-risk vulnerabilities within 180 days. |
| 3.14.1[f] | system flaws are corrected within the specified time frame. | Microsoft Defender XDR | Microsoft | Self | HaloPSA issue tickets are created for each system flaw or vulnerability and their lifecycle is tracked. |
| 3.14.1[f] | system flaws are corrected within the specified time frame. | HaloPSA | Halo | Self | HaloPSA issue tickets are created for each system flaw or vulnerability and their lifecycle is tracked. |

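A tracker for the remediation timelines in 3.14.1[e] and [f], added here as an illustration; it is not part of the SSP and not HaloPSA or Defender code. The record layout, the ticket ids and the CVE ids are constructed placeholders, and the report date is the plan's release date.

```python
"""Remediation SLA tracker for the 3.14.1[e]/[f] timelines (added example, not SSP text).
Deadlines follow the plan: high-risk flaws within 30 days of identification, moderate
within 90, low within 180. Record fields and ticket ids are assumptions, not export formats."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the SSP, keyed by risk tier (days from identification).
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}
REPORT_DATE = date(2025, 11, 17)  # "today" for the monthly report (constructed)


@dataclass(frozen=True)
class Finding:
    ticket: str                        # HaloPSA ticket reference (placeholder values below)
    cve: str                           # identifier as reported by the scanner
    risk: str                          # "high", "moderate" or "low"
    identified: date                   # date the scan first reported the flaw
    remediated: Optional[date] = None  # None while the ticket is still open


def due_date(f: Finding) -> date:
    """Deadline derived from the tier's SLA window; unknown tiers raise KeyError."""
    return f.identified + timedelta(days=SLA_DAYS[f.risk])


def sla_status(f: Finding, today: date) -> str:
    """One of closed-in-sla, closed-late, open, overdue, relative to the deadline."""
    deadline = due_date(f)
    if f.remediated is not None:
        return "closed-in-sla" if f.remediated <= deadline else "closed-late"
    return "overdue" if today > deadline else "open"


def monthly_report(findings, today: date):
    """Counts per status plus overdue tickets (most overdue first) for the monthly report."""
    summary = {"closed-in-sla": 0, "closed-late": 0, "open": 0, "overdue": 0}
    overdue = []
    for f in findings:
        status = sla_status(f, today)
        summary[status] += 1
        if status == "overdue":
            overdue.append((f.ticket, f.cve, (today - due_date(f)).days))
    return summary, sorted(overdue, key=lambda row: row[2], reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("HPSA-1001", "CVE-PLACEHOLDER-1", "high", date(2025, 9, 1), date(2025, 9, 20)),
    Finding("HPSA-1002", "CVE-PLACEHOLDER-2", "high", date(2025, 9, 10)),
    Finding("HPSA-1003", "CVE-PLACEHOLDER-3", "moderate", date(2025, 8, 1)),
    Finding("HPSA-1004", "CVE-PLACEHOLDER-4", "low", date(2025, 4, 1), date(2025, 10, 15)),
    Finding("HPSA-1005", "CVE-PLACEHOLDER-5", "moderate", date(2025, 11, 1)),
]
```

Running `monthly_report(SAMPLE, REPORT_DATE)` yields one finding closed within its window, one closed late, one still open and two overdue, which is the list a reviewer would escalate in HaloPSA.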
Control 3.14.2: Provide Protection from Malicious Code

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.2 |
| Control Title | Provide Protection from Malicious Code |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.2[a] | designated locations for malicious code protection are identified. | Microsoft Defender XDR | Microsoft | Self | Designated locations for malicious code protection include all Cloud PC instances. |
| 3.14.2[a] | designated locations for malicious code protection are identified. | Huntress | Huntress | Self | Designated locations for malicious code protection include all Cloud PC instances. |
| 3.14.2[b] | protection from malicious code at designated locations is provided. | Microsoft Defender XDR | Microsoft | Self | Microsoft Defender for Endpoint and Huntress provide malicious code protection on all Cloud PC instances. |
| 3.14.2[b] | protection from malicious code at designated locations is provided. | Huntress | Huntress | Self | Microsoft Defender for Endpoint and Huntress provide malicious code protection on all Cloud PC instances. |

Control 3.14.3: Monitor System Security Alerts and Advisories

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.3 |
| Control Title | Monitor System Security Alerts and Advisories |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | HaloPSA, Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.3[a] | response actions to system security alerts and advisories are identified. | HaloPSA | Halo | Self | If system security alerts or advisories are applicable to the organization's systems, an incident ticket is submitted through HaloPSA so that pertinent actions can be tracked and implemented. |
| 3.14.3[b] | system security alerts and advisories are monitored. | Microsoft Defender XDR | Microsoft | Self | The Security Administrator monitors system security alerts from the following sources: CISA Known Exploited Vulnerabilities Catalog, CISA Cybersecurity Advisories, CISA Vulnerability Bulletins, and Huntress and Defender threat intelligence feeds. |
| 3.14.3[b] | system security alerts and advisories are monitored. | Huntress | Huntress | Self | The Security Administrator monitors system security alerts from the following sources: CISA Known Exploited Vulnerabilities Catalog, CISA Cybersecurity Advisories, CISA Vulnerability Bulletins, and Huntress and Defender threat intelligence feeds. |
| 3.14.3[c] | actions in response to system security alerts and advisories are taken. | HaloPSA | Halo | Self | Actions taken in response to security alerts are based on incident tickets tracked in HaloPSA. |

Control 3.14.4: Update Malicious Code Protection Mechanisms

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.4 |
| Control Title | Update Malicious Code Protection Mechanisms |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.4[a] | malicious code protection mechanisms are updated when new releases are available. | Microsoft Defender XDR | Microsoft | Hybrid | Defender and Huntress agents are configured for automatic updates. Definition updates are applied automatically through Windows Update and Huntress cloud services. |
| 3.14.4[a] | malicious code protection mechanisms are updated when new releases are available. | Huntress | Huntress | Self | Defender and Huntress agents are configured for automatic updates. Definition updates are applied automatically through Windows Update and Huntress cloud services. |

Control 3.14.5: Perform Periodic Scans and Real-Time Scans

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.5 |
| Control Title | Perform Periodic Scans and Real-Time Scans |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | Microsoft Defender XDR |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.5[a] | the frequency for malicious code scans is defined. | Microsoft Defender XDR | Microsoft | Self | The frequency for malicious code scans is defined as daily with real-time monitoring enabled. |
| 3.14.5[b] | malicious code scans are performed with the defined frequency. | Microsoft Defender XDR | Microsoft | Self | The frequency for malicious code scans is configured as daily with real-time monitoring enabled. |
| 3.14.5[c] | real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. | Microsoft Defender XDR | Microsoft | Self | Defender for Endpoint performs real-time monitoring on all Cloud PC instances. |

Control 3.14.6: Monitor, Control, and Protect Organizational Communications

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.6 |
| Control Title | Monitor, Control, and Protect Organizational Communications |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Shared |
| Primary Components | Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.6[a] | the system is monitored to detect attacks and indicators of potential attacks. | Microsoft Defender XDR | Microsoft | Self | The organization monitors systems using Microsoft Defender for Endpoint and Huntress EDR to detect attacks and indicators of potential attacks. |
| 3.14.6[a] | the system is monitored to detect attacks and indicators of potential attacks. | Huntress | Huntress | Self | The organization monitors systems using Microsoft Defender for Endpoint and Huntress EDR to detect attacks and indicators of potential attacks. |
| 3.14.6[b] | inbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Microsoft Defender XDR | Microsoft | Inherited | Inbound communications traffic is monitored through Defender for Endpoint network monitoring capabilities. |
| 3.14.6[c] | outbound communications traffic is monitored to detect attacks and indicators of potential attacks. | Microsoft Defender XDR | Microsoft | Inherited | Outbound communications traffic is monitored through Defender for Endpoint network monitoring capabilities. |

Control 3.14.7: Identify Unauthorized Use

Control Summary

| Field | Value |
|---|---|
| Control ID | 3.14.7 |
| Control Title | Identify Unauthorized Use |
| Control Family | System and Information Integrity |
| Status | IMPLEMENTED |
| Primary Responsibility | Self |
| Primary Components | System Security Plan (SSP), Microsoft Defender XDR, Huntress |

Control Objectives

| Objective ID | Objective Description | Component | Provider | Responsibility | Implementation Statement |
|---|---|---|---|---|---|
| 3.14.7[a] | authorized use of the system is defined. | System Security Plan (SSP) | - | Self | Authorized use is defined as use of the system by an authorized user that is compliant with organizational policies and procedures. |
| 3.14.7[b] | unauthorized use of the system is identified. | Microsoft Defender XDR | Microsoft | Self | Unauthorized use is identified through continuous monitoring via Microsoft Defender for Endpoint and Huntress behavioral detection, Microsoft Entra sign-in logs, and automated alerts. |
| 3.14.7[b] | unauthorized use of the system is identified. | Huntress | Huntress | Self | Unauthorized use is identified through continuous monitoring via Microsoft Defender for Endpoint and Huntress behavioral detection, Microsoft Entra sign-in logs, and automated alerts. |
