
Master Microsoft & CIS Benchmark Best Practices to Secure Your Environment

Discover how to implement Microsoft & CIS Benchmark best practices to strengthen your business security and protect your environment from evolving threats with expert guidance.

7 min read
Published on Jan 28, 2025

Organizations are increasingly incorporating technology into the very foundation of their companies, revolutionizing the way they do business. While this technological integration can provide new levels of efficiency, productivity, and growth, increased reliance on technology can also leave these organizations more vulnerable to cyber-attacks. While advanced technology such as firewalls and endpoint detection can go a long way in protecting critical systems from malicious agents, these measures alone are not enough to ward off increasingly sophisticated (and prevalent) cybersecurity threats.

One step you can take to improve your organization’s cybersecurity posture is to implement the Center for Internet Security’s (CIS) benchmarks to help secure your Microsoft 365 environment. CIS Benchmarks are a set of community-developed best practices for securing IT systems, and they can support your NIST 800-171 and CMMC compliance efforts by providing detailed configuration guidelines that help your organization meet the security requirements outlined in the CMMC framework.

Keep reading to learn more about the CIS Microsoft 365 Foundations Benchmark, what it is, why it’s important, and how it can help you maintain CMMC compliance.

What Are CIS Benchmarks?

Of course, the first thing you may find yourself asking is what CIS Benchmarks are. The CIS Benchmarks are a set of community-developed secure configuration recommendations for hardening an organization’s technologies against cyber-attacks. Mapped to the CIS Critical Security Controls, the CIS Benchmarks help elevate the security defenses of cloud provider platforms and cloud services, containers, databases, software, network devices, and operating systems, and they can also be used to help organizations demonstrate compliance with industry regulations and frameworks. The CIS currently has over 100 CIS Benchmarks across 25+ product vendor families, and one of the most beneficial is the Microsoft 365 Foundations Benchmark.

What is the CIS Microsoft 365 Foundations Benchmark?

If your organization operates in a Microsoft environment, you likely already know that Microsoft 365 is a suite of powerful cloud services that help enable collaboration, security, compliance, and mobility within an organization. While Microsoft goes to great lengths to ensure the security of the data its users store and transmit within its cloud environment, users must also implement the appropriate architecture and enable the right set of configuration settings to ensure their data is properly secured. This is where the CIS Microsoft 365 Foundations Benchmark comes into play.

Developed by the CIS in partnership with Microsoft, the CIS Microsoft 365 Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Cloud. It is designed to assist organizations in establishing the foundation level of security when adopting Microsoft 365, and it acts as a starting point to help organizations secure their data and achieve compliance with industry security standards.

CIS Benchmark Levels

Within the CIS Benchmark are two levels of security guidelines, each with different technical specifications depending on the level of data security your organization is trying to achieve. These levels are outlined below:

  • Level 1: Provides recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2: Recommends advanced security settings for environments requiring greater data security. This could result in some reduced functionality.

Microsoft 365 CIS Security Benchmark Sections

What makes the Microsoft 365 Foundations Benchmark so beneficial for any organization operating in a Microsoft 365 environment is that it goes beyond basic security settings and helps organizations boost their security posture to protect sensitive data from the most pervasive attacks. This benchmark includes 60 recommended security controls divided into 7 sections:

  • Account and Authentication Policies: This section covers measures to help strengthen login credentials such as enforcing multi-factor authentication (MFA) and managing privileged accounts.
  • Application Permissions: Provides recommendations for configuring application permissions within Microsoft 365. It addresses how applications within Microsoft 365 interact with user data and system resources, minimizing potential risks.
  • Data Management: This section provides recommendations for setting data management policies, ensuring proper data classification, encryption, and access controls to safeguard sensitive data.
  • Email Security/Exchange Online: These controls help organizations configure Exchange Online and email security to protect sensitive user information and company data.
  • Auditing Policies: Provides recommendations for setting auditing policies on your Microsoft 365 tenant.
  • Storage Policies: This focuses on providing recommendations for securely configuring storage policies and securing access to data to prevent unauthorized access and data breaches.
  • Mobile Device Management: Provides recommendations for securely managing mobile devices connecting to Microsoft 365 to ensure data security. This can be particularly important if you have bring your own device (BYOD) policies.
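Two of the sections above (Account and Authentication Policies, Auditing Policies) map directly to tenant settings that can be read back and verified from the command line. The script below is an added example for this post, not tooling from CIS or Microsoft: it performs read-only checks that an enabled Conditional Access policy requires MFA for all users and that unified audit log ingestion is turned on. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that the signed-in account can read Conditional Access policies and the Exchange admin audit configuration; the function names and the report layout are this example's own.

```powershell
# Added example (not part of the original post or of the CIS benchmark):
# read-only checks for two of the benchmark sections listed above, using the
# Microsoft Graph PowerShell SDK and the Exchange Online module.
# Assumes Install-Module Microsoft.Graph.Identity.SignIns and
# Install-Module ExchangeOnlineManagement have already been run.
# Function names below are this example's own, not benchmark identifiers.

# Account and Authentication Policies: is there an enabled Conditional Access
# policy that targets all users and grants access only with MFA?
function Test-MfaForAllUsersPolicy {
    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
    $policies = Get-MgIdentityConditionalAccessPolicy
    $matching = $policies | Where-Object {
        $_.State -eq 'enabled' -and                         # report-only does not count
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }
    [pscustomobject]@{
        Check    = 'Conditional Access policy requiring MFA for all users'
        Pass     = [bool]$matching
        Evidence = ($matching | ForEach-Object DisplayName) -join '; '
    }
}

# Auditing Policies: is unified audit log ingestion enabled for the tenant?
function Test-UnifiedAuditLogEnabled {
    Connect-ExchangeOnline -ShowBanner:$false
    $config = Get-AdminAuditLogConfig
    [pscustomobject]@{
        Check    = 'Unified audit log ingestion enabled'
        Pass     = [bool]$config.UnifiedAuditLogIngestionEnabled
        Evidence = "UnifiedAuditLogIngestionEnabled = $($config.UnifiedAuditLogIngestionEnabled)"
    }
}

# Run both checks and print a small report. A failed row points at the
# benchmark section whose recommendations need attention.
$results = @(Test-MfaForAllUsersPolicy; Test-UnifiedAuditLogEnabled)
$results | Format-Table Check, Pass, Evidence -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The MFA check is deliberately strict about policy state: a policy left in report-only mode is not counted, because it does not enforce anything. It does not inspect exclusions, so a policy that passes here may still exempt groups or accounts; review the policy's exclusion lists as part of the same assessment.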

Implementation and Assessment Tools

Upon reading through the CIS Microsoft 365 Foundations Benchmark, you may find yourself unsure where to start. One place to begin when implementing this benchmark is the Microsoft 365 security roadmap provided by Microsoft to help organizations minimize the potential for a data breach or compromised account. You can also use the Microsoft Purview Compliance Manager feature in the Microsoft Purview compliance portal to assess your current security posture against the CIS Benchmarks. This can streamline implementation by identifying areas for improvement, allowing you to take a targeted approach to security hardening and focus on the most critical areas first.

Regular Updates

Of course, it is important to note that CIS Benchmark implementation is not a one-time exercise. It is an ongoing process, as the CIS regularly revises benchmarks based on community feedback and developing cybersecurity threats. The frequency of these updates can vary, so you may find it helpful to register for the CIS Workbench, which ensures that you receive CIS’s monthly reports announcing new benchmarks and updates to existing benchmarks, helping you keep up with evolving cybersecurity best practices.

Using CIS Benchmarks as a Starting Point

Another thing to note when using the Microsoft 365 Foundations Benchmark to enhance your cybersecurity posture is that this benchmark is not an exhaustive guide. While the CIS’s benchmarks are thorough, they are meant to be a starting point, not a one-size-fits-all solution. The fact is that while they provide great guidelines for securing your Microsoft 365 environment, every organization has unique security needs based on its industry, data sensitivity, and compliance requirements. This is particularly true of DoD contractors who must comply with CMMC guidelines. While the CIS Microsoft 365 Foundations Benchmark provides a solid foundation, your organization may need to make adjustments to it to meet your needs and ensure NIST 800-171 and CMMC compliance.

This is where you may find it beneficial to consult a CMMC-certified managed service provider (MSP). An experienced managed service provider can assess your organization’s security needs and help create a roadmap to guide you through the CMMC certification process.

Choose AgileDefend - Your MSP for CMMC

If you’re facing CMMC certification, you need an experienced MSP by your side who can address your security and compliance needs and help you stay ahead of evolving threats and regulatory requirements. When you choose AgileDefend by Agile IT, you gain a trusted partner dedicated to helping you enhance your compliance posture and protect your organization’s valuable data. AgileDefend is specifically designed to help government contractor organizations meet changing security and compliance requirements so that they can seamlessly obtain and maintain NIST 800-171 and CMMC compliance.

Our tailored approach can empower your growth and security goals, help you achieve compliance, and ensure you get the most out of your IT investments. Contact us today to start building your long-term success!
