CMMC Level 1 — M365 Hardening & Rollout

✅ Enable MFA for ALL users — no exceptions

Use Conditional Access (preferred) or Security Defaults. Every account, including service accounts where possible.

✅ Block legacy authentication protocols

IMAP, POP3, SMTP AUTH, basic auth — these bypass MFA. Block via Conditional Access. Confirm no printers/apps depend on these first.

✅ No shared accounts

Every user gets their own login. "reception@" or "shared@" mailboxes must use shared mailbox (no license, no login) not shared credentials.

✅ Privileged Identity Management (PIM)

Admins request elevation when needed, not permanently Global Admin. Requires Entra ID P2 (included in M365 Business Premium).

✅ Stale account removal

Disable accounts within 24 hrs of termination. Quarterly review of all active accounts against HR roster.

✅ Password complexity + spray protection

12-char min, Entra Smart Lockout enabled, Entra ID Password Protection deployed (blocks "Password1", "Welcome1" etc.)

✅ Sign-in risk policies

Entra ID Protection: block high-risk sign-ins, require MFA for medium-risk. Requires Entra ID P2.

✅ Defender for Office 365 — Safe Attachments

Scan all attachments in a detonation sandbox before delivery. Apply to all domains. Set unknown action to "Block".

✅ Defender for Office 365 — Safe Links

Rewrite all URLs, scan at click-time. Enable for email + Teams. Block "do not rewrite" list abuse.

✅ Anti-phishing — impersonation protection

Add key executives and domains to impersonation protection list. Set spoof intelligence to enabled. Use Strict preset if possible.

✅ SPF record verified

Confirm v=spf1 record in DNS includes all sending IPs/services. Hard fail (-all) preferred.

✅ DKIM signing enabled

Enable DKIM for all accepted domains in M365 Security portal. Verify CNAME records in DNS propagated.

✅ DMARC policy published

Start at p=none for visibility, move to p=quarantine within 30 days. Add rua= reporting address.

✅ DLP policy — FCI keyword detection

Create policy detecting contract numbers, FCI labels, or sensitive terms. Block external email with FCI, alert on internal oversharing.

✅ Auto-forward to external blocked

Create outbound spam policy or transport rule blocking auto-forwarding to external addresses. Common attack vector.

✅ Disable anonymous sharing links

Org-wide setting: Sharing → Anyone links = OFF. "Anyone with the link" must be disabled at tenant level.

✅ External sharing = Specific people only (or Off)

SharePoint admin center → Policies → Sharing. Set to "Specific people" or "Only people in your org" for max security.

✅ FCI library — restricted site

Create a dedicated SharePoint site for FCI files. Limit membership to only those who need access. No broad "Everyone" permissions.

✅ Sensitivity labels (optional but recommended)

Apply "FCI - Confidential" label to FCI documents. Label can auto-apply encryption and restrict printing/forwarding.

✅ OneDrive sync restrictions

Block sync on unmanaged/personal devices. Allow sync only from Intune-compliant or Entra-joined devices.

✅ Versioning enabled on FCI libraries

Ensure version history is on (50+ versions). This is also your ransomware recovery safety net.

✅ Evidence repo site created + locked down

Private site: CMMC evidence only. Permissions: MSP admin + customer Senior Official. No broad internal access.

✅ Device Compliance Policy

Require: OS min version (Win 11 22H2+), BitLocker = required, Defender = required, Firewall = required, no jailbreak, secure boot on

✅ BitLocker encryption profile

Full disk encryption on OS drive, AES 256-bit, recovery key escrowed to Entra ID. Startup PIN optional but adds security.

✅ Windows Defender Antivirus profile

Real-time protection ON, tamper protection ON, cloud-delivered protection ON, automatic sample submission ON, PUA protection ON

✅ Defender for Endpoint onboarding

Deploy MDE onboarding package via Intune. Verify in MDE portal that all devices show as "Active". Set EDR in block mode.

✅ Windows Update rings

Quality/security updates: 0–7 day deferral. Feature updates: 30-day deferral. Deadline enforcement: 3 days after deferral ends.

✅ Firewall config profile

Windows Firewall ON for all profiles (Domain, Private, Public). Inbound connections blocked by default. Log dropped packets.

✅ Screen lock / idle timeout

Screen lock after 15 min inactivity, require password to unlock, enforce via Device Restrictions config profile

✅ USB/removable storage restriction

Block or audit USB mass storage. Use Device Control policy in MDE or Intune Device Restrictions profile. Maps to MP.1.118.

✅ Local admin restrictions

Remove standard users from local admin group. Use Windows LAPS (Local Admin Password Solution) for managed local admin accounts.

✅ Conditional Access — compliant device required

Require device marked "Compliant" in Intune before allowing M365 access. Blocks non-enrolled devices from accessing FCI.

✅ Unified Audit Log — ON

Purview compliance portal → Audit → confirm enabled. Captures sign-ins, file access, admin changes, mailbox events.

✅ Mailbox auditing — ON for all users

Run: Set-OrganizationConfig -AuditDisabled $false in Exchange Online PowerShell. Verify per-mailbox audit actions.

✅ Sign-in logs retained 90+ days

Default Entra sign-in logs: 30 days (P1) or 7 days (free). Export to Log Analytics or Storage Account for longer retention.

✅ Microsoft Secure Score — baseline documented

Screenshot Secure Score dashboard as evidence. Target 70%+ before attestation. Export improvement actions as your gap list.

✅ Defender for Endpoint alerts configured

Set up email notifications for high-severity alerts to MSP security mailbox. Review MDE incidents weekly at minimum.

✅ Failed login monitoring

Entra ID Protection or Smart Lockout handles automated response. Review risky users report weekly. Document review cadence in SSP.

✅ Admin activity alerts

Set alert policies for: new Global Admin added, bulk file deletion, mail forwarding rule created, suspicious sign-in. Built into Purview.