Beyond basic security, many organizations also use a number of risk management frameworks to better understand and mitigate risks to themselves and their data. To that end, this feature is meant to provide a mapping between the M365 secure baselines and one or more common risk management frameworks or other security configuration baselines.
Steps to complete this epic include:
Identifying which framework(s) and baseline(s) to map against
Analyzing the controls within the frameworks to map between M365 SCBs and the candidate framework(s)
Updating the M365 SCBs to include mapping information on a policy item level
Initiative / Goal
The goal is to create an easy-to-use reference to map policy items in the M365 SCB to security controls or configuration items in other baselines or risk management frameworks.
Hypothesis
Adding mapping information to the M365 SCBs will provide value to additional sets of stakeholders, such as risk managers and security analysts, and will support organizational risk management activities by providing a clear relationship between SCB policy configuration items and security controls.
Acceptance criteria
Criteria that are considered must-have for feature launch and in scope for this epic include:
[ ] New field formatting to contain mapping information for the SCBs has been proposed and agreed upon
[ ] Risk management framework control sets and/or baseline policy items have been identified for mapping
[ ] All of the M365 SCBs have been mapped to the identified frameworks/baselines
[ ] Updated M365 SCBs with mapping information have been published
Stakeholders / Resources
Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to risk management framework and candidate baseline documentation.
Timeline
The projected timeline for delivery of this epic feature is currently in the June timeframe.
Associated Tasks
See details in the following issues: