
Microsoft SharePoint Online
Microsoft 365 (M365) SharePoint Online is a web-based collaboration and document management platform. It is primarily used to collaborate on documents and communicate information in projects. M365 OneDrive is a cloud-based file storage system primarily used to store a user’s personal files, but it can also be used to share documents with others. This secure configuration baseline (SCB) provides specific policies to strengthen the security of both services.
The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance and capabilities to secure federal civilian executive branch agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments.
The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Security Solutions
1. External Sharing
This section helps reduce security risks related to sharing files with users external to the agency. This includes guest users, users who use a verification code, and users who access an Anyone link.
MS.SHAREPOINT.1.1v1 – External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.
- Rationale: Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.1.2v1 – External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.
- Rationale: Sharing files outside the organization via OneDrive increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of unauthorized access to information.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.1.3v1 – External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
- Rationale: By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators help prevent sharing with unknown organizations and individuals.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is not set to Only people in your organization.
- MITRE ATT&CK TTP Mapping:
Resources:
- Overview of external sharing in SharePoint and OneDrive in Microsoft 365 | Microsoft Documents
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Documents
License Requirements:
- N/A
2. File and Folder Default Sharing Settings
This section provides policies to set the scope and permissions for sharing links to secure default values.
MS.SHAREPOINT.2.1v1 – File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).
- Rationale: By making the default sharing the most restrictive, administrators prevent accidentally sharing information too broadly.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.2.2v1 – File and folder default sharing permissions SHALL be set to View.
- Rationale: Edit access to files and folders could allow a user to make unauthorized changes. By restricting default permissions to View, administrators prevent unintended or malicious modification.
- Last modified: June 2023
- MITRE ATT&CK TTP Mapping:
License Requirements:
- N/A
3. Securing Anyone Links and Verification Code Users
Sharing files with external users by using Anyone links or verification codes is strongly discouraged because it grants access to data within a tenant with weak or no authentication. If these features are used, this section details access restrictions that provide limited mitigation of the resulting risk.
Note: The settings in this section are only applicable if an agency is using Anyone links or Verification code sharing. See each policy below for details.
MS.SHAREPOINT.3.1v1 – Expiration days for Anyone links SHALL be set to 30 days or less.
- Rationale: Links may be used to provide access to information for a short period of time. Without expiration, however, access is indefinite. By setting expiration timers for links, administrators prevent unintended sustained access to information.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone.
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.3.2v1 – The allowable file and folder permissions for links SHALL be set to View only.
- Rationale: Unauthorized changes to files can be made if permissions allow editing by anyone. By restricting permissions on links to View only, administrators prevent anonymous file changes.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone.
- MITRE ATT&CK TTP Mapping:
MS.SHAREPOINT.3.3v1 – Reauthentication days for people who use a verification code SHALL be set to 30 days or less.
- Rationale: A verification code may be given out to provide access to information for a short period of time. By setting expiration timers for verification code access, administrators prevent unintended sustained access to information.
- Last modified: March 2025
- Note: This policy is only applicable if the external sharing slider in the SharePoint admin center is set to Anyone or New and existing guests.
- MITRE ATT&CK TTP Mapping:
License Requirements:
- N/A
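As an added example that is not part of the CISA baseline or of this page, the following PowerShell script audits a tenant against the policies in sections 1 through 3 (MS.SHAREPOINT.1.1v1 through 3.3v1) using the SharePoint Online Management Shell, and applies the corresponding Set-SPOTenant parameters when run with -Remediate. The admin URL and the approved domain list are placeholders to replace with your own values; the security-group allow list mentioned in MS.SHAREPOINT.1.3v1 is configured in the SharePoint admin center and is not checked here.

```powershell
<#
  Added example (not CISA's or this page's own code): audit, and optionally
  remediate, tenant settings for MS.SHAREPOINT.1.1-1.3, 2.1-2.2 and 3.1-3.3.
  Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint
  administrator account. $AdminUrl and $ApprovedDomains are placeholders.
#>
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder tenant
    [string[]]$ApprovedDomains = @("partner.gov"),              # placeholder allow list
    [switch]$Remediate
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl
$t = Get-SPOTenant

# Slider positions in the admin center as reported by Get-SPOTenant:
#   Disabled                        -> Only people in your organization
#   ExistingExternalUserSharingOnly -> Existing guests
#   ExternalUserSharingOnly         -> New and existing guests
#   ExternalUserAndGuestSharing     -> Anyone
$spo      = "$($t.SharingCapability)"
$restrict = @("Disabled", "ExistingExternalUserSharingOnly")
$anyone   = $spo -eq "ExternalUserAndGuestSharing"
$guests   = $spo -in @("ExternalUserAndGuestSharing", "ExternalUserSharingOnly")

# Each entry: policy id, whether it applies at the current slider position,
# whether the tenant passes, and the Set-SPOTenant parameters that fix it.
$checks = @(
    @{ Id = "MS.SHAREPOINT.1.1v1"; Applies = $true
       Pass = $spo -in $restrict
       Fix  = @{ SharingCapability = "ExistingExternalUserSharingOnly" } }
    @{ Id = "MS.SHAREPOINT.1.2v1"; Applies = $true
       Pass = "$($t.OneDriveSharingCapability)" -in $restrict
       Fix  = @{ OneDriveSharingCapability = "ExistingExternalUserSharingOnly" } }
    @{ Id = "MS.SHAREPOINT.1.3v1"; Applies = ($spo -ne "Disabled")
       Pass = "$($t.SharingDomainRestrictionMode)" -eq "AllowList"
       Fix  = @{ SharingDomainRestrictionMode = "AllowList"
                 SharingAllowedDomainList     = ($ApprovedDomains -join " ") } }
    @{ Id = "MS.SHAREPOINT.2.1v1"; Applies = $true
       Pass = "$($t.DefaultSharingLinkType)" -eq "Direct"   # Direct = Specific people
       Fix  = @{ DefaultSharingLinkType = "Direct" } }
    @{ Id = "MS.SHAREPOINT.2.2v1"; Applies = $true
       Pass = "$($t.DefaultLinkPermission)" -eq "View"
       Fix  = @{ DefaultLinkPermission = "View" } }
    @{ Id = "MS.SHAREPOINT.3.1v1"; Applies = $anyone
       # -1 means Anyone links never expire, so require a value in 1..30
       Pass = ($t.RequireAnonymousLinksExpireInDays -ge 1) -and
              ($t.RequireAnonymousLinksExpireInDays -le 30)
       Fix  = @{ RequireAnonymousLinksExpireInDays = 30 } }
    @{ Id = "MS.SHAREPOINT.3.2v1"; Applies = $anyone
       Pass = ("$($t.FileAnonymousLinkType)" -eq "View") -and
              ("$($t.FolderAnonymousLinkType)" -eq "View")
       Fix  = @{ FileAnonymousLinkType = "View"; FolderAnonymousLinkType = "View" } }
    @{ Id = "MS.SHAREPOINT.3.3v1"; Applies = $guests
       Pass = $t.EmailAttestationRequired -and
              ($t.EmailAttestationReAuthDays -ge 1) -and ($t.EmailAttestationReAuthDays -le 30)
       Fix  = @{ EmailAttestationRequired = $true; EmailAttestationReAuthDays = 30 } }
)

foreach ($c in $checks) {
    if (-not $c.Applies) { Write-Host "$($c.Id): N/A (not applicable at current sharing setting)"; continue }
    if ($c.Pass)         { Write-Host "$($c.Id): PASS"; continue }
    Write-Host "$($c.Id): FAIL"
    if ($Remediate) {
        $fix = $c.Fix
        Set-SPOTenant @fix       # splat the remediation parameters
        Write-Host "  applied: $($fix.Keys -join ', ')"
    }
}
```

Run it without -Remediate first and review the FAIL lines; the 1.3 remediation in particular replaces the tenant-wide allowed domain list, so confirm $ApprovedDomains reflects every domain your interagency collaboration actually needs. Microsoft does not allow the OneDrive setting to be more permissive than the SharePoint setting, so tightening SharingCapability for 1.1 also constrains what 1.2 can be set to.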