Exostar’s Managed Microsoft 365 for CMMC - CMMC v 2.0 L2/NIST SP 800-171r2 Compliance Support Matrix

The purpose of this document is to describe how Exostar’s Managed Microsoft 365 for CMMC solution reduces the effort of a Subscriber to support the compliance requirements within CMMC v 2.0 L2 / NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Non-federal Information Systems and Organizations, Revision 2. Specific Subscriber scenarios may necessitate additional compensating controls to meet regulations. Some requirements are outside of the responsibility/scope of Exostar’s software and systems.

Definitions

Subscriber

An organization that purchases this solution and stores content within Exostar’s systems.

Full Compliance Status

Exostar’s systems comply with the CMMC v 2.0 L2/NIST 800-171r2 regulations when content is stored within the system.

Shared Compliance Status

For the Subscriber to be fully compliant with the CMMC v 2.0 L2/NIST 800-171r2 regulations, the Subscriber must comply with its independent obligations regarding the controls beyond Exostar’s processes or technology. This Subscriber compliance obligation applies to any product a Subscriber purchases.

References

252.204-7021 Cybersecurity Maturity Model Certification

Requirements

Supplier Security Requirements Compliance Matrix

Family Req ID Requirement Text Responsibilities Shared or Full Compliance
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Exostar has implemented an access management system that limits system access to authenticated authorized users, processes, and systems. Authorized users, devices, systems, and services are issued unique account identifiers suitable for the access level required. Shared Responsibility Matrix Full Compliance
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Exostar has implemented role-based access controls to limit user access to specific functions. System administrators are assigned the minimum access roles to perform their job’s transactions and functions. Identifiers associated with users, devices, systems, and services are assigned roles within the system that control access to system functions and data. Application roles control the transactions and functions authorized users are permitted to execute. Shared Responsibility Matrix Full Compliance
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Exostar and Microsoft have implemented technical controls within Managed Microsoft 365 for CMMC and Teams that restrict the flow of CUI within the system and only allow authorized user accounts access to specific teams and information stores. Shared Responsibility Matrix Full Compliance
Access Control 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. There is separation of duties between Exostar’s application administrators, engineers, and data owners in both IAM and Exostar’s Managed Microsoft 365 for CMMC. Separation of duties is implemented at multiple levels in all computing environments. Administrative control of the platform is separated from administration of the system event logging / auditing platform, from compliance reporting functions, and from application administrative / user access control management. Shared Responsibility Matrix Full Compliance
Access Control 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. The IAM platform and Exostar’s Managed Microsoft 365 for CMMC implement the principle of least privilege throughout the system. Users and administrators must be explicitly granted access to privileged accounts and security functions. The information system has Role Based Access Control (RBAC) structure implemented to limit the data and functions that the role holders may perform. Individual roles are designed to limit users’ access to the minimum set of functions and data to perform their job functions. Shared Responsibility Matrix Full Compliance
Access Control 3.1.6 Use non-privileged accounts or roles when accessing non-security functions. Exostar personnel are provisioned with separate system accounts for use when performing privileged security functions and non-privileged user functions. System administrators limit the assignment of roles to each account commensurate with the users’ job functions. Subscriber personnel cannot be assigned to M365 privileged roles, which are restricted to the compute tenant’s service account. *Disclaimer – Subscriber has discretion to assign two accounts to users with both privileged and non-privileged job functions. Shared Responsibility Matrix Full Compliance
Access Control 3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. The system prevents the performance of privileged tasks by non-privileged users through the use of system roles that prevent access to privileged data and functions. Exostar personnel without privileged job functions are restricted to being assigned roles that do not allow access to privileged security functions. When privileged functions are performed by any user, an event is written to the audit logs, including user identity data, to permit detection of unauthorized system operation. Shared Responsibility Matrix Full Compliance
Access Control 3.1.8 Limit unsuccessful logon attempts. The system limits users to five (5) unsuccessful attempts in a set time-period before locking the account from use for a subsequent 15 minutes. The user account cannot be used to access the system until the lockout period has expired. Shared Responsibility Matrix Full Compliance
Access Control 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. Privacy and security notices are configurable within the application in accordance with applicable CUI/CDI rules. Shared Responsibility Matrix Full Compliance
Access Control 3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. After a session has been idle for a preset time period, the session times out and the user is logged out of the system. The system then displays the general login screen and prevents access to or viewing of system data. The MAG/IAM platform has a session time-out of 30 minutes. Exostar’s Managed Microsoft 365 for CMMC has an 8-hour session time-out. Shared Responsibility Matrix Full Compliance
Access Control 3.1.11 Terminate (automatically) a user session after a defined condition. User sessions are automatically terminated after specific conditions are encountered in the system, including session timeout discussed in 3.1.10. Shared Responsibility Matrix Full Compliance
Access Control 3.1.12 Monitor and control remote access sessions. Remote sessions are monitored and controlled at managed system entry points from the Internet to internal system resources. System access controls restrict remote session access to authorized traffic / use patterns and session traffic is monitored and analyzed continuously for anomalous activity. Shared Responsibility Matrix Full Compliance
Access Control 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Exostar uses TLS 1.2 / 1.3 using FIPS 140-2 validated ciphers to protect remote access sessions. Devices providing encryption services are listed in the system security plan with their CMVP certificate number. Shared Responsibility Matrix Full Compliance
Access Control 3.1.14 Route remote access via managed access control points. Exostar restricts system user access to secure managed access points implemented in Azure App Gateway and Firewall services exposed to the Internet. Remote access to the solution’s platform (hosts) is restricted to managed bastions that can only be accessed through a company managed VPN system. Shared Responsibility Matrix Full Compliance
Access Control 3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. The system restricts remote execution of privileged functions and access to system security information to users that have been pre-authorized and granted privileged administrative system roles. Privileged and non-privileged roles, with each role’s access permission(s), are detailed in system documentation. Shared Responsibility Matrix Full Compliance
Access Control 3.1.16 Authorize wireless access prior to allowing such connections. Access to Exostar’s employee wireless network is restricted to authorized company issued laptops and mobile computing devices. Authorized devices are issued a PKI certificate for identification / authentication purposes. Devices lacking a valid PKI certificate are not allowed to connect to the employee wireless network. Subscribers are responsible for authorizing use of wireless access for the subscriber’s devices. Exostar does not have control over subscriber’s wireless infrastructure or configuration. Shared Responsibility Matrix Full Compliance
Access Control 3.1.17 Protect wireless access using authentication and encryption. Internal Exostar employee wireless network traffic is encrypted throughout Exostar’s offices. Subscribers are responsible for configuration and control of their wireless connections. Exostar does not have control over subscriber’s wireless infrastructure or configuration. Shared Responsibility Matrix Full Compliance
Access Control 3.1.18 Control connection of mobile devices. Exostar manages company smart phone devices using an MDM solution. Subscribers are responsible for control and management of their mobile devices. Exostar does not have control over subscriber’s mobile devices or device management. Shared Responsibility Matrix Full Compliance
Access Control 3.1.19 Encrypt CUI on mobile devices and mobile computing platforms. Although Exostar employees do not have access to Subscriber data, and it is never stored on external information systems, data on company laptops (mobile computing devices) is protected by full disk encryption. Subscribers are responsible for content on their users’ mobile devices. Exostar does not have control over subscriber’s mobile devices or device management. Shared Responsibility Matrix Full Compliance
Access Control 3.1.20 Verify and control/limit connections to and use of external information systems. Exostar’s Managed Microsoft 365 is an external information system and Exostar verifies and controls user access. Connections from the system to external information systems, including Microsoft 365, are controlled and restricted to authorized systems and communications paths. Shared Responsibility Matrix Full Compliance
Access Control 3.1.21 Limit use of organizational portable storage devices on external information systems. Exostar employees do not have access to subscriber data. System hosts use an endpoint protection product that provides a means to restrict connection of portable storage devices. The endpoint software only allows known, authorized portable storage devices to connect to specific, authorized company laptops. Subscribers are responsible for information transferred to or stored on external information systems by their users. Exostar has no control over information transfers, processing, or storage after the information has been removed from the system. Shared Responsibility Matrix Full Compliance
Access Control 3.1.22 Control CUI posted or processed on publicly accessible systems. Exostar prohibits personnel from storing, posting, or processing CUI on unauthorized, publicly accessible systems. Exostar has implemented a process to review information before posting to publicly accessible systems and captures approvals of information releases. Subscribers are responsible for information posted or processed on publicly accessible systems by their users. Exostar has no control over information transfers or redistribution by subscriber’s users after the information has been removed from the system. Shared Responsibility Matrix Shared Compliance
Awareness and Training 3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. Exostar provides annual security policy, standards, and practices training to Exostar personnel. The training focuses on making personnel aware of the security risks of their activities and the policies, standards, and procedures that govern the firm’s information systems. Subscribers are responsible for training their organizational users. Exostar has no control over subscriber’s user training. Shared Responsibility Matrix Shared Compliance
Awareness and Training 3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Exostar provides job role-specific training for personnel, including the role’s information security-related duties and responsibilities. Subscribers are responsible for training their organizational users. Exostar has no control over subscriber’s user training. Shared Responsibility Matrix Shared Compliance
Awareness and Training 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. Exostar’s annual security awareness training is reinforced through periodic internal security newsletters addressing specific, timely security issues within the environment. Subscribers are responsible for training their organizational users. Exostar has no control over subscriber’s user training. Shared Responsibility Matrix Shared Compliance
Audit and Accountability 3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Exostar’s Managed Microsoft 365 for CMMC and MAG/IAM send event logs to a central security event monitoring system (SIEM) for analysis, alerting, and forensic capabilities. The SIEM system analyzes event data streams for unlawful, unauthorized, or inappropriate information system activity and will generate alerts for SOC staff / stakeholders for anomalous conditions. Event logs are retained for over one year for audit and forensic purposes. MM365 generates authentication event log messages upon receiving an identity assertion / successful login message from the authenticating IAM system. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. System users are issued unique account IDs; group accounts are not issued or permitted. User authentication events, security related events, and key user actions are logged with the user’s account ID to support full accountability for actions performed. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.3 Review and update audited events. Audit logs are available on-demand to designated administrators for authorized purposes. Content audits are available to Subscriber administrators according to their subscriber agreement terms and conditions. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.4 Alert in the event of an audit process failure. Exostar security event monitoring and audit logging systems generate alerts if logging processes fail anywhere in the environment. The security operations team monitors alerts and logs 24×7. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.5 Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. Exostar uses a SIEM to integrate and correlate audit review and analysis. Exostar’s SIEM system provides automated audit log review, analysis, and reporting processes. These processes support incident investigations and responses to indicators of system compromise. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting. System audit logs are available on-demand to designated, authorized administrators. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Exostar’s computing environments synchronize system clocks with a Tier 1 time source provided by NIST. MS Azure provides and manages time synchronization for system components that are deployed on Azure Platform as a Service products. Both utilize authoritative time reference sources for system event audit record time stamps. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion. Event logging and audit systems are protected from unauthorized information access, modification, and deletion by restricting access to a limited group of authorized audit administrators. Authorized administrators gain access to audit systems through the use of a privileged access MFA credential / authentication system that provides access control / authorization controls for sensitive systems and resources. Audit system access requires assignment of a specific, reserved privileged role. Shared Responsibility Matrix Full Compliance
Audit and Accountability 3.3.9 Limit management of audit functionality to a subset of privileged users. Event logging and audit systems are protected from unauthorized information access, modification, and deletion by restricting access to a limited group of authorized audit administrators. Authorized administrators gain access to audit systems through the use of a privileged access MFA credential / authentication system that provides access control / authorization controls for sensitive systems and resources. Audit system access requires assignment of a specific, reserved privileged role. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Exostar maintains inventory and configuration baselines for system components. Subscribers are responsible for managing and maintaining their equipment inventory and configurations. Exostar cannot control subscriber’s equipment configuration and inventory management practices. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems. Exostar has established and enforces security configuration baseline settings for system components and organizational systems. Subscribers are responsible for managing and maintaining their equipment inventory and configurations. Exostar cannot control subscriber’s equipment configuration and inventory management practices. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.3 Track, review, approve/disapprove, and audit changes to information systems. Exostar tracks, reviews, approves or disapproves, and audits changes to Exostar information systems via the company change management process / system. Subscribers are responsible for managing and maintaining their equipment inventory and configurations. Exostar cannot control subscriber’s equipment configuration and inventory management practices. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.4 Analyze the security impact of changes prior to implementation. Exostar analyzes the security impact of system changes as part of the change control process. System changes are reviewed and approved or rejected by the Product Owner, Security Office, and Operations prior to implementation. Subscribers are responsible for analyzing security impact for changes on their systems. Exostar cannot assess the security impact of system changes on subscribers’ processes and security controls. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. Exostar has defined, documented, and approved physical and logical access restrictions for the company’s information systems and enforces them. Exostar utilizes Microsoft Azure Commercial, Government, and GCC High environments and has inherited Microsoft’s FedRAMP High certification as assurance of the effectiveness of physical and logical cloud access controls. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities. Exostar designs, configures, and implements systems using only the components, software, and functions required for operation and removes non-essential functions / components from systems. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. Exostar has implemented access controls at the perimeter and key internal network control points to restrict / prevent the use of non-essential ports, protocols, and services within the system enclave. Endpoint control software, firewalls, network security groups, and host intrusion prevention / detection software have been implemented to control the use of unauthorized software and services. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Exostar has implemented a software execution whitelisting / allowlisting system to restrict execution of unauthorized software on system hosts. The execution whitelisting system is configured to enforce a deny-all / permit-by-exception strategy that restricts execution to authorized software only. Shared Responsibility Matrix Full Compliance
Configuration Management 3.4.9 Control and monitor user-installed software. Exostar has implemented two complementary systems for controlling the use of user-installed software on system hosts: a software execution whitelisting system and an endpoint protection system that monitors approved software for unauthorized changes / malware. Subscribers are responsible for monitoring and controlling user-installed software on their systems. Exostar cannot control the management or configuration of subscriber computing devices. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. Exostar products assign a unique account identifier to each system user and service. Account identifier uniqueness is enforced by the system application, cloud, and application identity management systems. All users, devices, and processes acting on behalf of users must use a valid account identifier to gain access to system resources. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Exostar employees and contractors are screened prior to employment and subjected to NIST SP800-63-compliant identity proofing prior to allowing access to organization information systems. Subscribers are responsible for performing pre-employment identity verification before allowing access to their organizational information systems. Exostar cannot control subscribers’ personnel screening processes. Shared Responsibility Matrix Shared Compliance
Identification and Authentication 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Exostar employees and contractors use multifactor authenticators with FIPS 140-2-validated encryption to authenticate to privileged and non-privileged system accounts via remote, local, and network connections. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Exostar uses multiple replay-resistant multifactor authenticators to control authentication to network access for privileged and non-privileged accounts. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.5 Prevent reuse of identifiers for a defined period. The identity and access management components of Exostar’s Managed Microsoft 365 for CMMC prevent reuse of account identifiers, in addition to the identifier reuse prevention built into the Microsoft 365 platform. Identifier reuse prohibitions are configured from two years to indefinitely, depending upon the authenticator. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.6 Disable identifiers after a defined period of inactivity. Organization Account Identifier: the organization identifier is deactivated after 180 days of inactivity if the account holder has not yet logged in and accepted the system Terms and Conditions, and permanently deactivated after 760 days of inactivity. User Account Identifier: the identifier is suspended after 180 days without accessing the Microsoft 365 application (default), and deleted after having been suspended for 185 days (default). Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Exostar’s MAG/IAM platform enforces password complexity and change-of-characters controls for the system. Passwords must be 15 to 64 characters long and include characters from three of these four categories: lower-case letters, upper-case letters, digits 0-9, and special characters. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.8 Prohibit password reuse for a specified number of generations. Exostar’s MAG/IAM platform is configured to prohibit reuse of the past ten (10) generations of passwords for the information system as part of the password complexity and management logic within the system. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. Exostar’s MAG/IAM platform supports the use of one-time, temporary passwords that must be changed upon first login. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Exostar’s MAG/IAM platform and Microsoft Entra ID encrypt passwords using FIPS 140-2 validated encryption at rest and in transit. Shared Responsibility Matrix Full Compliance
Identification and Authentication 3.5.11 Obscure feedback of authentication information. During the authentication process, Exostar’s MAG/IAM platform obscures sensitive authentication data fields and failure feedback to prevent unauthorized disclosure of key user authentication data. Shared Responsibility Matrix Full Compliance
Incident Response 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Exostar has established robust incident-handling capabilities to detect, triage/analyze, and respond to potential incidents. Exostar’s incident response team and associated processes are patterned after NIST SP 800-61 and US-CERT guidance. The company’s incident response includes provisions for handling all incident phases, including preparation, detection, analysis, containment, recovery, user response, and external notification/communications. Subscribers are responsible for their own incident handling capabilities and processes. Shared Responsibility Matrix Shared Compliance
Incident Response 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. Exostar has mechanisms in place through its incident response process to track, document, and report incidents to the appropriate subscriber, law enforcement, and other governmental organizations within the prescribed timeframes. Subscribers are responsible for establishing and managing their own incident reporting processes and timeframes. Shared Responsibility Matrix Shared Compliance
Incident Response 3.6.3 Test the organizational incident response capability. Exostar has proven, robust, and well-tested incident response capabilities. Executive and legal incident response team training is in place, and incident response is tested at least annually. Subscribers are responsible for their own incident response plan and training activities. Shared Responsibility Matrix Shared Compliance
Maintenance 3.7.1 Perform maintenance on organizational systems. Exostar performs ongoing maintenance on its systems under secure conditions that maintain the confidentiality, integrity, and availability of the system and subscriber data. Shared Responsibility Matrix Full Compliance
Maintenance 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. System maintenance is conducted by only authorized Exostar engineers using vetted, authorized software and techniques. Maintenance activities are reviewed, approved/disapproved, and tracked through the company’s change control process. Shared Responsibility Matrix Full Compliance
Maintenance 3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. Exostar and Microsoft Azure Government and GCC High follow NIST 800-88 sanitization guidelines when erasing data, including CUI, prior to removing system components from the company-controlled areas for maintenance. Shared Responsibility Matrix Full Compliance
Maintenance 3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. Any new media is checked for malware and unauthorized programs/files before the media is used in an information system. Shared Responsibility Matrix Full Compliance
Maintenance 3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. Exostar requires the use of an authorized multifactor authenticator to authenticate local, remote, and network access to the application and associated systems. Non-local maintenance session connections are terminated upon completion of maintenance activities. Shared Responsibility Matrix Full Compliance
Maintenance 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. Authorized Exostar engineers supervise the maintenance activities on the system by personnel lacking the required access authorizations or credentials. Exostar relies upon Microsoft Azure Government and GCC High Environments FedRAMP High certification as evidence that they enforce this control in an effective, compliant manner. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. System data, including subscriber CUI stored in the Managed Microsoft 365 for CMMC system, is encrypted with FIPS 140-2 validated encryption and securely stored in Microsoft Azure Government cloud storage accounts. Microsoft has physical custody and control of the mass storage devices used by the system. Exostar relies on the Microsoft Azure Government cloud's FedRAMP High certification as evidence that system media in all forms are handled and stored securely under Microsoft's controls, in accordance with FedRAMP / government requirements. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.2 Limit access to CUI on system media to authorized users. Exostar’s Managed Microsoft 365 for CMMC securely stores CUI and provides access to it only to those authorized by the subscriber. Exostar engineers do not have access to subscriber data. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse. The data sanitization procedures of Exostar and of Microsoft Azure Government and GCC High are aligned with US DoD standards. Exostar destroys system media that may have contained subscriber information, including CUI, when disposing of the media. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.4 Mark media with necessary CUI markings and distribution limitations. Exostar labels removable system media containing known CUI with applicable security labels or markings, distribution limitations, and handling instructions. Subscribers or the organization that originated the CUI data are responsible for marking CUI data stored in the system. It is the Subscriber's responsibility to manage/grant/revoke user access to CUI data. Exostar has no control over information transfers, media marking, or distribution by subscriber's users after the information has been removed from the system. Shared Responsibility Matrix Shared Compliance
Media Protection 3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Exostar’s Managed Microsoft 365 for CMMC controls access to and accountability for media when the data is transported outside the solution. Subscribers are responsible for the data downloaded to their own systems or otherwise copied from the system. Exostar has no control over information transfers, media marking, or distribution by subscriber’s users after the information has been removed from the system. Shared Responsibility Matrix Shared Compliance
Media Protection 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Exostar’s Managed Microsoft 365 for CMMC encrypts system data at rest with FIPS 140-2 validated encryption. System media being physically transported to an alternate location is likewise encrypted. Subscribers are responsible for data encryption and protection on their own systems. Exostar has no control over information transfers, media marking, or distribution by subscriber’s users after the information has been removed from the system. Shared Responsibility Matrix Shared Compliance
Media Protection 3.8.7 Control the use of removable media on system components. Exostar does not allow any unauthorized removable media, nor do Microsoft Azure Government or GCC High. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. Exostar does not allow any unauthorized removable media use with the system, has implemented a removable media authorization program, and has technical controls preventing connection of portable storage devices to endpoints. Microsoft Azure Government and GCC High prohibit the use of unauthorized portable storage devices. Shared Responsibility Matrix Full Compliance
Media Protection 3.8.9 Protect the confidentiality of backup CUI at storage locations. System backups inside and outside the Microsoft Azure clouds are encrypted with FIPS 140-2 validated encryption to protect the confidentiality of system information. Shared Responsibility Matrix Full Compliance
Personnel Security 3.9.1 Screen individuals prior to authorizing access to information systems containing CUI. Exostar performs background checks and in-person identity proofing of employees and contractors prior to authorizing access to production system resources. Subscribers are responsible for screening their personnel prior to authorizing system access. Shared Responsibility Matrix Full Compliance
Personnel Security 3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. Exostar reassesses and revises authorized system access for personnel undergoing a transfer to another role and promptly removes system access for terminations. Subscribers are responsible for managing their employees’ access to their systems during and after personnel actions including terminations and transfers. Exostar has no control over subscribers’ personnel processes. Shared Responsibility Matrix Shared Compliance
Physical Protection 3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Exostar limits physical access to system components to authorized personnel and then only under two-person control. Microsoft Azure Government and GCC High limit physical access to all systems hosted in the Azure-based solution components. Shared Responsibility Matrix Full Compliance
Physical Protection 3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems. Microsoft Azure Government and GCC High are FedRAMP High certified, which attests to the physical facility protections. System components deployed outside the Azure cloud are similarly physically protected in an assessed secure facility that includes multiple layers of physical access controls, including biometric authentication, to restrict data center and system access to authorized individuals, and full-time monitoring/control by guards. Shared Responsibility Matrix Full Compliance
Physical Protection 3.10.3 Escort visitors and monitor visitor activity. Exostar and Microsoft Azure personnel escort and monitor visitors in all data centers. Exostar escorts visitors within company offices as well. Shared Responsibility Matrix Full Compliance
Physical Protection 3.10.4 Maintain audit logs of physical access. Exostar's colocation space provider and Microsoft maintain independent operational and security access logs. Exostar audits physical access logs for the company's equipment cage within colocation hosting facilities. Shared Responsibility Matrix Full Compliance
Physical Protection 3.10.5 Control and manage physical access devices. Exostar’s colocation data center management controls and manages physical access to the facility and individual equipment cages within the space. Exostar enforces two-person control to gain access to system components deployed within the colocation facility. Microsoft controls and manages physical access to Azure data center facilities per the requirements of their FedRAMP High certification. Shared Responsibility Matrix Full Compliance
Physical Protection 3.10.6 Enforce safeguarding measures for CUI at alternate work sites. Exostar protects system information at alternate work sites via policy and technical means. Company policy prohibits copying subscriber information to devices outside the production computing environment and requires that sensitive, non-subscriber information be processed and stored only on company-issued laptops. Technical controls include full disk encryption on all company laptops and restriction of remote and network access to system resources to an authorized VPN that encrypts data in transit with FIPS 140-2 validated encryption. Access to production resources is authenticated with FIPS 140-2 validated multifactor authenticators. Subscribers are responsible for implementing means of protecting system information at alternate work sites. Exostar has no control over subscribers' alternate work sites or the information protections implemented there. Shared Responsibility Matrix Shared Compliance
Risk Assessment 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Exostar has a risk assessment process for the overall enterprise and individual information systems. This process is guided by NIST 800-39 and NIST 800-30. Exostar security risks are incorporated into the overall company risk portfolio and managed with other business risks. Subscribers are responsible for their own overall Risk Assessment and mitigation processes related to protecting system information. Shared Responsibility Matrix Shared Compliance
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Exostar actively scans infrastructure, applications, and databases for vulnerabilities at least weekly and when new applicable vulnerabilities are identified. System infrastructure components are scanned continuously or daily depending on the component, while dynamic application scanning is performed weekly. System components/applications are scanned on demand in response to changes in the threat landscape. Shared Responsibility Matrix Full Compliance
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Exostar’s vulnerability management program identifies vulnerabilities and works with the system owners to remediate them in a prioritized approach within the remediation timelines established in Exostar information security policy. Shared Responsibility Matrix Full Compliance
Security Assessment 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Exostar has internal and external assessment/audit programs that provide visibility and governance into the adequacy and effectiveness of system controls being applied to the system. Subscribers are responsible for assessing their controls regarding system access and data management within the application. Exostar has no control over subscribers’ frequency and processes for assessing the effectiveness of the subscribers’ information security controls. Shared Responsibility Matrix Shared Compliance
Security Assessment 3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Exostar’s assessment/audit programs identify control weaknesses and work with the system owners to remediate them in a prioritized approach within the remediation timelines established in Exostar information security policy. Shared Responsibility Matrix Full Compliance
Security Assessment 3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Exostar’s continuous monitoring process assesses security control effectiveness on an ongoing basis. The observations of the monitoring process are used to revise controls as needed throughout the year between external audits/assessments. Shared Responsibility Matrix Full Compliance
Security Assessment 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Exostar’s system security plan outlines the system and operating environment, security requirements, describes how controls are implemented, and how the in-scope system connects with other internal and external information systems and operating environments. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Microsoft controls, protects, and monitors the Azure Government and GCC High management and data communications networks within their cloud environments, as documented in their FedRAMP High Certification package. Exostar has implemented Internet boundary network communications monitoring, access controls, and intrusion prevention systems to protect system communications and protects the private virtual networks within the company’s computing environments. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Exostar has utilized secure architectural designs, systems engineering, and software development practices throughout the information system. Microsoft has implemented processes to promote and maintain effective security controls within the Azure Government and GCC High environments, per their FedRAMP High certification. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.3 Separate user functionality from system management functionality. Exostar has implemented effective separation of duties controls to separate system engineering and administration functions from general user access within information systems. System infrastructure and communications engineering team/roles are strictly separated from the team/roles with application administration and management. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. Exostar prevents unauthorized and unintended information transfer via shared system resources by leveraging the inherent process isolation features of the Windows and Linux operating systems, Java virtual machines, and the Azure App Service PaaS product. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Exostar has implemented a multi-tier architecture of VNETs, VLANs, and subnets using firewalls and network security groups to separate publicly accessible resources from internal networks. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Exostar employs a deny all / least privilege network communications model for access and communications allowing only planned ports, protocols, and resources to communicate with each other. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). Exostar employee laptop access to internal systems is routed through the VPN, which prohibits split tunneling for all laptops / computing devices used to remotely maintain and administer the system. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. System information, including CUI, is protected from unauthorized disclosure during transmission via TLS 1.2 / 1.3 with FIPS 140-2 validated encryption. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. At the end of a session or after a session has been idle for a preset time period, the user is logged out, and the session’s network connection is terminated by the system. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. Exostar cryptographic key management processes impose strict controls on the requesting, approval, generation, distribution, and retirement of keys throughout Exostar information systems. Cryptographic keys for Exostar’s solution are managed and stored in hardware security module systems and Azure Government Key Vaults, depending upon the system component. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. The cryptographic keys used in the solution are created using FIPS 140-2 validated encryption ciphers / systems. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. N/A — collaborative computing devices are prohibited within Exostar’s production computing environments. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.13 Control and monitor the use of mobile code. The system application runs the user interface in the user’s remote browser window. The user interface is written in TypeScript, HTML, and CSS to be processed by the browser’s JavaScript engine. The user interface is deployed in immutable packages to prevent unauthorized modifications to the code. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. N/A — VoIP technologies/protocols are not used and are blocked within Exostar's production computing environments. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.15 Protect the authenticity of communications sessions. The authenticity of system communications sessions is protected through the use of TLS 1.2 / 1.3 with FIPS 140-2 validated encryption, and system sessions / API calls are authenticated with either the user's system-generated identity token or a comparable system-to-system API authenticator from known external parties / IP addresses. Shared Responsibility Matrix Full Compliance
System and Communications Protection 3.13.16 Protect the confidentiality of CUI at rest. Exostar configured the solution to encrypt system data at rest with FIPS 140-2 validated cipher suites. System information stored in Azure clouds is encrypted at the storage level by default, as documented in Azure's FedRAMP High certification package. System data at rest outside the Azure cloud is encrypted at the storage array/drive level automatically by the storage area network control system. Select sensitive information stored within the system is further protected by the application code, which hashes the data element with a salt string or encrypts the data element with AES prior to writing the data to the system database. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. System flaws are identified through multiple industry/vendor sources, vulnerability scanning tools, and operational monitoring systems that utilize synthetic sessions/transactions. The operations group or the security intelligence and operations teams report identified flaws to system stakeholders/engineers in a timely manner for remediation. Stakeholders prioritize the flaw correction in accordance with operational requirements and information security policy-mandated timelines. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Malicious code protection is implemented at the platform level by endpoint protection software and software execution whitelisting software on each system host. The endpoint protection software scans files/executables for malicious content on upload to the system and on pre-execution file opening, and blocks execution of any malicious code found. The software execution whitelisting system adds to these protections by restricting the software that is allowed to execute on system hosts. All documents and other active files being checked in to or checked out of Exostar's Managed Microsoft 365 for CMMC are scanned for malicious content by the malicious software scanner integrated into the Microsoft 365 platform. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.3 Monitor system security alerts and advisories and take action in response. Exostar’s central SIEM system is monitored 24×7 and staff respond to security alerts and advisories according to established policy and incident response procedures. Microsoft provides 24×7 monitoring for Azure clouds and Microsoft 365 GCC High environments and responds to alerts according to their incident response procedures, per their FedRAMP High certification. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. The malicious code protection systems are automatically updated when new releases are made available by the manufacturer/vendor. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Exostar scans information systems for malware and vulnerabilities at least weekly using external and host-based products. Real-time malicious code protection is implemented at the platform level by endpoint protection software and software execution whitelisting software on each system host. All documents and other active files being checked in to or checked out of Exostar's Managed Microsoft 365 for CMMC are scanned for malicious content by the malicious software scanner integrated into the Microsoft 365 platform. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Exostar has implemented Internet boundary network communications monitoring to protect system communications and protects the private virtual networks within the company's computing environments. The external boundary controls limit system connections to authorized endpoints, protocols, and expected traffic sources for both inbound and outbound communications traffic. Microsoft controls, protects, and monitors the Azure Government and GCC High management and data communications networks within their cloud environments, as documented in their FedRAMP High certification package. Shared Responsibility Matrix Full Compliance
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Exostar monitors system activity at the network perimeter, application function, and operational levels to identify unauthorized use of the information system and responds promptly per established monitoring and incident investigation and response policies and procedures. Exostar's SIEM system is key to identifying unauthorized use, as it provides automated audit log review, analysis, and reporting processes. Unauthorized use can be traced to individual user accounts since system users are issued unique account IDs and group accounts are not issued or permitted. User authentication events, security-related events, and key user actions are logged by the application with the user's account ID to support full accountability for actions performed. Shared Responsibility Matrix Full Compliance
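Row 3.13.16 above states that select sensitive data elements are salted-and-hashed by the application before they are written to the database. The following is an added illustration of that pattern, not Exostar's code and not the solution's schema: it uses the standard-library PBKDF2-HMAC-SHA-256 construction (NIST SP 800-132) with a random per-record salt, stores only the salt and digest, and verifies a candidate value in constant time. The record layout, the 600,000-iteration work factor and the in-memory dictionary standing in for the database are assumptions made for the example. The AES path the row also mentions (for elements that must be recovered in clear) is not shown; hashing only fits elements that are ever compared, never read back.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed work factor for the example; tune to the deployment's CPU budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredElement:
    """What actually lands in the database: no plaintext, only salt + digest."""
    salt_hex: str
    digest_hex: str
    iterations: int


def protect_element(value: str, iterations: int = PBKDF2_ITERATIONS) -> StoredElement:
    """Derive a salted PBKDF2-HMAC-SHA256 digest to store in place of the value.

    A fresh random salt per record means two records holding the same value
    get different digests, so a precomputed table cannot be reused across rows.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, iterations)
    return StoredElement(salt.hex(), digest.hex(), iterations)


def verify_element(candidate: str, stored: StoredElement) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, stored.iterations)
    return hmac.compare_digest(digest, bytes.fromhex(stored.digest_hex))


# Hypothetical persistence layer: a dict stands in for the system database.
def write_record(db: dict, record_id: str, sensitive_value: str) -> None:
    """Persist only the protected form; the plaintext never reaches the store."""
    db[record_id] = protect_element(sensitive_value)


def check_record(db: dict, record_id: str, candidate: str) -> bool:
    """True only if a record exists and the candidate matches its stored digest."""
    stored = db.get(record_id)
    return stored is not None and verify_element(candidate, stored)


def stored_values_differ(db: dict, id_a: str, id_b: str) -> bool:
    """Demonstrates the effect of per-record salting on identical inputs."""
    return db[id_a].digest_hex != db[id_b].digest_hex


if __name__ == "__main__":
    db: dict = {}
    # Constructed sample values, not real identifiers.
    write_record(db, "rec-1", "constructed-secret-0001")
    write_record(db, "rec-2", "constructed-secret-0001")
    print("match:", check_record(db, "rec-1", "constructed-secret-0001"))
    print("mismatch:", check_record(db, "rec-1", "constructed-secret-0002"))
    print("same input, different digests:", stored_values_differ(db, "rec-1", "rec-2"))
    print("row rec-1 holds:", db["rec-1"])
```

The design choice worth noting for an assessor is in `write_record`: the only code path to the store goes through `protect_element`, so a dump of the table yields salts and digests but never the element itself, and `hmac.compare_digest` keeps the verification step from leaking match length through timing.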