A county runs on Microsoft 365 now. The clerk’s office, the recorder, the assessor, the sheriff’s records unit, public works, the board of commissioners — they are all in the same Exchange Online tenant, the same SharePoint, the same Teams. Most of them are running on whatever license the prior IT director negotiated, configured to whatever defaults Microsoft shipped, monitored by whoever happens to be on call this week. The IT shop is two people. One of them is also the GIS administrator. The other one is also the phone system.
This is not a complaint. It is the operating reality of small and mid-size local government in 2026, and it is exactly why counties are the soft target. The threat actors know it. RaccoonO365’s phishing-as-a-service kit alone harvested at least 5,000 Microsoft credentials across 94 countries before Microsoft seized 338 of its domains in September 20251. OAuth device code phishing campaigns have been actively targeting U.S. government, transportation, and academic tenants since the second half of 2024, and the actors behind them — including a Russia-aligned cluster tracked as UNK_AcademicFlare — are specifically using compromised government and military mailboxes to chain into adjacent organizations2. Ransomware crews are now picking up the phone, calling Teams, and walking helpdesks through their own compromise3.
The good news is that you do not have to design a defense for any of this from first principles. The previous post on this site argued that you should stop inventing security and use the benchmarks. The same argument applies here, and the work has already been done specifically for Microsoft 365. CISA’s Secure Cloud Business Applications (SCuBA) baselines and the CIS Microsoft 365 Foundations Benchmark are sitting on the table, free, peer-reviewed, and updated. What changes, in a county, is the licensing — because the controls those baselines describe are not all available at every tier, and the right baseline for your environment is the one your license can actually enforce.
This post is for two readers at the same time. The first half is for elected officials, finance directors, and CIOs deciding what to fund. The second half is for the IT staff who have to turn the funded license into a configured tenant. If you are the first reader, skim the licensing decision and the budget framing and stop. If you are the second reader, the baseline section is where the work is.
What counties are actually getting attacked for
Before any licensing or configuration discussion, it helps to be specific about what the threat looks like, because it shapes the controls you need.
County tenants attract attackers for four reasons, in roughly this order. They hold Criminal Justice Information (CJI) — sheriff’s records, dispatch logs, NCIC queries — which is regulated, valuable, and resold readily. They hold property and tax records, which underwrite a steady trade in title fraud and tax-refund schemes. They have direct payment authority — accounts payable, payroll, vendor onboarding — which makes them a high-yield target for business email compromise. And they have trust relationships with state and federal agencies, school districts, and other counties, which means a compromised county mailbox is a credible launching pad for the next step.
The attacks reaching those targets are not exotic. They are the same techniques running against every M365 tenant in the country, and they exploit the same gaps. Adversary-in-the-middle phishing kits proxy the entire Microsoft login sequence, including the MFA prompt, and walk away with a session cookie that is good until it expires. Device code phishing tricks a user into entering an attacker-supplied code into the legitimate Microsoft device-login page, which authorizes the attacker’s session. OAuth consent phishing convinces a user to grant a malicious application permission to read their mail and files indefinitely, with no further credential exchange required. Helpdesk social engineering — including the Teams-based incidents Sophos documented in late 2024 — works against the people in your tenant rather than the tenant itself3.
The controls that defeat these attacks are not exotic either. Phishing-resistant MFA. Conditional access. Strict OAuth app governance. Tight external-collaboration policies. Real audit logs reviewed by someone with authority to act. All of those exist in Microsoft 365 today. Whether your license includes them is the part that varies.
The licensing fork: commercial, GCC, or GCC High
Counties land in one of three Microsoft 365 environments, and the choice between them is structural — not a configuration option you can flip later.
Microsoft 365 Commercial is the standard cloud. It is what every business and most local governments run. Its data centers are global, its support staff are global, and its compliance certifications are broad but generic. It is fine for the great majority of municipal data — minutes, agendas, public records, internal email, payroll, the clerk’s recordings — and it is the least expensive of the three.
Microsoft 365 Government Community Cloud (GCC) is a separate cloud built specifically for U.S. federal, state, local, and tribal governments. Data centers are inside the continental United States, screened U.S. personnel handle support, and the cloud is contractually attested to meet FedRAMP High, the FBI’s CJIS Security Policy, and IRS Publication 10754. It is the cloud you want if any part of your operation handles CJI — the sheriff’s office, dispatch, the prosecutor’s office, the jail. GCC pricing is a modest premium over commercial, and the feature gap with commercial closed substantially in 2024 and 2025.
Microsoft 365 GCC High is an isolated cloud, hosted on Azure Government infrastructure, supported by a U.S.-based and security-cleared team. It is built for organizations handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012, ITAR, and CMMC Level 2 or higher5. For a county, GCC High is almost always the wrong answer. It is roughly 30 to 50 percent more expensive than commercial, the feature parity lag is real, and very few county functions actually require it. The exceptions are narrow: a county directly executing defense contracts, or a sheriff’s office in a host-state arrangement that has been told by the federal partner to operate in GCC High specifically. Microsoft launched a GCC High Business Premium SKU in November 20256, which softens the price hit if you have determined you need it — but the threshold for needing it is high, and most counties never cross it.
The decision tree, simplified: do you process, store, or transmit CJI in any tenant service — including unstructured copies in someone’s OneDrive? If yes, GCC. If no, commercial is appropriate. Do you handle CUI under federal contract or ITAR-controlled material? If yes, GCC High. If no, do not pay for it.
Two practical traps in this decision are worth flagging. The first is that “we don’t have CJI in M365” is often wrong. Sheriff’s deputies forward NCIC printouts to the clerk for a court packet. Dispatch sends shift summaries containing license plate runs. The prosecutor’s office stores discovery on SharePoint. CJI tends to spread, and if your tenant is commercial when CJI lands in it, you have a non-compliant configuration and a notification obligation, not a tooling problem. The second trap is the inverse — provisioning the entire county into GCC because the sheriff is in scope, when the rest of the county would be perfectly served by commercial. Many counties run a hybrid: GCC for the agencies that need it, commercial for the rest, with strictly governed federation between them. That is a more complex configuration but a defensible one.
The license tier inside the cloud
Once the cloud is decided, the next question is what license tier the users sit on, because the security controls described later in this post are gated by SKU. The mapping is the same in commercial and GCC; the SKU names are slightly different.
Business Premium / GCC High Business Premium is the small-business tier. As of 2026, it includes Microsoft Entra ID P1 (with conditional access), Defender for Office 365 Plan 1, Defender for Endpoint Plan 1, Intune mobile device and application management, Azure Information Protection, and a meaningful chunk of Purview — at a price point that is genuinely accessible for small counties7. Microsoft caps it at 300 users in commercial, which means it is a fit for small counties and unworkable for medium ones. For a 200-employee county with no plan to grow past 300, Business Premium is the most security-per-dollar in the catalog, and it is enough to enforce the great majority of the SCuBA baseline.
E3 (commercial) / G3 (GCC) / G3 (GCC High) is the enterprise mid-tier. It scales past 300 users and adds full Office on enterprise terms. It includes Entra ID P1, Defender for Endpoint P1, and the same conditional access engine as Business Premium. It does not include Defender for Office 365 P1 — that is a $2/user add-on, and one you should buy if you stop at G3. Without it, you are missing Safe Attachments, Safe Links, and the anti-phishing engine that the SCuBA Defender baseline assumes is present.
E5 / G5 / G5 is the top tier and is where the more sophisticated controls live: Microsoft Entra ID P2 (which includes Privileged Identity Management and Identity Protection’s risk-based conditional access), Defender for Office 365 Plan 2 (with attack simulation training and automated investigation/response), Defender for Endpoint Plan 2 (advanced hunting, threat analytics), Defender for Cloud Apps (the CASB that finds shadow IT and enforces session policies), Defender for Identity (which surfaces on-premises Active Directory attacks), and the full Purview stack including DLP, sensitivity labels, and insider risk8. E5 is where defense in depth becomes operationally feasible at the level CISA’s most rigorous baseline assumes.
The honest framing for counties: most should run G3 plus Defender for Office 365 P1 as the floor. The agencies with the highest risk surface — the sheriff’s records unit, finance, the IT department itself — should sit on G5 or, more economically, on G3 with E5 Security as an add-on, which buys the security stack of E5 without the productivity premium. This kind of split-tier licensing is unloved by procurement because it complicates the renewal, but it is how you fit a defensible posture inside a real budget.
A note on the Microsoft 365 E5 Security add-on specifically. It is roughly $12/user/month and bundles Entra ID P2, Defender for Endpoint P2, Defender for Cloud Apps, Defender for Identity, and Defender for Office 365 P2 onto an E3/G3 base7. For a county where leadership has been quoted the full E5 jump and recoiled at the price, E5 Security is the conversation to have. The number of counties that need all of E5 — including the analytics and voice components — is small. The number that need the security side of E5 is much larger.
The baseline, anchored to consensus
What follows is the technical baseline. It is organized by service area, anchored to two published documents that you should read in full before deciding any of this is correct: CISA’s Secure Configuration Baselines for Microsoft 365 (with ongoing updates tracked in the SCuBAGear GitHub repository9) and the CIS Microsoft 365 Foundations Benchmark, currently at v6.0.1 — the v6 line released October 31, 2025 expanded to 140 controls across Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power BI, and Microsoft Entra ID10. Where the two disagree, the disagreement is informative — but for a county environment, both should be in scope.
This is not a complete replication of either document. It is the spine — the controls that, if absent, leave a county tenant exposed to the attacks above, and that, if present, make the rest of a defensible posture possible.
Identity (Microsoft Entra ID)
Identity is the front door, and the great majority of M365 incidents in the past two years have entered through it. The baseline here is not optional, and most of it is achievable on Entra ID P1, which is included in Business Premium and E3/G3.
Phishing-resistant MFA for all administrative accounts. Microsoft authenticator with number matching is acceptable for the user population at large; for global administrators, exchange administrators, security administrators, and privileged role assignments, the baseline is FIDO2 hardware keys or Windows Hello for Business — credentials an adversary-in-the-middle proxy cannot replay9. SMS as a second factor should be off entirely. The cost of a fistful of YubiKeys for the privileged population is trivial compared to the cost of a recovered global admin.
MFA enforced on the entire user population, with no exceptions for “service accounts” or “shared mailboxes” — both of which should be migrated off interactive sign-in entirely. Service accounts for line-of-business integrations should use managed identities or workload identity federation; if a vendor cannot support either, that is a vendor problem to be raised under the vendor vetting framework before signing the next renewal, not a security exception.
Legacy authentication — SMTP AUTH, IMAP, POP, ActiveSync without modern auth — disabled tenant-wide via conditional access. Legacy auth bypasses MFA entirely and remains a primary vector. Microsoft has been deprecating it for years; finish the job.
Conditional access policies that, at minimum: require compliant or hybrid-joined devices for access to Exchange Online and SharePoint Online from outside the corporate network; block access from unsupported countries (most counties have a known geographic footprint and no legitimate access from anywhere else); require phishing-resistant MFA for administrative roles; and apply session controls (sign-in frequency, persistent browser session restrictions) to high-risk applications. The SCuBA Entra baseline lays out a full reference set; treat it as the starting point.
OAuth application governance. Block user consent to applications by default, route consent requests through admin review, and monitor for over-privileged application registrations. The OAuth consent attacks running against M365 in 2025 and 2026 specifically depend on a tenant policy that lets users self-approve applications. Turn it off. Enable the admin consent workflow. This is a Defender for Cloud Apps capability at full strength, but the baseline policy switch is in Entra and is available at all tiers.
Privileged role management. Standing global administrator assignments are the single largest blast-radius problem in most county tenants. The baseline is no permanent assignments to privileged roles — Privileged Identity Management activates them on demand, time-bound, with approval and justification. PIM requires Entra ID P2 (E5/G5 or E5 Security add-on), which is the strongest single argument for putting at least the IT staff on that tier even if the rest of the county is not.
Email (Exchange Online and Defender for Office 365)
Email is still the highest-volume entry point. Three layers matter.
The first is authentication of inbound mail. SPF, DKIM, and DMARC for every domain you send from, including the ones you do not send from. The DMARC policy starts at p=none for visibility, then moves through p=quarantine to p=reject once you have a clean picture of legitimate sending sources from the aggregate reports. Without DMARC at enforcement, anyone on the internet can send mail that looks like it came from your-county.gov, and your residents will be the ones receiving it. This is foundational and free; it is not a Microsoft licensing question.
The second is authentication of outbound mail. Sign all outbound mail with DKIM, configured to use your own domain rather than the default *.onmicrosoft.com. Publish the SPF record and keep it under the 10-DNS-lookup limit. Sign mail with DKIM-signing keys you can rotate.
The third is content inspection on inbound mail, which is where Defender for Office 365 lives. The baseline is preset security policies set to “Strict” for the user population that warrants it, and “Standard” for everyone else. Safe Attachments enabled with dynamic delivery. Safe Links enabled, including for internal mail and Teams. Anti-phishing impersonation protection configured for the actual humans most likely to be impersonated — the elected officials, the finance director, the IT director — not the default policy that protects nobody by name. External sender warnings on every inbound message from outside the tenant, applied at the transport layer, not just rendered in Outlook. Outbound spam policies that block automatic forwarding to external addresses by default and alert on attempts.
Mail flow rules that enforce policy at the transport layer rather than at the inbox. Quarantine mail with mismatched SPF/DKIM/DMARC results, and quarantine mail from newly-registered domains — both behaviors that the SCuBA baseline calls out and that catch a meaningful fraction of credential phishing.
If you are at G3 without the Defender for Office 365 add-on, you have anti-spam and basic phishing protection only. The Safe Attachments / Safe Links engine — which is what catches modern phishing — is not in the box. Add it. The cost is minor relative to the gap.
Collaboration (SharePoint Online, OneDrive, Teams)
The default sharing posture in M365 is “anyone with the link.” That is a reasonable default for a marketing agency and a non-starter for a county. The baseline is to set the tenant sharing default to “Specific people” or, depending on your CJI scope, “Only people in your organization.”
External sharing is then explicitly enabled for sites that need it, scoped to specific external domains (your cooperating counties, the state agencies you exchange records with, the contracted IT vendor) via the allow-list rather than blocked through the deny-list. Guest accounts created through external sharing should expire automatically after a set window — 60 to 90 days is reasonable for most counties — and should be disabled from logging into anything beyond the resource that was actually shared with them.
Teams external access (federation with other M365 tenants) and guest access are two different switches with two different threat models. External access lets your users find and chat with users in other tenants; guest access lets external users into your teams as members. Both should be configured with intent. The default of “everyone everywhere” is the configuration that allowed the Sophos-documented Teams-based ransomware attacks of late 20243 — attackers spun up their own M365 tenant, called helpdesk staff via Teams, and walked them through compromise. The fix is allow-listed external access, guest access scoped to defined business cases, and a notification banner to staff on every external chat.
OneDrive sync restricted to compliant devices via conditional access. Without that restriction, a compromised personal device with a user’s credentials can pull the full contents of their OneDrive in minutes.
Sensitivity labels applied at the tenant level (Purview, requires E5 / G5 or E5 Compliance add-on for the full feature set) give you a way to classify documents at creation and enforce policies — encryption, watermarking, copy-paste restrictions — that follow the document downstream. For counties handling CJI, this is not optional; for counties that do not, it is the next reach after the identity and email baseline.
Devices (Microsoft Intune)
Every device that touches the tenant should be enrolled, compliant, and managed. The baseline is conditional-access-enforced device compliance for all access to corporate resources, with compliance defined as: BitLocker on, firewall on, antivirus on (Defender or equivalent EDR with current definitions), encryption at rest, and a known operating system version above the support floor.
Mobile devices — including BYOD — go through Intune mobile application management, which protects the corporate data inside the M365 apps without needing to fully manage the personal device. This is a real lever for counties whose elected officials and field staff are using personal phones; it solves the political problem of “I’m not letting IT wipe my personal phone” without giving up control of the corporate data.
Defender for Endpoint deployed in active mode (not passive, not “just installed”), with attack surface reduction rules enabled. Plan 1 is enough to cover the configuration and prevention surface; Plan 2 (E5 / G5) adds advanced hunting and automated investigation that you will need if anything ever goes wrong.
Logging and detection (Purview Audit, Defender, Sentinel)
The baseline that nobody loves and nobody can do without. Audit logging on for the entire tenant, with retention extended past the default — Purview Audit Premium gives you one year of retention on E5/G5, ten years optional9. The default ninety days is not enough to investigate the kind of incident that gets discovered six months in.
Sign-in logs, audit logs, and Defender alerts streamed to a SIEM — Microsoft Sentinel if you are already inside the Microsoft estate, or whatever the state’s MS-ISAC engagement covers, which for many states includes a SOC service. The benchmarks article on this site discussed MS-ISAC’s transition to a paid model; for counties without their own SOC, the MS-ISAC SOC offering is generally the fastest way to get logs reviewed by someone other than the shop that generated them.
Alert policies for the things that should never be normal: impossible travel, mass downloads from SharePoint or OneDrive, the creation of inbox forwarding rules, role assignments to privileged groups, mailbox audit log changes, and the registration of new applications. Most of these are available out of the box and should be tuned to actually generate notifications — silenced alerts are worse than no alerts.
A logging review cadence that someone is named for. CIS Control 8 — Audit Log Management — exists because logs you do not look at are not security; they are storage costs.
Data protection and DLP
For counties with regulated data — and almost all counties have at least some — Purview Data Loss Prevention policies are the layer that catches CJI, PII, and HIPAA-regulated data leaving the tenant. The baseline includes default templates for U.S. PII, financial data, and HIPAA, applied across Exchange, SharePoint, OneDrive, and Teams. Run them in test mode first to see what fires; tune; then move to enforce. The learning curve is real but the work is bounded.
DLP requires the Purview DLP capability, which is in E5/G5 or available in lighter form via the Microsoft 365 E5 Compliance add-on. Below that tier, you have transport-rule-based pattern matching, which is brittle and bypassable but better than nothing.
The CJIS overlay
If any part of your tenant handles CJI — and most counties’ do, somewhere — three things change about the baseline.
First, the cloud changes. The SCuBA and CIS baselines apply equally to commercial and GCC, but CJIS Security Policy compliance is structurally a property of GCC, not commercial4. If you are in commercial today and CJI is in your tenant, that is the first finding to address.
Second, encryption changes. CJIS Security Policy v6.0 (released December 2024, with v6.1 expected in spring 2026 and the full compliance deadline landing October 1, 2027) and 5.9.5 before it require that CJI in transit outside a physically secure location be protected by FIPS 140-2 (now transitioning to 140-3) certified encryption, and that CJI at rest be protected by FIPS 140-2 certified or AES-256 encryption11. M365 in GCC is configured to meet that bar by default; in commercial, the picture is more nuanced and the configuration burden falls on you. Run the FIPS 140 validated cipher suites where the policy applies; document the architecture; do not assume defaults.
Third, MFA becomes a Priority 1 control with audit consequences. CJIS Security Policy 5.9.5 made MFA non-negotiable for any account with CJI access, and it has been auditable since October 1, 202412. Phishing-resistant MFA — FIDO2 keys, Windows Hello for Business, or certificate-based authentication — is the strongest interpretation; SMS-based MFA does not meet the modern interpretation of the requirement and should not be used for CJI-touching accounts.
The CJIS overlay also brings audit-evidence requirements: you should be able to demonstrate, on request, who accessed CJI, when, from what device, and under what authorization. The Purview Audit configuration above is what makes that demonstration possible. The county that cannot answer the question fails the audit; the county that can answer it from a SIEM in five minutes does not.
Operationalizing the baseline
Three concrete steps to turn the above from a wish list into a configured tenant.
Run SCuBAGear against your tenant. CISA’s tool is free, runs locally, and produces a report that scores your environment against every SCuBA baseline policy with pass/fail and rationale13. It is not a substitute for the full benchmarks, but it is the fastest way to see, today, how far your tenant is from the floor. Run it before the procurement conversation about license tiers — the gap report will inform what you actually need.
Compare your tenant to the CIS Microsoft 365 Foundations Benchmark v6.0.1 and score yourself against Level 1 first, Level 2 only after Level 1 is closed. Most counties have meaningful gaps at Level 1. Do not skip ahead.
Wire periodic reassessment into the calendar. CIS Control 15 — Service Provider Management — and the SCuBA baseline both assume continuous evaluation, not a one-time deployment. An annual review at minimum, with a triggered review on any major Microsoft baseline update or tenant change. Microsoft and CISA both publish baseline changes through the SCuBAGear release notes; subscribe.
For counties without an internal security team, the MS-ISAC engagement is the most cost-effective external pair of eyes, and the state’s homeland security office or auditor’s office may already cover some of the cost. Whether or not you keep MS-ISAC, document a named human owner for each control area in the baseline. A control without an owner is a control without a clock, and a control without a clock is a control that decays.
The political work
Most of what is above is technical, but the load-bearing decisions are political. A small county that runs Microsoft 365 has, somewhere on its budget, a line for software. If that line is “Microsoft 365” and the number is whatever the prior IT director negotiated three years ago, the conversation with the board that funds an upgrade is the work, and it is harder than the configuration work that follows it.
The framing that lands, in my experience, is not “we need to spend more on cybersecurity.” It is “we are paying for a license tier that does not include the controls our regulators now require, and the gap is the audit risk.” Replace “regulators” with whichever flavor — CJIS auditor, state SOC, cyber insurance carrier, the Office of the Inspector General, federal grant compliance — applies in your county. The conversation is no longer “should we spend money on security.” It is “should we close a known compliance gap before we are cited for it.” That is a board agenda item with a different temperature.
Cyber insurance is the other lever that has bent the conversation in most counties since 2023. Carriers now ask, on the renewal application, whether MFA is enforced for all administrative and remote access; whether email filtering is in place; whether endpoints are managed; whether logs are retained and reviewed. The questionnaire is the SCuBA baseline written in insurance vocabulary. Counties that answer “no” pay a premium they cannot afford or are non-renewed. Counties that answer “yes” pay less. The licensing conversation and the insurance conversation are now the same conversation, and the board recognizes the second one even when they do not recognize the first.
What you can actually do this quarter
If you are reading this as a county IT lead and the budget cycle is months away, four things are worth doing now, with your current license:
Enforce MFA on every administrative account, and rotate the credentials that have been around since the last director. Disable legacy authentication tenant-wide. Turn on the Microsoft preset security policies at “Standard” for the user population and “Strict” for the privileged accounts. Run SCuBAGear and read the report.
None of those cost money. All of them shorten the gap between your tenant and the baseline. The full baseline is licensing-bounded, but the floor is not.
Closing thoughts
The Microsoft 365 security story for local government is unusual in one specific way: the work is almost entirely already done. CISA wrote the baseline. CIS wrote a deeper one. Microsoft built the configuration switches. The MS-ISAC SOC is available. The SCuBAGear tool runs locally and reports on your gaps in an afternoon. What is left is the alignment work — getting the right license, configuring the controls, naming the owners, and reviewing the logs on a cadence that catches things before they catch you.
That is the harder, quieter version of the job, and it is the one that produces a tenant the next administrator can take over without a full archaeological dig. Most county IT shops are one person and a contracted MSP. The next person debugging a compromise at 2am, in that environment, is going to be one of those two — and they should not have to start from zero. The baseline, configured against the license your county can actually afford, is the rock you leave on the pile.
Footnotes
-
Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service — Microsoft On the Issues, September 2025. ↩
-
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — The Hacker News, December 2025; and State-linked and criminal hackers use device code phishing against M365 users — Cybersecurity Dive. ↩
-
Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations — Sophos research summary, late 2024. ↩ ↩2 ↩3
-
Office 365 GCC — Service Description — Microsoft Learn. FedRAMP High, CJIS, IRS 1075 attestation scope. ↩ ↩2
-
Office 365 GCC High and DoD — Service Descriptions — Microsoft Learn. ↩
-
Microsoft AOS-G GCC & GCC High Licensing — M365 For CMMC & GovCons — including the November 2025 launch of GCC High Business Premium. ↩
-
Microsoft 365 Security Plans — current SKU and add-on pricing as of 2026. ↩ ↩2
-
Microsoft Defender service description — Microsoft Learn. License-tier mapping for the Defender suite. ↩
-
CISA Secure Cloud Business Applications (SCuBA) Project and the SCuBAGear repository — current production baselines for Microsoft 365. ↩ ↩2 ↩3
-
CIS Microsoft 365 Foundations Benchmark — v6.0.1, October 2025; 140 controls across six M365 services. ↩
-
Criminal Justice Information Services (CJIS) — Microsoft Compliance — Microsoft’s CJIS attestation and FIPS 140 cipher guidance. ↩
-
CJIS Security Policy v6.0 — What Agencies and Vendors Need to Know and How to meet password and MFA requirements — CJIS 5.9.5 — overview of the MFA and audit timeline. ↩
-
ScubaGear documentation and releases — installation, scoring, and update cadence. ↩