A Developer’s Perspective: Automate CMMC with IaC

CMMC L1 Compliant External Collaboration Automation

While there are numerous guides and placemats available for Azure CMMC compliance, few are from a developer’s perspective, i.e. code to automate the deployment of a CMMC Level 1 compliant component.

In this article we'll walk through the PowerShell needed to build a CMMC Level 1 compliant external collaboration workspace on SharePoint Online (Microsoft 365), mapping each script to the set of security controls it implements.

By the end of the article, we'll have a Level 1 compliant workspace for collaboration with those outside our organization. It pushes identification and authentication requirements down to the external parties accessing FCI. More important for this topic, we'll know which PowerShell commands map to which CMMC controls: IaC for CMMC.

Understanding CMMC Level 1

CMMC Level 1 focuses on basic cyber hygiene practices that are essential to protect FCI. It includes fundamental security measures such as access control, identification, and authentication. Achieving this level of compliance is vital for organizations looking to engage in federal contracts, as it establishes a foundation for the more advanced security measures required at higher CMMC levels. The practice identifiers used below follow the CMMC 1.0 numbering (AC.1.001, IA.1.077, and so on); CMMC 2.0 keeps the same Level 1 practices but names them after their NIST SP 800-171 source, so AC.1.001 becomes AC.L1-3.1.1, AC.1.002 becomes AC.L1-3.1.2, AC.1.003 becomes AC.L1-3.1.20 and IA.1.077 becomes IA.L1-3.5.2.

Automating Compliance with Azure AD and SharePoint

Our step-by-step guide shows how to set up a CMMC Level 1 compliant external collaboration SharePoint site using Infrastructure as Code (IaC). This script prompts for necessary inputs and automates the process of creating a SharePoint site, configuring external sharing, and inviting external users. Developers already use IaC to deploy security requirements across various systems, and implementing CMMC is no different—it simply involves applying compliance and security standards specific to federal contract information. Using IaC for CMMC compliance enables a consistent, repeatable deployment process that integrates seamlessly with other secure infrastructure setups.

Step 1: Prepare the Environment

Before you begin, ensure that you have the necessary modules installed and access to your Azure AD and SharePoint environment.

powershell

# Install the SharePoint Online Management Shell if it is not already present
if (-not (Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell)) {
    Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force
}

# Prompt for the tenant name (the part before .sharepoint.com) and derive the admin centre URL
$domain = Read-Host "Enter the tenant name (e.g. contoso for contoso.sharepoint.com)"
$adminSiteUrl = "https://$domain-admin.sharepoint.com"

# Connect to SharePoint Online; the account needs the SharePoint Administrator role
Connect-SPOService -Url $adminSiteUrl

# Prompt for the site name and owner. Keep the site name and the full URL in different
# variables: PowerShell variable names are case-insensitive, so $siteUrl and $siteURL
# are the same variable. New site collections must live under a managed path such as /sites/.
$siteName = Read-Host "Enter the SharePoint site name (last segment of the URL)"
$siteUrl  = "https://$domain.sharepoint.com/sites/$siteName"
$owner    = Read-Host "Enter the owner of the site (user principal name)"

# Define site variables
$siteTitle    = "External Sharing Site"
$template     = "STS#3"   # Team site without a Microsoft 365 group
$storageQuota = 1024      # in MB; only honoured when the tenant uses manual site storage limits
$timezoneId   = 10        # 10 = (UTC-05:00) Eastern Time (US and Canada); adjust as necessary

# Create the site collection
New-SPOSite -Url $siteUrl -Owner $owner -StorageQuota $storageQuota -Title $siteTitle -Template $template -TimeZoneId $timezoneId

# Allow sharing with authenticated external users only (no anonymous "Anyone" links).
# A site cannot be more permissive than the tenant; check (Get-SPOTenant).SharingCapability
# if this call is rejected.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

CMMC Control References:

With sharing scoped to authenticated external users only (no anonymous links), SharePoint Online provides the mechanisms for the following practices:

  • AC.1.001: Limiting system access to authorized users, processes, or devices.
  • AC.1.002: Restricting system access to the transactions and functions that authorized users are allowed to perform.
  • AC.1.003: Verifying and controlling connections to, and use of, external information systems.

Step 2: Configure Conditional Access Policies

To enforce Multi-Factor Authentication (MFA) for external users, configure a Conditional Access policy using Microsoft Graph. Conditional Access requires a Microsoft Entra ID P1 (or higher) licence and cannot coexist with Security Defaults; if Security Defaults are on, the policy creation below fails. The policy is scoped to invited B2B guests and other external user types, and to SharePoint Online only. For a first run, create it in report-only state and review the sign-in logs before switching it to enabled.

powershell

# Import the required Microsoft Graph modules (Install-Module Microsoft.Graph if they are missing)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns

# Connect to Microsoft Graph with the scopes needed to create Conditional Access policies
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# SharePoint Online is targeted by its well-known application ID. Graph accepts the special
# values "All", "None" and "Office365" in includeApplications, but not "Office365SharePointOnline".
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Define the Conditional Access policy. Guests invited through B2B collaboration are classified
# as b2bCollaborationGuest; if that type is omitted the policy never applies to them.
$policy = @{
    displayName = "Require MFA for External Users"
    state = "enabled"   # use "enabledForReportingButNotEnforced" (report-only) while testing
    conditions = @{
        users = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = "b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser"
                externalTenants = @{
                    "@odata.type" = "#microsoft.graph.conditionalAccessAllExternalTenants"
                    membershipKind = "all"
                }
            }
        }
        applications = @{
            includeApplications = @($sharePointAppId)   # SharePoint Online only
        }
    }
    grantControls = @{
        operator = "AND"
        builtInControls = @("mfa")
    }
}

# Create the policy. This fails if the tenant lacks an Entra ID P1 licence, if Security Defaults
# are enabled (they are mutually exclusive with Conditional Access), or if the scopes were not granted.
try {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy -ErrorAction Stop
    Write-Output "Conditional Access Policy '$($created.DisplayName)' created with id $($created.Id)."
} catch {
    Write-Error "Failed to create Conditional Access Policy (Security Defaults enabled, or missing licence/permission?): $_"
}

CMMC Control References:

  • IA.1.077: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • AC.1.003: Verifying and controlling connections to, and use of, external information systems.

Step 3: Invite External Users

Finally, invite the external users into your Azure AD tenant as B2B guests, with a customized message that points them at the SharePoint site.

powershell

# Define the invitation message sent to each external user
$externalShareSite = "You have been invited to join our organization. Please click the link below to accept the invitation. Once you have accepted the invitation, you will be able to access the SharePoint site $siteUrl."

# Connect to Azure AD. Note: the AzureAD module is deprecated; New-MgInvitation from the
# Microsoft.Graph.Identity.SignIns module is the supported replacement for New-AzureADMSInvitation.
Connect-AzureAD

# Prompt for a comma-separated list of external users and trim surrounding whitespace.
# $externalUsers is reused in Step 4, so run the steps in the same PowerShell session.
$externalUsers = Read-Host "Enter a comma-separated list of external users to invite to the Azure AD"
$externalUsers = ($externalUsers -split ",") | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($externalUser in $externalUsers) {
    # Invite the external user as a B2B guest and redirect them to the site after redemption
    $invitation = New-AzureADMSInvitation -InvitedUserEmailAddress $externalUser `
                                          -InviteRedirectUrl $siteUrl `
                                          -SendInvitationMessage $true `
                                          -InvitedUserMessageInfo @{CustomizedMessageBody = $externalShareSite}
    Write-Output "Invited $externalUser (status: $($invitation.Status))"
}

CMMC Control References:

  • AC.1.001: Limiting system access to authorized users, processes, or devices.
  • AC.1.002: Restricting system access to the transactions and functions that authorized users are allowed to perform.
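The following is an added example, not code from the original article or its repository. It performs the same invitation with Microsoft Graph (New-MgInvitation, the supported replacement for the deprecated AzureAD module) and then polls each guest's externalUserState, so that the precondition of Step 4 (the invitation has been redeemed) is checked by the script rather than assumed. It assumes the $siteUrl and $externalUsers variables from the steps above, the Microsoft.Graph modules, and a Graph session granted the User.Invite.All and User.Read.All scopes; the function names Invoke-GuestInvitation and Wait-GuestAcceptance are the example's own.

```powershell
# Added example (not from the original article or its repo): invite guests with Microsoft Graph
# instead of the deprecated AzureAD module, then wait until each invitation is redeemed before
# Step 4 adds the guest to the site group. Assumes $siteUrl and $externalUsers from the steps above.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns   # New-MgInvitation
Import-Module Microsoft.Graph.Users              # Get-MgUser

# User.Invite.All creates B2B invitations; User.Read.All is needed to read externalUserState
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

$message = "You have been invited to collaborate on $siteUrl. Accept the invitation to gain access."

function Invoke-GuestInvitation {
    param([string[]]$Emails, [string]$RedirectUrl, [string]$Body)
    foreach ($email in $Emails) {
        $inv = New-MgInvitation -InvitedUserEmailAddress $email `
                                -InviteRedirectUrl $RedirectUrl `
                                -InvitedUserType "Guest" `
                                -SendInvitationMessage `
                                -InvitedUserMessageInfo @{ CustomizedMessageBody = $Body }
        # Emit the guest object id so the caller can track redemption state
        [pscustomobject]@{ Email = $email; UserId = $inv.InvitedUser.Id; Status = $inv.Status }
    }
}

function Wait-GuestAcceptance {
    param([string]$UserId, [int]$TimeoutMinutes = 60, [int]$PollSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # externalUserState stays "PendingAcceptance" until the guest redeems the invitation
        $state = (Get-MgUser -UserId $UserId -Property ExternalUserState).ExternalUserState
        if ($state -eq "Accepted") { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$invited = Invoke-GuestInvitation -Emails $externalUsers -RedirectUrl $siteUrl -Body $message
$invited | Format-Table Email, UserId, Status

foreach ($guest in $invited) {
    if (Wait-GuestAcceptance -UserId $guest.UserId) {
        Write-Output "$($guest.Email) accepted; safe to run Step 4 for this user"
    } else {
        Write-Warning "$($guest.Email) has not accepted yet; do not grant site access (AC.1.001)"
    }
}
```

Guests who have not redeemed the invitation are reported and skipped rather than granted site access, which is the behaviour AC.1.001 (access only for authorized users) asks for; the poll interval and timeout are parameters so the gate can be run again later for stragglers.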

Step 4: Add External Users to the “Contribute” Group

Use Role-Based Access Control (RBAC) via an "External Contributors" SharePoint group so that external users have only the permissions they need to collaborate: create the group with the Contribute permission level and add the external users to it. This step can only be completed after each user has accepted the invitation into your Azure AD tenant, because Add-SPOUser cannot resolve an account that does not yet exist in the directory.

powershell

# Name of the SharePoint group that external collaborators are placed in
$groupName = "External Contributors"

# This step only uses SharePoint Online cmdlets, so the AzureAD module is not needed here.
# It reuses the Connect-SPOService session from Step 1; in a new session run
# Connect-SPOService -Url $adminSiteUrl again first.

# Create the group with the Contribute permission level (add, edit and delete items;
# no site, permission or sharing management)
New-SPOSiteGroup -Site $siteUrl -Group $groupName -PermissionLevels "Contribute"

# Add each external user to that group. The group name must match the one just created;
# there is no default group called "Contribute". The guest must already have redeemed
# the invitation so that the login name resolves in the directory.
foreach ($externalUser in $externalUsers) {
    Add-SPOUser -Site $siteUrl -LoginName $externalUser -Group $groupName
}

CMMC Control References:

  • AC.1.001: Limiting system access to authorized users, processes, or devices.
  • AC.1.002: Restricting system access to the transactions and functions that authorized users are allowed to perform.
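Deployment scripts drift, and an assessor will ask for evidence rather than for the script. The following is an added example, not code from the original article or its repository: it re-reads the live configuration produced by Steps 1 to 4 and reports, per CMMC practice, whether each setting still holds (sharing scoped to authenticated external users at tenant and site level, the MFA policy enabled and actually targeting B2B guests, the external group limited to Contribute, and every guest member having redeemed their invitation). It assumes the $siteUrl and $groupName variables and the policy display name from the steps above, an active Connect-SPOService session, and a Graph session with the Policy.Read.All and User.Read.All scopes; the Add-Finding helper is the example's own.

```powershell
# Added example (not from the original article or its repo): verify that the deployed
# configuration still matches the CMMC practices the steps above claim. Assumes $siteUrl,
# $groupName and the policy display name from the steps above, an active Connect-SPOService
# session, and a Graph session with Policy.Read.All and User.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

$policyName = "Require MFA for External Users"
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# AC.1.003: no anonymous links at tenant or site level (authenticated external users only)
$tenantSharing = (Get-SPOTenant).SharingCapability
$siteSharing   = (Get-SPOSite -Identity $siteUrl).SharingCapability
$noAnonymous   = @("ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", "Disabled")
Add-Finding "AC.1.003" "Tenant sharing excludes anonymous links" ($noAnonymous -contains "$tenantSharing") "$tenantSharing"
Add-Finding "AC.1.003" "Site sharing is ExternalUserSharingOnly" ("$siteSharing" -eq "ExternalUserSharingOnly") "$siteSharing"

# IA.1.077: the MFA policy exists, is enforced, and actually covers invited B2B guests
$ca = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" | Select-Object -First 1
if ($null -eq $ca) {
    Add-Finding "IA.1.077" "Conditional Access policy exists" $false "not found"
} else {
    $types = "$($ca.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)"
    $controls = @($ca.GrantControls.BuiltInControls)
    Add-Finding "IA.1.077" "Policy is enabled (not report-only)" ("$($ca.State)" -eq "enabled") "$($ca.State)"
    Add-Finding "IA.1.077" "Policy targets b2bCollaborationGuest" ($types -match "b2bCollaborationGuest") $types
    Add-Finding "IA.1.077" "Policy requires MFA" ($controls -contains "mfa") ($controls -join ",")
}

# AC.1.002: the external group holds only Contribute
$group = Get-SPOSiteGroup -Site $siteUrl -Group $groupName
$roles = @($group.Roles)
Add-Finding "AC.1.002" "Group '$groupName' limited to Contribute" (($roles.Count -eq 1) -and ($roles[0] -eq "Contribute")) ($roles -join ",")

# AC.1.001: every guest in the group has redeemed the invitation (internal members pass by definition)
foreach ($member in (Get-SPOUser -Site $siteUrl -Group $groupName)) {
    # Guest accounts carry the #ext# marker in their login name; resolve them in Entra ID by mail
    $isGuest = $member.LoginName -match "#ext#"
    $state = if ($isGuest) {
        (Get-MgUser -Filter "mail eq '$($member.Email)'" -Property ExternalUserState | Select-Object -First 1).ExternalUserState
    } else { "internal" }
    Add-Finding "AC.1.001" "Member $($member.Email) is internal or a redeemed guest" ((-not $isGuest) -or ("$state" -eq "Accepted")) "$state"
}

$findings | Format-Table Control, Check, Pass, Detail -AutoSize
if ($findings.Pass -contains $false) {
    Write-Warning "One or more checks failed; remediate before placing FCI on the site"
}
```

Run it after deployment and again on a schedule: the tenant-level sharing check in particular catches the common case where a later administrator loosens the tenant setting, which silently re-opens the anonymous-link path the site setting alone does not block.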

Pitfalls

Using a SharePoint Team Site for external collaboration involving Federal Contract Information (FCI) comes with significant pitfalls, particularly around data spillage. Data spillage occurs when sensitive information is shared inappropriately or persists in locations where it shouldn’t, exposing an organization to compliance risks and potential breaches.

While training users to handle FCI securely is essential, it is rarely sufficient by itself; despite the best efforts, human error remains a constant factor, and sensitive data can easily end up in the wrong hands. To address this, organizations should implement a technical solution alongside training, such as a Data Spillage prevention tool, which actively monitors and prevents sensitive data from being uploaded, retained, or shared incorrectly.

By automatically identifying and isolating spillages in real-time, these tools provide a crucial layer of protection that compensates for inevitable lapses in human judgment, ensuring that sensitive information does not persist on the site and that compliance standards are upheld.

Conclusion

Automating CMMC compliance from a developer’s perspective involves leveraging Azure and SharePoint capabilities to streamline processes and ensure security. By enabling external sharing with authentication, enforcing MFA, and inviting users with customized messages, you can achieve CMMC Level 1 compliance for external collaboration efficiently. This approach not only meets compliance requirements but also simplifies security management, making it easier for developers and IT administrators to maintain a secure environment for federal contract information. If you’re looking for help with CMMC implementation automation or assessment automation, contact ronathan@esr-inc.com to explore tailored solutions for your organization.

Repo

https://github.com/ESRGH/CMMCLOneCollabSpace
