CyberGRX

The CyberGRX assessment methodology identifies both inherent and residual risk and uses near real time threat analysis and independent evidence validation to provide customers with a holistic view of their third-party cyber risk posture.

CyberGRX is the world's first and largest collaborative risk exchange. CyberGRX's analytical methodology builds threat intelligence and sophisticated risk models from just one validated assessment. With insights on risk across data security and privacy, the CyberGRX assessment features not only in-depth insights on residual risk, but combines attack scenario modeling and the MITRE ATT&CK kill chain to monitor evolving tactics and techniques in the threat landscape.

Microsoft and CyberGRX

CyberGRX, utilizing their strategic partners Deloitte and Touche and KPMG, has validated and reported on the assessment of the Microsoft Cloud, which consists of over 1,000 security questions and corresponding Microsoft responses. CyberGRX addresses inherent risk, industry-specific threat intelligence, and real-world attack scenarios. This gives customers an ability to validate Microsoft's security posture with outside-in evidence in order to generate results that are focused on risk, as opposed to simple compliance.

Microsoft understands the need our customers have to use efficient vehicles that will help their organization swiftly assess risk, to include assessing potential risks that they may assume due to using a third-party for key services, like us. As one of the largest cloud service providers in the world, Microsoft understands that our customer base is vast and diverse and that these customers have varying priorities and come from various industries. Scaling to these diverse needs requires Microsoft to look for effective methods to broaden and amplify our ability to share key knowledge that will help all customers with their their security priorities and regardless of which Microsoft Cloud services they use. Collaborating with a third-party assessment firms like CyberGRX is one way we help our customers to be nimbler in their risk assessment pursuit.

CyberGRX's model gives organizations interested in the Microsoft Cloud's security control implementation the ability to select the controls they're most interested in and provides validated responses for their review. Microsoft benefits from this model as we can also be nimble in our ability to provide updates, and our responses are available to any member of the CyberGRX exchange, providing more customer access to this key information. In short, CyberGRX helps Microsoft reach more customers with risk assessment needs and underscores our commitment to transparency and security.

In addition, customers can use CyberGRX's Framework Mapper feature to map our assessment controls and responses to well-known industry standards and frameworks, such as NIST 800-53, NIST Cybersecurity Framework (CSF), ISO 27001, PCI DSS, HIPAA, all of which can significantly reduce your due diligence burden.

Microsoft in-scope cloud platforms & services in scope

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

For a complete list of Microsoft online services in the CyberGRX audit scope, see:

Office 365 and CyberGRX

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Cortana, Customer Lockbox, Exchange Online Archiving, Exchange Online Protection, Exchange Online, Kaizala Pro, Microsoft Bookings, Microsoft Forms, Microsoft MyAnalytics, Microsoft Planner, Microsoft StaffHub, Microsoft Stream, Microsoft Teams (including Bookings, Lists, and Shifts),  Microsoft To-Do, Microsoft Defender for Office 365, Office 365 Video, Office for the web, OneDrive for Business, Project, SharePoint Online, Skype for Business Online, Sway, Whiteboard, Viva Engage

Audits, reports, and certificates

For access to a complimentary CyberGRX assessment report of the Microsoft Cloud, fill out this form.

How to implement

  • Financial use cases: Use case overviews, tutorials, and other resources to build Microsoft Cloud solutions for financial services.
  • US financial services regulation: How Microsoft online services align with key regulatory expectations for US financial institutions.

Frequently asked questions

For details about how CyberGRX's validation methodology, maturity scoring model, and other related areas, see the Security Assessment FAQ.

Resources