1. System Identification
| Item | Detail |
|---|---|
| System Name | Yeap Inc. Enterprise Microsoft 365 Environment |
| CAGE Code | 09B60 |
| System Owner | Peter K. DHaiti – CEO |
| Responsible Office | IT & Cybersecurity Division |
| Version / Date | v1.0 – 06 May 2025 |
| Assessment Score | NIST SP 800‑171 Basic (self) assessment – 105 of 110 (SPRS submitted 08 May 2025) |
| CMMC Status | Level 1 self‑assessment complete; Level 2 pending POA&M closure (due 08 Aug 2025) |
2. System Description & Boundary
Yeap Inc. operates entirely in Microsoft 365 GCC High, leveraging:
- Exchange Online for corporate email
- Microsoft Teams for meetings, chat, and internal file sharing
- SharePoint Online & OneDrive for document storage / CUI repositories
- Microsoft Entra ID (formerly Azure Active Directory, abbreviated AAD below) as the authoritative identity provider, with MFA enforced
No on‑premises servers host Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). All endpoints (Windows 11 Pro) are Intune‑managed with BitLocker, Microsoft Defender Antivirus, and device compliance policies. External development resources connect via AAD guest accounts with least‑privilege access.
3. Information Types & Impact Levels
| Data Type | Examples | Impact (FIPS‑199) |
|---|---|---|
| FCI | purchase orders, invoices | Low–Moderate |
| CUI | SOWs, design docs from DoD subcontract | Moderate |
CUI is stored only in SharePoint Online CUI Libraries with sensitivity labels and DLP rules.
4. Applicable Standards & Baselines
| Framework | Applicability |
|---|---|
| CMMC Level 1 | Fully implemented (15 FAR 52.204‑21 requirements) |
| NIST SP 800‑171 Rev 2 | 110 requirements – score 105; 5 requirements in POA&M |
| NIST SP 800‑53 (FedRAMP Moderate) | Mapped for future SaaS offerings |
| FedRAMP High (FISMA) | Provider‑side controls inherited from the Microsoft 365 GCC High authorization |
5. Control Implementation Summary (NIST 800‑171)
5.1 Access Control (AC)
- AAD conditional access restricts login to MFA‑enabled accounts.
- SharePoint permissions mapped to project‑specific M365 Groups; guest access reviewed quarterly.
- Session time‑out: 15 min idle → re‑auth.
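The MFA statement above is only as strong as the Conditional Access policies behind it: a policy in report‑only state enforces nothing, and every excluded user, group or role is a sign‑in path without MFA. The script below is an added verification check, not part of Yeap Inc.'s SSP or tooling. It assumes the Microsoft Graph PowerShell SDK, a GCC High tenant (US Government cloud endpoint), and that the reviewer has the `Policy.Read.All` and `User.Read.All` permissions.

```powershell
# Added example (not from the SSP): enumerate Conditional Access policies that require MFA,
# flag those not enforced, and resolve every excluded user so the review can confirm that
# only documented break-glass accounts bypass the control.
# Assumptions: Microsoft Graph PowerShell SDK installed; tenant is GCC High (-Environment USGov).

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

Connect-MgGraph -Environment USGov -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $grant = $p.GrantControls
    # MFA can be required either by the legacy 'mfa' built-in control or by an
    # authentication strength (e.g. phishing-resistant MFA); accept both.
    $requiresMfa = ($grant.BuiltInControls -contains 'mfa') -or
                   ($null -ne $grant.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    $users = $p.Conditions.Users
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State            # enabled / disabled / enabledForReportingButNotEnforced
        Enforced       = ($p.State -eq 'enabled')
        Scope          = (@($users.IncludeUsers) + @($users.IncludeGroups)) -join ','
        ExcludedUsers  = @($users.ExcludeUsers).Count
        ExcludedGroups = @($users.ExcludeGroups).Count
        ExcludedRoles  = @($users.ExcludeRoles).Count
    }
}

$report | Sort-Object Enforced | Format-Table -AutoSize

# Finding 1: an MFA policy that exists but is not enforced gives no assurance.
$report | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning "MFA policy '$($_.Policy)' is in state '$($_.State)' and is not enforced"
}

# Finding 2: resolve excluded object IDs to UPNs so each exclusion can be justified in the
# control narrative (break-glass accounts should be the only entries).
foreach ($p in $policies | Where-Object { $_.Conditions.Users.ExcludeUsers }) {
    foreach ($id in $p.Conditions.Users.ExcludeUsers) {
        $u = Get-MgUser -UserId $id -Property DisplayName, UserPrincipalName -ErrorAction SilentlyContinue
        $label = if ($u) { $u.UserPrincipalName } else { $id }
        "{0}: excludes {1}" -f $p.DisplayName, $label
    }
}
```

Run it at each quarterly review and attach the output to the AC/IA evidence; any policy reported as not enforced, or any exclusion that is not a documented break‑glass account, is a gap against the statement that all sign‑ins require MFA.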
5.2 Awareness & Training (AT)
- Annual security awareness via Microsoft Learn; completion tracked in LMS.
5.3 Audit & Accountability (AU)
- Unified Audit Log enabled; logs retained 1 year.
- Defender for Cloud Apps alerts SOC for anomaly detection.
5.4 Configuration Management (CM)
- Intune compliance policies enforce baseline; changes documented in Azure DevOps wiki.
5.5 Identification & Authentication (IA)
- Microsoft Entra MFA (Authenticator app or FIDO2 security key) for all users; passwordless rollout FY 2025.
5.6 Incident Response (IR)
- IR Plan v2.1 – triage within 1 hr; escalation to CEO & legal within 24 hrs.
- Monthly tabletop exercises using attack simulations from the Microsoft Defender portal.
5.7 Maintenance (MA)
- Endpoints patched via Windows Update for Business; zero‑touch autopatch cadence 14 days.
5.8 Media Protection (MP)
- Removable media is prohibited by policy; OneDrive selective sync enforced.
5.9 Personnel Security (PS)
- Background checks and NDAs for all employees/contractors with CUI access.
5.10 Physical Protection (PE)
- All work is remote; devices protected with BitLocker and BIOS/UEFI firmware passwords.
5.11 Risk Assessment (RA)
- Annual risk assessment using Microsoft Secure Score + CIS CAT.
5.12 Security Assessment (CA)
- 3rd‑party gap audit scheduled July 2025 (POA&M closure).
5.13 System & Comms Protection (SC)
- TLS 1.2+ enforced; Sensitivity labels block external sharing of CUI.
5.14 System & Info Integrity (SI)
- Microsoft Defender Antivirus and Defender for Endpoint (EDR); weekly vulnerability scans via Nessus Cloud.
POA&M items (score −5): AC‑3(4), CM‑2, SI‑3, SI‑4, SC‑8; closure scheduled by 08 Aug 2025. These items are listed by NIST SP 800‑53 control identifier; the POA&M and the SPRS submission must also record the corresponding NIST SP 800‑171 requirement numbers (3.x.y), which is the numbering the assessment methodology scores against.
6. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CEO / CISO | Approve SSP, oversee risk management |
| IT Manager | Implement controls, maintain AAD policies |
| Security Officer | Coordinate audits, manage POA&M |
| System Users | Follow security policies, report incidents |
7. Continuous Monitoring Plan
- Monthly Secure Score review
- Quarterly access reviews & guest account purge
- Annual tabletop IR exercise + SSP review
- Automatic alerting via Microsoft Sentinel (FY 2026 roadmap)
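The quarterly guest review needs an evidence artifact (who was reviewed, against what criterion, what was removed). The script below is an added example of how that review can be produced, not part of Yeap Inc.'s SSP or tooling. It assumes the Microsoft Graph PowerShell SDK, a GCC High tenant, an Entra ID P1 licence (required for `signInActivity`), and a 90‑day inactivity threshold; the SSP itself does not state the threshold, so 90 days is an assumption to be confirmed by the Security Officer.

```powershell
# Added example (not from the SSP): list Entra ID guest accounts with no sign-in inside the
# review window, export the list as access-review evidence, and remove them only on request.
# Assumptions: Microsoft Graph PowerShell SDK; GCC High tenant (-Environment USGov);
# Entra ID P1 for signInActivity; 90-day threshold (not specified by the SSP).

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

param(
    [int]$InactiveDays = 90,   # assumed review threshold
    [switch]$Remove            # delete stale guests only when explicitly requested
)

# Write scope is requested only when removal is actually asked for (least privilege).
$scopes = @('User.Read.All', 'AuditLog.Read.All')
if ($Remove) { $scopes += 'User.ReadWrite.All' }
Connect-MgGraph -Environment USGov -Scopes $scopes -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# signInActivity is only returned when explicitly selected via -Property.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, UserPrincipalName, CreatedDateTime, SignInActivity

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who was invited but never signed in has no sign-in record;
    # judge that account by its creation (invitation) date instead.
    $reference = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            Mail              = $g.Mail
            UserPrincipalName = $g.UserPrincipalName
            LastSignIn        = $lastSignIn
            Created           = $g.CreatedDateTime
            Id                = $g.Id
        }
    }
}

# Export before any removal so the review record shows what was evaluated.
$stamp = Get-Date -Format 'yyyyMMdd'
$stale | Export-Csv -Path "guest-review-$stamp.csv" -NoTypeInformation
$stale | Format-Table DisplayName, Mail, LastSignIn, Created -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        # -Confirm forces a per-account prompt; the reviewer approves each deletion.
        Remove-MgUser -UserId $s.Id -Confirm
    }
}
```

Without `-Remove` the script is read‑only and produces the CSV that serves as the quarterly review evidence; run it a second time with `-Remove` after the Security Officer has signed off on the list.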
8. Incident Response Contacts
| Contact | Email | Phone |
|---|---|---|
| Peter K. DHaiti (CEO) | peter@yeapinc.com | (888) 407‑9575 x777 |
| Security Officer | security@yeapinc.com | (888) 407‑9575 x778 |
9. Approval
Approved by:
Peter K. DHaiti – Chief Executive Officer
Date: 08 May 2025