CMMC Compliance for the Microsoft Power Platform

    Microsoft’s Office 365 Suite continues to offer enterprises and end users more capabilities than ever before as the greater workforce becomes more mobile. This is also true for DoD agencies and their supply chain through the Microsoft 365 GCC and GCC High platforms. A key contributor is the Power Platform, a set of low code, workflow automation, and custom solution applications. As of today, it is included in the standard E1 thru E5 Microsoft 365 Licenses (or G3/G5 for GCC High). End Users are empowered to leverage these capabilities by simply signing into office.com (or portal.office365.us), with no additional action required.

    If you have yet to experience the Power of the Platform, below is a brief introduction. If you are familiar, feel free to skip ahead. 

    Power Platform in Microsoft 365 GCC High

    Power Apps

    Power Apps Office 365 GCC High

    Power Apps greatly reduces the amount of effort and investment required to create custom mobile and desktop apps to solve your challenges and the Government's. Integrate data from 50+ connectors and tap into the Common Data Service (CDS integration coming soon) with enterprise scale security and governance.


    Power AutomatePower Automate GCC High

    Power Automate, formerly known as Flow, has been around since 2016 and generally available in Office 365 GCC High since 2019. This particular workload is primarily a workflow engine rather than a complete end to end application developer tool like Power Apps. Users (with proper configurations) and Administrators alike can automate processes with branches, loops, and more. These workflows can trigger actions or be triggered by actions taken by users or on behalf of users. Also, Power Automate contains an array of notification integrations to alert critical process stakeholders at the right time in the right place. Many companies migrating from on-prem SharePoint to SPO choose to Automate legacy, on-prem and cloud-based applications and services.


    Power BIPower BI GCC High

    Power BI is the data analytics and dashboard tool for modern government contractors and DoD agencies. This toolset allows teams to aggregate data from multiple sources into a single pane of glass for easy and quick consumption or reporting. Since data sources may not reside in Microsoft 365, careful consideration should be give to the security and compliance of data sources as well as Power BI itself. 


    Dynamics 365 GCC High

    Dynamics 365 (D365) is a completely different animal and will not be discussed much in this blog; however, it's important to note that Microsoft many times discusses D365 with the Power Platform. Dynamics is not a part of the power platform per se, it a set of modular applications that can create ERP and CRM tools that can leverage the Power Platform. Similar to how Office 365 can.


    The Power Platform Problem

    The Power Platform allows end users to create, move, and store data in various fashions and locations. This could mean all types of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) can be stored, moved, or distributed via connections to Outlook, SharePoint, Azure, Excel, SQL Databases, and more. In fact, over 300 different connections exist for a Commercial Office 365 Tenant, to include 3rd party applications like Facebook and Twitter.

    How does this impact the organization's CMMC/NIST Compliance Strategy?

    First of all, if an organization is completely unaware and ignoring the Power Platform, there is a blind spot in the CMMC/NIST compliance.

    If the organization is leveraging the platform and does not address the handling or access to CUI within the Power Platform, the blind spot is still there…

    To see a few examples of how CMMC Controls can be applied to the Power Platform, check out the details below.

    Foundational CMMC Controls to Consider with the Power Platform 

    SC.3.181 (NIST 3.13.3) Separate user functionality from system management functionality.

    Did you know there is a Power Platform Admin Role? It’s available without additional licensing and only gives the user access to create and administer Environments without giving them access to the Environment’s database. Also, there is no need to assign Global Admin to anyone who just needs to focus on administrating the Power Platform.

    Licensing Note: In previous GCC High licensing, creating an environment was not available to those without premium licensing.

    Additional roles that provide more access and permissions for a solutions administrator include: Environment Makers and System Administrators.

    Environment Makers are users who can not only create apps but can leverage implicitly shared connections from apps shared with them. This gives them access to reuse these connections to view even more data than the original app creator intended! Solution consumers who only need to run an application, would not need to be Environment Makers.

    In the Power Platform Default environment, this is not an option. All users are an Environment Maker.

    Systems Administrator is a role only available for environments with a Common Data Service (CDS) database. This has the same permissions as Environment Maker, with the addition of the following privileges: access data within the CDS database, assign/create/edit environment security roles.

    There are also admin roles set aside for Power BI and Dynamics 365, but the above roles should suffice for most businesses on the outset.


    AT.2.056 (NIST 3.2.1) - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

    SC.3.193 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter)

    These two requirements are intertwined for organizations deploying the Plower Platform because education alone will not prevent the accidental release of CUI via Power Automate etc, nor will technical measures alone. As much as we should prevent users from manually publishing CUI to social media, organizations should also prevent CUI from automatically publishing to social media or sharing through a dashboard/report.

    To complicate matters, Microsoft has created a suite of tools and apps, with the flexibility to solve the same problem in a variety of ways. For instance, if you want to track performance metrics, you could leverage:

    • Excel
    • Excel + OneDrive + Power Automate
    • SharePoint Online + Power Automate
    • SharePoint Online + Power Apps
    • Power Apps + Power Automate + SharePoint Online or SQL or Common Data Services (CDS) or another data source…
    • Power BI and pretty much anything in Office 365…
    • And more…

    Because of the sheer amount of variations, your leadership needs to understand the implications of each application, connector, security role, environment setting, and sharing methods to adequately train users on appropriate behaviors when building Power Platform solutions. Connection settings to the connector itself, can play a factor in any company’s compliance strategy and governance. You may choose to block social Connectors altogether through the Power Platform Admin Center.

    MicrosoftTeams-image (1)-4

    Training and understanding of these tools, will give your organization a quick leg up and path forward to leverage the Power of the Platform in a compliant manner.


    AC.2.007 (NIST 3.1.5) - Employ the principle of least privilege, including for specific security functions and privileged accounts.

    Some NIST controls apply only to admins, and some also apply to solution creators or developers. In this particular case, this Practice/Control applies to both. It is helpful to first look at sharing and then flow types.

    Connections that allow ‘implicit sharing’, such as SQL connections, grants any user with whom the connection is shared with, access to the data source. Sharing this connection can be as simple as sharing the application itself. If the solution consumer is an Environment Maker, they can then reuse this connection in the environment to create their own solutions. If the environment and/or data source is inappropriately configured, the user will now have access to all of the data available from the initial connection, not just the data intended for distribution or more.

    Power Automate's Teams Flows and Run Only flows also need special considerations. Do you have any solutions shared with Edit rights to users who need Run only access? Ensuring your employees understand the difference and select the correct sharing option, will help the organization maintain the practice of least privilege.


    IA.1.076 (NIST 3.5.1) – Identify information system users, process acting on behalf of user, or devices.

    This control can be applied to a few different areas across the Power Platform. 

    As discussed in the last section, Power Automate allows users to create and share a “Run Only” flow with other users who do not need edit permissions. When selecting this option, be aware of the section titled, “Connections Used”. If users in your organization are unknowingly giving others the rights to their own connections, there could be an unintentional spill of CUI.

    Say Employee A created a solution, and shared this solution, leveraging their SharePoint connection, with Employee B. Employee B did not have access to the SharePoint Site used, but does now through the connection within the Flow. Although it is limited access and they are not able to directly go to the SharePoint site to view all data within, there is the scenario that a solution allows them to email themselves (or others) content from a SharePoint site that they don’t have access to. Furthermore, applying this setting to one run only user, applies it to all run only users.


    Power BI permissions also have a very small window of compliance issues to consider. It is important to be aware of the “Build” permissions available when sharing a Power BI Report. The Build option is selected by default when sharing a report, and if not de-selected, the receiver will receive access to the underlying Dataset. They can connect to this from Power BI Desktop or the Power BI Service.

    Once more, the Implicit Sharing capability relates to yet another control. To revisit the details of Implicit sharing, simply revisit the section regarding control: AC.2.007 (NIST 3.1.5) - Employ the principle of least privilege, including for specific security functions and privileged accounts.


    AC.1.002 (NIST 3.1.2) - Limit system access to the types of transactions and functions that authorized users are permitted to execute.

    AC.1.003 (NIST 3.1.20) - Verify and control/limit connections to and use of external systems.

    By default, the Power Platform permits users to create cross-tenant connections – involving authentication to/from other Azure Active Directory (AAD) instances through the Data Connections service within the platform. Although makers will typically be configuring connectors to interact with their “own” organization's Microsoft 365 applications (i.e. Outlook, SharePoint, etc.), this baseline configuration does pose an insider threat concern via the use of cross-tenant connections. It is also not limiting connections to or from external systems.

    For example, below is a screen shot of a workflow in Power Automate. Here you will find the SharePoint Connection sending data to the Outlook connector. The Outlook connector is signed into two different tenants: RWRX (internal) and DWRX (external). Both accounts can be leveraged to send an email through the same connector. Which means CUI, PII or ITAR can also be sent through an external unauthorized account, intentionally or unintentionally.

    If a user was signed into an external Outlook account within a workflow, how would you know?

    Limiting this functionality is an organization’s best chance at mitigating potential issues.


    CM.3.068 (NIST 3.4.7) - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

    Many of our customers are aware of Data Loss Prevention (DLP) Policies regarding Office 365, but many are unaware that the Power Platform also has a DLP capability mentioned previously. 

    The Power Platform DLP, also known as “Data Policies,” enforces rules governing which connectors can be used together and which are blocked and not usable at all. From a governance standpoint, data policies serve as guardrails to help prevent users from exposing an organization’s data.

    This is extremely helpful in managing different environments, data sets, and integrations. In speaking with Summit 7’s Business Solution’s Architect, Patrick Abel, a few other use cases for implementing the Power Platform’s DLP policies are, “ to allow you to better control the use of specific connectors to guard against shadow IT and unexpected licensing sprawl.” More on Configuration Management (CM) here.


    MP.3.122 (3.8.4) - Mark media with necessary CUI markings and distribution limitations.

    Be aware of CUI created via the Power Platform. While Office 365 offers Unified Labeling (previously Azure Information Protection (AIP) labels), the Power Platform does not currently have an out of the box solution that correlates to Unified Labeling settings for manual or automatic applications. This means any CUI requiring marking, will need to be considered and addressed separately.

    CUI could potentially be displayed within a Power BI report. Power BI also offers the capability to print to PDF or PowerPoint. Be aware of these capabilities and mark reports appropriately to meet CMMC and DFARS .

    RM.2.141 - Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

    Your organization needs to regularly assess how CUI access is granted to users during onboarding to the company or projects. At a high level, we should ask are we applying the appropriate access to the Power Platform Environments that contain CUI? or ITAR data? If the default Power Platform Environment contains CUI, all of the users with E1 to E5 Microsoft 365 license will automatically have access to that environment.

    While it’s not guaranteed that you will have issues, because of the multiple layers of permissions and securities, the opportunity exists for an untrained user to share an application to the entire company containing CUI. Moreover, if the application contains a data source connection with implicit sharing, your user may be granting everyone access to the source. Yikes.

    This is where a strong Environment Strategy can assist. Creating boundaries for specific solution purposes, only aids in the goal of compliance, as the appropriate location or access authorization for solutions interacting with CUI is clearly defined.


    Is Power Apps, Power Automate, or Power BI CMMC compliant out of the box? No, but they can be configured to all the applicable Practices and pass an audit. CMMC compliance is a matter of implementation and proper configuration.

    These are only a few CMMC Practices and considerations organizations in the Defense Industrial Base (DIB), MSP's, and other service and solution providers like Summit 7 must address the longstanding issues of cybersecurity and continue to modernize. To make the most out of your Office 365/Microsoft 365 investment, it is beneficial to permit users to solve operational and process issues with Power Automate, Power Apps, and Power BI - but not at the expense of compliance. A balance must be struck.

    As your organization transitions to Microsoft 365 or begins to capitalize on the Power Platform's capabilities, consider exploring the following actions or services to better your organizations chances of adoption and successful audit:

    • Governance Assistance
    • End User Training (Teams, OneDrive, Power Apps, Power BI, Power Automate, SharePoint, and more)
    • Business Solutions with Power Apps and Power Automate
    • Reconfiguration from SharePoint 2010, 2013, 2016, 2019
    • Power Platform CMMC Level 3 Assessment
    • MSP Support with Power Platform Technical Support included

    Contact us to discuss options for all of the above!


    Subscribe Here!

    Recent Posts

    Posts by Topic

    see all

    CS2 Going Live on Tue, March 7, 2023 7:45 AM CDT

    CS2 Live Countdown  Register Now