Office 365 ProPlus STIG Implementation Checklist (Ver 3, Rel 7)

Hard 16 items · 4 hours
testuser Published 3 months ago

This checklist helps IT and security teams implement the Microsoft Office 365 ProPlus STIG (Ver 3, Rel 7). Use it to gather DISA resources, apply GPO and Intune controls, run automated scans, remediate findings, and document changes for ongoing compliance. It’s designed for administrators managing Office 365 ProPlus on endpoints in a managed environment.

Source: https://ncp.nist.gov/checklist/953

  1. Gather STIG resources from DISA — Collect STIG document, SCAP/XCCDF files, GPO packages, and Intune policies.
  2. Download SCAP 1.3 content — Grab the SCAP benchmark content for automated assessments.
  3. Download Standalone XCCDF 1.1.4 — Obtain the XCCDF checklist for manual or tool-based checks.
  4. Download Intune policies (latest) — Retrieve the published Intune policy package for Office 365 ProPlus.
  5. Download GPO package for Office 365 ProPlus — Save the Group Policy Objects distributed by DISA for deployment.
  6. Review the STIG document and checklist details — Read requirements, scope, exceptions, and change history before implementing.
  7. Identify target systems running Office 365 ProPlus — List endpoints, user groups, and managed device types in scope.
  8. Inventory current Office configurations and versions — Record build numbers, update channels, and installed Office components.
  9. Map STIG requirements to existing controls — Determine which controls are already implemented and identify gaps.
  10. Import SCAP/XCCDF content into assessment tools — Load benchmark content into your scanner or compliance tool.
  11. Run automated STIG scan and review results — Execute scans, export findings, and prioritize by risk level.
  12. Apply GPOs to managed devices — Import and link DISA GPOs to appropriate OUs in your AD environment.
  13. Deploy Intune policies to managed endpoints — Publish and assign Intune configurations to device groups.
  14. Remediate high-risk findings — Apply fixes, config changes, or compensating controls for critical items.
  15. Document configuration changes and approvals — Record what changed, why, and who approved it for audit purposes.
  16. Schedule recurring reviews and update STIG resources — Plan periodic reassessments and refresh DISA resources as they update.
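Items 10 and 11 above load XCCDF content into a scanner and then prioritize the failed findings by risk. As an added example (not part of this checklist or any DISA tool), the function below reads an XCCDF 1.2 TestResult, keeps only rule-results that failed, and orders them by the rule's declared severity; the benchmark XML is a constructed sample with hypothetical rule ids, not a real DISA benchmark.

```python
"""Triage failed XCCDF rule-results by severity (added example, constructed data)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: minimal Benchmark plus a TestResult. Rule ids and titles
# are hypothetical and do not correspond to real STIG rule identifiers.
SAMPLE_XCCDF = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_o365">
  <Group id="xccdf_example_group_office">
    <Rule id="xccdf_example_rule_macros" severity="high">
      <title>Block macros in files from the Internet</title>
    </Rule>
    <Rule id="xccdf_example_rule_telemetry" severity="low">
      <title>Disable optional diagnostic data</title>
    </Rule>
    <Rule id="xccdf_example_rule_activex" severity="medium">
      <title>Disable ActiveX controls</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_scan1">
    <rule-result idref="xccdf_example_rule_macros"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_telemetry"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_activex"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Lower number sorts first; unknown severities sink to the bottom for manual review.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def failed_rules_by_severity(xccdf_xml: str) -> list:
    """Return failed findings as dicts (id, severity, title), highest severity first."""
    root = ET.fromstring(xccdf_xml)
    rules = {}
    # Rules may be nested in Groups, so walk the whole tree rather than direct children.
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title = rule.find("x:title", NS)
        rules[rule.get("id")] = {
            "severity": rule.get("severity", "unknown"),
            "title": title.text.strip() if title is not None and title.text else "",
        }
    findings = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find("x:result", NS)
        if result is None or result.text != "fail":
            continue  # only open findings are remediation work
        meta = rules.get(rr.get("idref"), {"severity": "unknown", "title": ""})
        findings.append({"id": rr.get("idref"), **meta})
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 4))
    return findings
```

On a real scan export, point `ET.fromstring` at the tool's XCCDF results file; rules whose `idref` is not found in the loaded benchmark are reported with severity `unknown` rather than silently dropped.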