Framework-driven security
for your M365 tenant
CIS M365 Benchmark and NIST CSF 2.0. Auto-detect from M365. Attest what you handle with other tools. Get a compliance score that reflects your actual posture — not just what Microsoft can see.
The problem
Compliance frameworks in a spreadsheet
Most organizations "do CIS" by opening a 60-row spreadsheet and manually checking boxes once a year. The spreadsheet doesn't know your M365 configuration. It doesn't know you use Okta. And it's out of date the moment you close it.
The solution
Living assessments, not annual audits
Calibrant auto-detects everything it can from M365, then lets you attest the rest with full context — tool name, notes, evidence. The score updates live as you work. Re-scan anytime to refresh the M365-detectable controls. Attestations persist.
Protocol
How it works
Assess, scan, attest — continuously.
Choose Framework
Start a CIS M365 or NIST CSF 2.0 assessment. All controls load instantly — pending until evaluated.
Run Scan
The relay auto-detects ~44 CIS controls and ~30 NIST controls directly from your M365 configuration.
Attest the Rest
For controls handled by other tools (Okta, Duo, CrowdStrike), add a note and mark as attested. Score updates live.
Supported frameworks
Start one or both. Assessments are independent; controls are cross-referenced between them.
CIS M365 v4.0
CIS Microsoft 365 Foundations Benchmark
Prescriptive configuration guidance — every control is a specific M365 setting. The most actionable framework for M365 environments.
59 total controls; 44 auto-detected; levels / tiers: L1 + L2
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
Risk-based framework with 6 functions (GV/ID/PR/DE/RS/RC). Mix of M365 auto-checks and organizational controls for full coverage.
41 total controls; 30 auto-detected; levels / tiers: Tiers 1–4
Built for real compliance programs
Not a checklist. A working assessment system.
CIS M365 Benchmark
59 controls mapped directly to M365 settings. Level 1 (minimum recommended) and Level 2 (high-security). Most controls auto-evaluated by relay scan.
NIST CSF 2.0
41 subcategories across all 6 functions: Govern, Identify, Protect, Detect, Respond, Recover. Cross-mapped to CIS controls for traceability.
Third-Party Attestation
Using Okta instead of Entra MFA? CrowdStrike for endpoint detection? Attest any control with a note — your score reflects your actual posture.
Living Assessment
Attestations persist across scans. Re-scan to refresh M365-detectable controls. Your compliance score evolves as your environment improves.
Zero Credentials Required
All M365 data collection runs through the relay's Managed Identity. No passwords, no service accounts, no OAuth tokens on-premises.
Audit-Ready Export
CSV export includes framework, section, control ID, level, status, attestation notes, and tool names. Ready for GRC platforms or auditor review.
Every control has a clear status
Score = (Auto Pass + Attested) / (Total − N/A) × 100
Your MFA might be Okta. We know.
CIS control 2.1.1 says “Ensure MFA is enforced via Conditional Access.” But if your MFA runs through Okta or Duo, the M365 check fails — even though your posture is fine.
Security Checkup lets you attest any control with a note: “MFA enforced by Okta SSO — all users enrolled.” That attestation counts toward your score, persists across scans, and shows up in your audit export.
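To make the scoring formula above and the Okta attestation scenario concrete, here is a small Python model of the workflow (scan, attest, mark N/A, re-scan, export). It is an added example, not Calibrant's code: only control 2.1.1 comes from the page; the other control IDs, sections, scan results, status names and the CSV column ordering are constructed placeholders.

```python
import csv
import io
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    """States implied by the page: pending until evaluated, auto pass/fail from a
    scan, attested by hand, or excluded as N/A. Names are constructed."""
    PENDING = "pending"
    AUTO_PASS = "auto_pass"
    AUTO_FAIL = "auto_fail"
    ATTESTED = "attested"
    NOT_APPLICABLE = "n/a"


@dataclass
class Control:
    framework: str
    section: str
    control_id: str
    level: str
    status: Status = Status.PENDING
    attestation_note: str = ""
    tool_name: str = ""


def _find(controls, control_id):
    for c in controls:
        if c.control_id == control_id:
            return c
    raise KeyError(f"unknown control {control_id}")


def apply_scan(controls, scan_results):
    """Refresh auto-detectable controls from {control_id: passed}. Attested and
    N/A controls are skipped, so attestations persist across scans."""
    for control_id, passed in scan_results.items():
        c = _find(controls, control_id)
        if c.status in (Status.ATTESTED, Status.NOT_APPLICABLE):
            continue
        c.status = Status.AUTO_PASS if passed else Status.AUTO_FAIL
    return controls


def attest(controls, control_id, note, tool):
    """Mark a control as handled by another tool, keeping the context for export."""
    c = _find(controls, control_id)
    c.status, c.attestation_note, c.tool_name = Status.ATTESTED, note, tool
    return c


def mark_not_applicable(controls, control_id, note):
    c = _find(controls, control_id)
    c.status, c.attestation_note = Status.NOT_APPLICABLE, note
    return c


def score(controls):
    """Score = (Auto Pass + Attested) / (Total - N/A) * 100, one decimal.
    Pending and failed controls stay in the denominator and pull the score down."""
    applicable = [c for c in controls if c.status is not Status.NOT_APPLICABLE]
    if not applicable:
        return 0.0
    satisfied = sum(c.status in (Status.AUTO_PASS, Status.ATTESTED) for c in applicable)
    return round(100.0 * satisfied / len(applicable), 1)


# The fields the page lists for the audit export; the order is an assumption.
CSV_COLUMNS = ["framework", "section", "control_id", "level", "status", "attestation_note", "tool_name"]


def export_csv(controls):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_COLUMNS)
    for c in controls:
        writer.writerow([c.framework, c.section, c.control_id, c.level,
                         c.status.value, c.attestation_note, c.tool_name])
    return buf.getvalue()


def sample_controls():
    """Constructed sample: only 2.1.1 is from the page; the rest are placeholders."""
    return [
        Control("CIS M365 v4.0", "placeholder-section", "2.1.1", "L1"),
        Control("CIS M365 v4.0", "placeholder-section", "example-A.1", "L1"),
        Control("CIS M365 v4.0", "placeholder-section", "example-A.2", "L2"),
        Control("CIS M365 v4.0", "placeholder-section", "example-B.1", "L1"),
        Control("CIS M365 v4.0", "placeholder-section", "example-C.1", "L2"),
    ]


def run_example():
    """Scan, attest, mark N/A, re-scan; returns the score after each step and the CSV."""
    controls = sample_controls()
    scores = [score(controls)]  # everything pending -> 0.0
    # Constructed scan: the M365 MFA check fails because MFA runs through Okta;
    # example-C.1 is organizational and never appears in scan results.
    scan = {"2.1.1": False, "example-A.1": True, "example-A.2": True, "example-B.1": False}
    apply_scan(controls, scan)
    scores.append(score(controls))  # 2 of 5 -> 40.0
    attest(controls, "2.1.1", "MFA enforced by Okta SSO; all users enrolled.", "Okta")
    scores.append(score(controls))  # 3 of 5 -> 60.0
    mark_not_applicable(controls, "example-C.1", "No in-scope workload for this control.")
    scores.append(score(controls))  # 3 of 4 -> 75.0
    apply_scan(controls, scan)  # re-scan: 2.1.1 stays attested, score unchanged
    scores.append(score(controls))  # 75.0
    return scores, export_csv(controls)


if __name__ == "__main__":
    scores, report = run_example()
    print("scores after each step:", scores)
    print(report)
```

The design point to notice is that a re-scan only touches controls whose status came from a scan; an attestation is never overwritten by a failing M365 check, and a control marked N/A leaves the denominator rather than counting as a pass.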
Ready to know where you stand?
Pick a framework, run your first scan, and start attesting. Most teams get to a meaningful compliance score in their first session.