Veri-Docs Dev Lab
Security Compliance Report
April 22, 2026
Confidential
| Controls Passing | Controls Failing | Total Assessed | Risk Level |
|---|---|---|---|
| 353 | 174 | 548 | Moderate |

Linked breach precedents: 15 documented security incidents, with over $6.6B in combined costs, were caused by the same misconfigurations currently present in this tenant.
Framework Compliance
| Framework | Score | Passing | Failing | Checked |
|---|---|---|---|---|
| EIDSCA | 62% | 64 | 40 | 104 |
| CISA Secure Baseline | 64% | 68 | 39 | 107 |
| CIS Microsoft 365 | 67% | 250 | 123 | 373 |
| NIST 800-53 r5 | 68% | 179 | 85 | 264 |
| ISO 27001:2022 | 69% | 74 | 33 | 107 |
| HHS 405(d) HICP | 69% | 142 | 63 | 205 |
| NIST CSF 2.0 | 70% | 35 | 15 | 50 |
| SOC 2 Type II | 73% | 38 | 14 | 52 |
| HIPAA Security Rule | 73% | 37 | 14 | 51 |
Domain Scores
Top Risks & Recommendations
Top 10 Highest Severity Failing Controls
| # | Control | ID | Severity | Linked precedents |
|---|---|---|---|---|
| 1 | Block legacy authentication protocols | CIS-1.1.2 | critical | 2 incidents |
| 2 | Configure sign-in risk Conditional Access policy | CIS-1.2.1 | critical | — |
| 3 | Block legacy auth endpoints in the authentication methods policy | EIDSCA-AP03 | critical | — |
| 4 | Require MFA for Global Administrator sign-ins | CIS-1.1.10 | critical | — |
| 5 | Enforce Conditional Access for unmanaged devices | CIS-1.1.16 | critical | — |
| 6 | Enforce guest user access review cadence | CIS-1.3.1 | critical | 2 incidents |
| 7 | Block legacy POP3 authentication to mailboxes | CIS-1.3.7 | critical | — |
| 8 | Disable voice call as a primary authentication method | CIS-1.3.13 | critical | — |
| 9 | Enforce authenticator app lockout policy | CIS-1.4.5 | critical | — |
| 10 | Disable persistent browser sessions for unmanaged devices | CIS-1.4.11 | critical | — |
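The highest-ranked finding, blocking legacy authentication, is normally satisfied by an enforced Conditional Access policy. The script below is an added example, not part of this report or of the tool that produced it, showing how to verify that from the tenant's Conditional Access policies. The pass criteria it applies (policy enabled, all users and all cloud apps in scope, client app types covering both `exchangeActiveSync` and `other`, grant control `block`) are an interpretation of the control, not the report's own scoring logic. The two policies in `$policies` are a constructed sample in the shape returned by the Microsoft Graph PowerShell SDK cmdlet `Get-MgIdentityConditionalAccessPolicy`, so the script runs offline; the commented lines show the live call to substitute.

```powershell
# Added example: check whether an enforced Conditional Access policy blocks
# legacy authentication. Not code from the report or its generating tool.
#
# Against a real tenant, replace the constructed sample with:
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policies = Get-MgIdentityConditionalAccessPolicy
# PowerShell member access is case-insensitive, so the function below works on
# both the SDK's PascalCase objects and the camelCase JSON sample.

# CONSTRUCTED sample: one MFA policy that does not touch legacy protocols, and
# one legacy-auth block that was left in report-only mode.
$policies = @'
[
  {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"], "excludeUsers": [] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
    },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
  },
  {
    "displayName": "Block legacy auth (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": { "includeUsers": ["All"], "excludeUsers": ["00000000-0000-0000-0000-000000000001"] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["exchangeActiveSync", "other"]
    },
    "grantControls": { "operator": "OR", "builtInControls": ["block"] }
  }
]
'@ | ConvertFrom-Json

function Test-BlocksLegacyAuth {
    # Evaluates one policy against the assumed pass criteria for the control.
    param([Parameter(Mandatory)] $Policy)

    $apps = @($Policy.conditions.clientAppTypes)
    # Legacy protocols are the 'exchangeActiveSync' and 'other' client app types;
    # 'all' also covers them.
    $legacyCovered = ($apps -contains 'all') -or (($apps -contains 'exchangeActiveSync') -and ($apps -contains 'other'))
    $allUsers = @($Policy.conditions.users.includeUsers) -contains 'All'
    $allApps  = @($Policy.conditions.applications.includeApplications) -contains 'All'
    $blocks   = @($Policy.grantControls.builtInControls) -contains 'block'
    # Report-only ('enabledForReportingButNotEnforced') logs but does not block.
    $enforced = $Policy.state -eq 'enabled'

    [pscustomobject]@{
        Policy        = $Policy.displayName
        State         = $Policy.state
        LegacyCovered = $legacyCovered
        AllUsers      = $allUsers
        AllApps       = $allApps
        Blocks        = $blocks
        Passes        = ($legacyCovered -and $allUsers -and $allApps -and $blocks -and $enforced)
    }
}

$results = $policies | ForEach-Object { Test-BlocksLegacyAuth -Policy $_ }
$results | Format-Table -AutoSize | Out-Host

if ($results.Passes -contains $true) {
    Write-Host 'PASS: an enforced Conditional Access policy blocks legacy authentication.'
} else {
    Write-Host 'FAIL: no enforced Conditional Access policy blocks legacy authentication.'
    # Point at policies that would pass if they were switched from report-only to enabled.
    $results | Where-Object { -not $_.Passes -and $_.LegacyCovered -and $_.Blocks } | ForEach-Object {
        Write-Host "  Candidate '$($_.Policy)' is in state '$($_.State)'; review its report-only sign-in results, then set it to 'enabled'."
    }
}
```

Two caveats when acting on the result. First, the script treats user exclusions (such as a break-glass account) as acceptable, so confirm the exclusion list is deliberate before calling the control satisfied. Second, it only inspects Conditional Access: the authentication-methods-policy and mailbox-level settings behind controls #3 and #7 above are separate configurations and are not covered by this check. Before moving a legacy-auth block from report-only to enabled, filter the Entra sign-in logs on the client app field for legacy values (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients) to find the accounts and devices the block will break.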
Linked Breach Precedents
The following documented security incidents were caused by the same misconfigurations currently present in this tenant. These precedents illustrate the real-world consequences of leaving these controls unaddressed.
| Incident | Reported cost |
|---|---|
| Change Healthcare Ransomware | $1.6B+ |
| Healthcare M365 Email Breaches (180 orgs) | $1.7B/yr |
| SolarWinds Supply Chain Attack | $100M+ |
| Montefiore Medical Center (HIPAA) | $4.75M |
| Microsoft Midnight Blizzard | $1B+ (SFI) |
| Colonial Pipeline Ransomware | $4.4M ransom + $1B+ impact |
Recommended Next Steps
1. Remediate Critical & High Severity Controls
Of the 174 failing controls, 100 are rated Critical or High severity and should be prioritized for immediate remediation. The report marks 174 controls as supporting automated remediation.
2. Enable Continuous Monitoring
Schedule weekly scans to detect compliance regressions as configurations change. Track score trends over time to demonstrate continuous improvement.
3. Address License Gaps
All required licenses are present. No gaps to address.
