CIS Microsoft 365 Evidence

When someone asks “prove it”, hand them this.

We snapshot your Microsoft 365, evaluate 140 controls against the CIS Microsoft 365 Foundations Benchmark v6.0.1, and package the results into a professional evidence binder. Offline. Portable. Ready to hand to an insurer, auditor, client reviewer, or due diligence team.

Read-only • No changes to your tenant • Offline & portable

Without PROVE:
📧 Re: MFA evidence? “Can you resend that screenshot?”
📁 Screenshots (3): MFA_proof_v2_FINAL_revised.png
📄 Vendor Questionnaire.xlsx: “Describe your email security”
💬 #compliance: “Anyone have the CA export?”
Renewal in 18 days. Underwriter still waiting.

With PROVE:
📦 PROVE_CLIENT_BUNDLE_Contoso.zip: one file. Open in any browser.
START_HERE.html
 📄 PROVE_BINDER_Contoso/index.html
 📄 run_scorecard.md
 📄 evidence_worklist.csv
 📄 trace_summary.md
 📁 PROVE_EVIDENCE_PACK_Contoso/
 🔒 CHECKSUMS.sha256
 🔒 chain_of_custody.md
 🔒 PROVE_GATE_REPORT.md
The problem
Three conversations. Zero good answers.
INSURANCE RENEWAL

“Show us your MFA and email security posture.”

Your insurer sends a questionnaire. You spend a week pulling screenshots, writing narratives, and hoping it’s enough. PROVE turns that scramble into a single CIS-aligned evidence package.

CLIENT DUE DILIGENCE

“Can you demonstrate your security controls?”

A prospect or existing client asks for proof. You rewrite the same answers for every questionnaire—and nobody can verify any of it.

MSP TRANSITION

“What’s the current state of our tenant?”

You’re switching IT providers, or you just hired one. Someone should look at what’s there—and that someone shouldn’t be the one grading their own work.

PROVE replaces the scramble.

Instead of pulling screenshots and writing cover letters, you hand the reviewer a single evidence binder that shows exactly what’s configured, what passed, what didn’t, and what needs human follow-up. Built from a read-only snapshot. Deterministic: same evidence in, same outcomes out. They can verify it without trusting you.

  • 140 CIS controls evaluated
  • 9 CIS benchmark sections
  • 1 portable ZIP file
  • 0 changes to your tenant

What lands on your desk
One ZIP. Open in any browser. No portal, no login.
  • Evidence Binder

    The thing your reviewer reads. Every control includes an Audit Narrative: the requirement, what was tested, what was found, and how to fix it. Opens offline in any browser.

  • Follow-up Worklists

    Anything that needs human follow-up (a policy document, a signed statement, a manual export) gets its own checklist entry with exactly what to provide.

  • Evidence Pack

    The raw exports from your tenant, checksummed and chain-of-custody documented. A reviewer can trace any outcome back to the source data.

  • Integrity Artifacts

    SHA-256 checksums, chain of custody, and a gate report proving 15 integrity checks passed before delivery. If any in-scope evidence couldn’t be collected, delivery is blocked automatically. No partial binders.

[Screenshot: PROVE Assessment Binder Executive Summary showing 140 CIS controls, readiness score, outcome breakdown, and delivery status. Real output from the CIS-only client binder.]
How it works
Five steps. Nothing touches your tenant.

If evidence is blocked at any point, we stop and tell you why. We don’t ship a binder built on gaps.

1. Scope: agree what we’re checking and what we’re not.

2. Collect: read-only export of your M365 configuration.

3. Evaluate: findings tested against the CIS Microsoft 365 Foundations Benchmark v6.0.1.

4. Package: binder, worklists, evidence, and integrity artifacts.

5. Deliver: you get a ZIP. Follow-up items get a worklist.

Inside the binder
This is what your reviewer actually opens.

Real output from a PROVE assessment.

[Screenshot: Domain Overview showing 9 CIS benchmark sections with pass-rate bars and control counts]

Domain Overview

Nine CIS benchmark sections with pass rates, control counts, and inline previews: Microsoft 365 admin center, Microsoft 365 Defender, Microsoft Purview, Microsoft Intune admin center, Microsoft Entra admin center, Exchange admin center, SharePoint admin center, Microsoft Teams admin center, and Microsoft Fabric.

[Screenshot: Control Register showing 140 CIS controls with outcome filters and a searchable control list]

Control Register

All 140 CIS controls in one searchable register. Filter by outcome or keyword. Click any row to expand the full workpaper detail.

[Screenshot: Action Plan with prioritized remediation steps, including admin portal paths and effort estimates]

Action Plan

Every Non-Compliant control gets a specific remediation step: which admin portal, which setting, what to change. Priority-ranked with practical next actions and suggested owners.

[Screenshot: Expanded control showing Audit Narrative, requirement, procedure, expected result, remediation, findings, and evidence references]

Control Detail

Expand any control to see the full workpaper: Audit Narrative, the standard’s requirement, what was tested, the expected result, remediation guidance, findings with values, and links to the source evidence.

[Screenshot: Compliance Readiness showing common insurance, audit, and compliance questions mapped to specific control evaluations]

Compliance Readiness

Common insurance, audit, and compliance questions mapped to specific control evaluations — not opinion. Each answer reflects the worst-case outcome across its mapped controls, determined at build time by the evaluation engine.

[Screenshot: Scope and Methodology showing the evaluation chain and the client-facing outcome taxonomy with seven labels]

Scope & Methodology

How PROVE evaluates: the five-step evidence chain from collection to rendering, assessment boundaries, and the seven-label outcome taxonomy. Every determination follows one path — controls evaluate findings, not raw evidence.

Your data never leaves the engagement.

PROVE runs entirely on the JGS consultant’s workstation. No tenant data is uploaded to any cloud service or third-party infrastructure. The assessment uses 35 scoped permissions: 34 read-only application permissions via certificate-based authentication, plus one delegated SharePoint scope for tenant-admin configuration reads. PROVE collectors execute only read operations, and the application is published by a Microsoft-verified publisher.

Evidence is retained for a maximum of 30 days following delivery, then securely deleted. You can revoke all permissions at any time by removing the app from Entra ID. The evaluation engine is deterministic — rule-based logic, no AI or machine learning.

Pricing
Fixed price. No hourly. No surprises.

Choose the tier that fits your workflow.

Single Scan
One run. One bundle. A point-in-time evidence binder for your Microsoft 365 tenant.
$1,495
One assessment run
  • Offline evidence binder
  • Worklists with specific action items
  • Evidence pack with raw exports
  • Integrity artifacts (checksums + custody)
  • 140 CIS controls across 9 benchmark sections
Need help acting on what PROVE finds? Remediation and governance support are available as separate engagements.

What PROVE is not.

Not a pen test. Not a vulnerability scan. Not a certification or legal opinion. Not a guarantee your insurer will say yes. Not a dashboard, a portal, or a SaaS subscription. Not an AI tool. Not an MSP, a SOC, or a helpdesk. We show what’s there. If you want fixes, that’s a separate conversation.

FAQ
Common questions
What exactly do you look at?
Nine CIS benchmark sections: Microsoft 365 admin center, Microsoft 365 Defender, Microsoft Purview, Microsoft Intune admin center, Microsoft Entra admin center, Exchange admin center, SharePoint admin center, Microsoft Teams admin center, and Microsoft Fabric. All read-only. We export evidence from Microsoft 365 admin APIs and evaluate it against the CIS Microsoft 365 Foundations Benchmark v6.0.1.
What access do you need?
A Global Admin or Privileged Role Admin clicks a one-time consent link that grants 35 scoped permissions across Microsoft Graph, Defender, Exchange, and SharePoint. Certificate-based authentication — no one stays signed in. SharePoint admin access is optional. You can revoke everything at any time by deleting the enterprise app from Entra ID.
Do you change anything in our Microsoft 365?
No. PROVE is “show me, don’t touch.” If you want changes afterward, that’s a separate engagement with its own approved scope.
How long does it take?
Evidence collection takes hours, not weeks. After the run, you receive your binder and worklists. The timeline depends mostly on scheduling and prerequisites, not the work itself.
We already use Secure Score / Defender dashboards. Why this?
Dashboards help you manage your environment day-to-day. But when someone outside your organization asks for proof, they need something they can read and verify independently—without logging into your tenant. That’s what the binder is.
Is this a certification?
No. PROVE produces evidence and governance determinations. It is not a certification, legal attestation, or guarantee. Auditors and underwriters apply their own judgment—we give them organized, verifiable evidence so that review goes faster.
What if some items need follow-up?
They go on a worklist. Some controls require a policy document, a signed statement, or a manual export that a machine can’t pull automatically. Each worklist entry tells you exactly what to provide and what “done” looks like.
How are decisions made?
The evaluation engine is deterministic — rule-based logic applied to collected evidence. Same evidence in, same outcomes out.
How do we verify the results haven’t been tampered with?
The bundle includes SHA-256 checksums for every evidence artifact, a chain-of-custody manifest, and a gate report documenting 15 integrity checks that passed before delivery was allowed.
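A reviewer’s offline check of that manifest, as an added example that is not PROVE’s own tooling: it builds a constructed bundle, verifies every listed artifact against CHECKSUMS.sha256, and also confirms that no file in the pack is missing from the manifest (a gap `sha256sum -c` alone does not report). File names and contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PROVE's own tooling): verify a delivered bundle offline
# against its CHECKSUMS.sha256 manifest. Bundle contents are constructed placeholders.
set -eu

# GNU coreutils provides sha256sum; macOS/BSD ship shasum instead.
SHA=$(command -v sha256sum >/dev/null 2>&1 && echo sha256sum || echo "shasum -a 256")

# Build a constructed bundle in a temp dir, write its manifest, print the path.
make_demo_bundle() {
  dir=$(mktemp -d)
  mkdir -p "$dir/PROVE_EVIDENCE_PACK_Contoso"
  printf '{"constructed":"sample export"}\n' > "$dir/PROVE_EVIDENCE_PACK_Contoso/sample_export.json"
  printf '# constructed scorecard\n' > "$dir/run_scorecard.md"
  printf '# constructed custody log\n' > "$dir/chain_of_custody.md"
  # Exclude the manifest itself: the redirect creates it before find finishes.
  ( cd "$dir" && find . -type f ! -name CHECKSUMS.sha256 | sed 's|^\./||' \
      | LC_ALL=C sort | xargs $SHA > CHECKSUMS.sha256 )
  echo "$dir"
}

# Returns 0 only if (a) every listed artifact hashes to its recorded digest and
# (b) every file in the bundle is listed. Check (b) catches files the manifest
# omits, which `sha256sum -c` alone never mentions.
verify_bundle() {
  dir=$1
  [ -f "$dir/CHECKSUMS.sha256" ] || { echo "no manifest" >&2; return 1; }
  ( cd "$dir" && $SHA -c --quiet CHECKSUMS.sha256 >/dev/null 2>&1 ) \
      || { echo "digest mismatch or missing artifact" >&2; return 1; }
  # Manifest lines are "<hex>  <path>" (or "*<path>" for binary mode).
  listed=$(awk '{ sub(/^\*/, "", $2); print $2 }' "$dir/CHECKSUMS.sha256" | LC_ALL=C sort)
  present=$(cd "$dir" && find . -type f ! -name CHECKSUMS.sha256 | sed 's|^\./||' | LC_ALL=C sort)
  [ "$listed" = "$present" ] || { echo "file(s) present but not in manifest" >&2; return 1; }
  return 0
}

# Stand-alone demo: a clean bundle passes; an artifact edited after delivery is caught.
if [ "${PROVE_DEMO:-1}" = 1 ]; then
  b=$(make_demo_bundle)
  verify_bundle "$b" && echo "clean bundle: verified"
  printf 'edited after delivery\n' >> "$b/run_scorecard.md"
  verify_bundle "$b" || echo "tampered bundle: rejected"
  rm -rf "$b"
fi
```

Run it against a real bundle with `verify_bundle /path/to/unzipped/PROVE_CLIENT_BUNDLE_<tenant>` after unzipping; the chain_of_custody.md and gate report are read separately, since they describe process rather than file integrity.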
What happens to our data after the engagement?
Evidence is securely deleted within 30 days of final delivery. No cloud backups, no persistent store. Your binder is yours — you retain the full assessment package under your own data governance.
Jeremiah Spears
Founder • JGS Cloud Compliance

Most firms do not fail scrutiny because they did nothing. They fail because the proof is scattered: a dashboard here, a screenshot there, and a different story depending on who answers the email.

Stop scrambling. Start handing it over.

Short call. We confirm fit, agree scope, schedule the run.