docs(compliance): add manual control verification templates for CIS M…#227

Open
Ashjani wants to merge 3 commits into
mainfrom
feature/26T1-GRC-AA-manual-control-templates

Conversation

@Ashjani
Collaborator

@Ashjani Ashjani commented May 8, 2026

Summary

Work in progress, still not finished: adding GRC content for the manual control verification integration.

This PR adds verification templates for the 14 CIS M365 v6.0.0 controls that cannot be
automated. Each template contains step-by-step auditor instructions, a keyword list for
confidence scoring, severity level, and evidence type. Templates are formatted to match
the ControlVerificationTemplate schema and will be seeded via POST /v1/verification-templates/
once Aaron's migration is merged.

Still to be added to this PR:

  • Manual control classification doc (docs/compliance/manual_control_classification.md)
  • Confidence threshold justification doc (docs/compliance/confidence_threshold_justification.md)
  • Confidence scoring algorithm (backend-api/app/services/confidence_scorer.py)

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Refactor / code cleanup
  • Documentation
  • CI/CD / infrastructure
  • Security

Affected Components

  • /backend-api
  • /frontend
  • /engine (collectors / policies)
  • /security
  • /infrastructure
  • /.github/workflows
  • /docs

Motivation

14 controls in the CIS M365 Foundations Benchmark v6.0.0 cannot be checked automatically
because Microsoft does not expose those settings through a stable API. When a scan runs,
these controls are created with status pending and never update. There is no guidance for
auditors on what to check or upload.

This PR provides the content layer for the manual verification workflow: auditor
instructions and keywords for all 14 controls, so that when Aaron Alijani's ControlVerificationTemplate
table and endpoints are merged, the table can be seeded immediately and auditors have
structured guidance for every pending manual control.

Testing Done

  • Unit tests pass locally
  • Tested manually — describe how:
  • No tests required: documentation and JSON data only, no executable code in this PR yet

Security Considerations

No security impact. This PR adds documentation and a JSON data file only. No secrets,
credentials, API permissions, or data exposure changes.

Breaking Changes

  • No breaking changes

Rollback Plan

  • Revert commit is sufficient

Checklist

  • Code follows project conventions
  • No secrets, credentials, or tokens committed
  • Relevant documentation updated (if applicable)
  • CI/CD workflows pass on this branch
  • PR is focused on one thing

Screenshots

Not applicable: no frontend or visual changes.

@du-dhartley
Collaborator

This is currently blocked by the changes required on PR #229 around the version and benchmark/framework specifications. As we will be dealing with multiple versions of multiple benchmarks or frameworks, it's critical that the data living in the database can be explicitly matched on the combination of benchmark, version and control_id, rather than control_id alone.

Collaborator

@du-dhartley du-dhartley left a comment

Requesting changes based on my previous comment about this being blocked by another PR for version reasons

@Ashjani
Collaborator Author

Ashjani commented May 16, 2026

Hi @du-dhartley, thanks for the review and for flagging the dependency on PR #229.

I've updated all 24 templates in the latest commit (727dbb3) to include
the framework, benchmark, and version fields, so the data is now keyed on the
full (framework, benchmark, version, control_id) tuple matching Aaron's updated
schema.

Happy to keep this open until PR #229 is merged so you can review everything
together. Let me know if there's anything else to address on this side.
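As an added example (not code from this PR or the project), a small Python check of the template shape the description lists (auditor instructions, keyword list, severity, evidence type) and of the keying the review asked for. The field names and the sample templates are assumptions; it shows that two benchmark versions of the same control collide under a control_id-only key but not under the full tuple:

```python
from typing import Callable, Dict, List, Tuple

# Fields the PR description says each template carries, plus the three keying
# fields added in commit 727dbb3; the exact field names are assumptions.
REQUIRED_FIELDS = ("framework", "benchmark", "version", "control_id",
                   "instructions", "keywords", "severity", "evidence_type")
Key = Tuple[str, ...]

# Constructed sample data (not the PR's templates): one control_id under two
# benchmark versions, the case the reviewer wants the database key to separate.
SAMPLE_TEMPLATES: List[dict] = [
    {"framework": "CIS", "benchmark": "M365 Foundations", "version": "6.0.0",
     "control_id": "7.2.8", "instructions": ["Open the admin center"],
     "keywords": ["sharing", "external"], "severity": "medium",
     "evidence_type": "screenshot"},
    {"framework": "CIS", "benchmark": "M365 Foundations", "version": "5.0.0",
     "control_id": "7.2.8", "instructions": ["Open the admin center"],
     "keywords": ["sharing"], "severity": "medium", "evidence_type": "screenshot"},
]

def validate(t: dict) -> List[str]:
    """Return the problems found; an empty list means the template is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in t]
    if problems:
        return problems
    if not t["instructions"]:
        problems.append("no auditor instructions")
    if not t["keywords"]:
        problems.append("empty keyword list, nothing to score confidence on")
    return problems

def composite_key(t: dict) -> Key:
    """The (framework, benchmark, version, control_id) tuple from the review."""
    return (t["framework"], t["benchmark"], t["version"], t["control_id"])

def control_id_key(t: dict) -> Key:
    """The control_id-only key the reviewer rejected."""
    return (t["control_id"],)

def index_templates(templates: List[dict], key_fn: Callable[[dict], Key]):
    """Index well-formed templates by key_fn; any collision means the key is not unique enough."""
    index, collisions = {}, []
    for t in templates:
        if validate(t):
            continue  # seeding should reject malformed rows rather than store them
        k = key_fn(t)
        if k in index:
            collisions.append(k)
        index[k] = t
    return index, collisions
```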

@Ashjani
Collaborator Author

Ashjani commented May 17, 2026

Added two new docs

  • manual_control_classification.md, which explains why each of the 14 controls
    cannot be automated, with a control register table and notes flagging
    7.2.8 and 9.1.1-9.1.12 as automation candidates
  • confidence_threshold_justification.md, which justifies the severity-adjusted
    thresholds used by the confidence scoring algorithm, with the connection
    back to the Risk Matrix

@Ashjani Ashjani closed this May 17, 2026
@Ashjani Ashjani reopened this Jun 1, 2026
@github-actions
Contributor

github-actions Bot commented Jun 1, 2026

Preview Environment

A preview environment can be spun up on demand for this PR.

Action                      Label                 Includes
Spin up preview             deploy-preview        Frontend, backend, database, Redis, OPA, worker
Spin up preview with M365   deploy-preview-m365   Everything above + PowerShell service for Exchange/Teams scan testing
Tear down preview           teardown-preview      Stops the environment early

The environment will also be torn down automatically when the PR is closed or merged.
Preview URLs will appear in a follow-up comment once the deploy completes (~5–8 min).
M365 scans require real tenant credentials added through the frontend UI.
