CMMC Level 2 · NIST 800-171 r3 · DoD CUI

CMMC Power BI Reporting: Built by an RPO, Not Guessed at by a BI Shop

Petronella Technology Group, Inc. is CMMC Registered Provider Organization #1449. We build Power BI reporting for Department of Defense contractors three ways: GCC High when CUI flows through the semantic model, a Petronella encrypted enclave with de-identified Power BI when the CUI footprint is small, or Power BI Report Server on-premises when the client wants in-boundary BI without GCC High. Then ComplianceArmor® auto-generates the evidence package so your assessor sees a clean control trail.

RPO #1449 · Cyber AB Registered · 4 CMMC-RP staff on bench · Since 2002 · BBB A+ · Raleigh, NC · serving US DoD supply chain

Direct answer
Can Power BI be used for CMMC Level 2 reporting?

Yes, with the right architecture. Power BI is a Microsoft SaaS product. Where the Controlled Unclassified Information (CUI) actually lives inside the BI pipeline determines which architecture you need. If CUI rows live in the Power BI semantic model, the Power BI tenant must be in GCC High. If CUI stays in an encrypted enclave and only aggregates or de-identified extracts reach Power BI, commercial Power BI is acceptable. And if a prime mandates that BI never leaves the assessor-scoped boundary, Power BI Report Server on-premises is the third option. Petronella Technology Group, Inc. selects the right pattern during the Phase 1 gap analysis, and never sells the wrong one to win a deal.

Most BI shops do not understand the CMMC scoping question, and most CMMC consultants do not understand Power BI architecture. Petronella Technology Group, Inc. is the rare provider that does both: a Cyber AB Registered Provider Organization (RPO #1449) with four CMMC Registered Practitioners on staff, Microsoft data platform experience since 2002, and a fleet of private AI infrastructure for sensitive analytics workloads where Microsoft Copilot is not acceptable.

This page walks through the three architectural patterns, maps each NIST SP 800-171 r3 control that touches Power BI, lists the assessor findings we see most often in the field, and gives you the Phase 1 gap-analysis checklist that Petronella Technology Group runs on every new engagement.

Request a fixed-fee CMMC Power BI gap analysis. A Petronella Technology Group Lead vCISO and one of our CMMC-RP practitioners will return a recommended pattern, scoped backlog, and ComplianceArmor® evidence package within two to four weeks.

Request a Quote

Architecture

The 3-pattern Power BI decision tree for CMMC Level 2

Every Power BI deployment that touches Department of Defense work fits one of three patterns. Choosing the wrong one wastes six figures or fails the next assessment. Petronella Technology Group, Inc. uses this matrix on every Phase 1 gap analysis.

Pattern A

GCC High Power BI

When: CUI flows through the Power BI semantic model. Primes that explicitly require Microsoft FedRAMP High lineage. Multi-tier DoD supply chains where the BI surface area is broad and CUI segregation is impractical.

Power BI tier: GCC High Premium or Microsoft Fabric in GCC High

Implementation tier: Foundation through Enterprise scope. Request a Quote; pricing depends on tenant provisioning, data source count, and dashboard scope.

  • Entra ID (Azure AD) in GCC High
  • On-Premises Data Gateway in GCC High mode
  • Microsoft Information Protection labels mandatory
  • Private Link for restricted-VNet access

Pattern B

Encrypted enclave + de-identified Power BI

When: Small CUI footprint. Analytics need is for management dashboards on aggregates or de-identified data. SMB defense suppliers who cannot justify GCC High licensing for a thin BI use case.

Power BI tier: Commercial Power BI Pro or Premium per User

Implementation tier: Foundation scope with CUI-handling layer. Request a Quote.

  • CUI lives at rest in the Petronella encrypted data and email system
  • De-identification + aggregation extract layer
  • Boundary diagram explicitly excludes Power BI from CUI scope
  • Acceptable Use Policy blocks raw CUI from BI publish

Pattern C

Power BI Report Server on-premises

When: Client wants BI inside the assessor-scoped boundary without GCC High. Prime contract clauses block external SaaS for BI. Row-level CUI is acceptable because BI never leaves the boundary.

Power BI tier: Power BI Report Server (on-prem or in Petronella-managed enclave)

Implementation tier: Foundation through Enterprise. Request a Quote; pricing depends on infrastructure scope.

  • Power BI Premium per User license required for Report Server
  • No Copilot, no Fabric, no native cloud features
  • Longer release cycles, more hardening work
  • Compatible with air-gapped or restricted-egress environments

Important: an encrypted enclave does not turn commercial Power BI into a CUI-capable platform. It moves the CUI handling layer outside Power BI. The Petronella encrypted data and email system is the CUI vault in Pattern B; it is complementary to GCC High in Pattern A; and it is the document and email layer alongside Pattern C. We see this misunderstood often enough that it is worth repeating. See the full CMMC data-protection page for the encrypted-system breakdown.

Controls

NIST SP 800-171 r3 controls Power BI must satisfy

The CMMC Level 2 assessment walks the NIST SP 800-171 revision 3 access-control family against your Power BI configuration. Petronella Technology Group, Inc. maps each control to a concrete Power BI implementation requirement and an evidence artifact maintained by ComplianceArmor®. The table below is the working reference our practitioners use during gap analysis.

Control ID | Control name | Power BI implementation requirement
3.1.1 | Account Management | Use Entra ID (Azure AD) with MFA. Disable local accounts.
3.1.2 | Account Monitoring | Enable Audit Logs in Power BI and Microsoft 365. Forward to SIEM.
3.1.3 | Access Enforcement | Implement Row-Level Security (RLS) and Object-Level Security (OLS). Enforce least privilege.
3.1.4 | Access Control | RBAC in Power BI workspaces. No shared accounts.
3.1.5 | Audit Records | Enable Power BI Activity Logs. Retain for 1 year or longer.
3.1.6 | Configuration Management | Use Power BI Deployment Pipelines. Version control for PBIX files.
3.1.7 | System and Communications Protection | Use HTTPS/TLS 1.2 or higher. No "Publish to Web."
3.1.8 | System and Communications Protection | Encrypt data at rest (Microsoft handles this in GCC High; AES-256).
3.1.9 | System and Communications Protection | Use Service Principals (with certificate auth) for automated tasks, not user credentials.
3.1.10 | System and Communications Protection | Microsoft Information Protection (MIP) sensitivity labels applied to all datasets and reports.
3.1.11 | System and Communications Protection | Regular review of workspace memberships.
3.1.12 | System and Communications Protection | Disable "Allow users to connect to Power BI" tenant features that are not needed.
3.1.13 | System and Communications Protection | Use Azure Private Link for Power BI to restrict access to specific VNets.
3.1.14 | System and Communications Protection | Ensure On-Premises Data Gateways are patched and secured.
3.1.15 | System and Communications Protection | Regularly review and revoke unused access. Run quarterly access reviews on workspace roles.

Source: NIST SP 800-171 r3 access-control family. The control table above reflects how Petronella Technology Group, Inc. maps the requirements to Power BI configuration during gap analysis. Implementation specifics vary by deployment pattern (A, B, or C).

Field experience

Common CMMC assessor findings against Power BI deployments

Petronella Technology Group, Inc. has seen the same five Power BI findings repeat across DoD supplier engagements. Each one is preventable. Most are configurable in under a day once identified. None of them appear in a Microsoft licensing brochure, which is why your next assessment should be preceded by a CMMC-RP review, not by a Microsoft Solutions Partner who only sells licenses.

1. "Publish to Web" enabled at tenant level

Even if no report has actually been published publicly, leaving the tenant feature enabled means a single workspace admin can leak a CUI-bearing dashboard to the open internet. Disable at the tenant-settings level and document the change as evidence under 3.1.7.

2. Broad Row-Level Security with admin bypass

Power BI workspace admins and tenant admins bypass RLS by default. If your "BI admin" group has 12 members and 10 of them do not have a clearance reason to view CUI rows, that is a finding. Dynamic RLS plus a narrow admin group is the fix.

3. No audit log forwarding to a SIEM

The Power BI Activity Log defaults to a 6-month retention. CMMC Level 2 expects at least 1 year, and many primes require longer. Forwarding Power BI logs to Microsoft Sentinel (or an external SIEM) satisfies 3.1.5 and gives you the cross-correlation an assessor wants to see.
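Forwarding the Activity Log only pays off if something correlates it. The following is an added example (not Petronella's or Microsoft's code) of the kind of rules a SIEM would run over Power BI activity events for findings 1 and 3 above; it assumes the activity-log field names and activity values named in the docstring, and the events are constructed.

```python
"""Correlation rules for Power BI activity events (added example, not
Petronella tooling). Assumes the activity-log field names Activity, UserId,
ClientIP, CreationTime, WorkSpaceName, ReportName and the activity values
PublishToWebReport, ExportReport, UpdatedAdminFeatureSwitch; events are constructed."""
import ipaddress
import json
from collections import Counter

# Assumed corporate / Private Link egress ranges; anything else counts as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]
EXPORT_BURST = 3  # exports by one user in the pulled window that warrant review

# Constructed sample: one day's events as newline-delimited JSON, as a SIEM would ingest.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"CreationTime": "2025-03-04T09:02:11Z", "Activity": "ViewReport", "UserId": "analyst@contoso.example",
     "ClientIP": "10.4.1.22", "WorkSpaceName": "Contracts", "ReportName": "Delivery Status"},
    {"CreationTime": "2025-03-04T09:15:40Z", "Activity": "PublishToWebReport", "UserId": "biadmin@contoso.example",
     "ClientIP": "10.4.1.9", "WorkSpaceName": "Contracts", "ReportName": "Delivery Status"},
    {"CreationTime": "2025-03-04T10:01:03Z", "Activity": "UpdatedAdminFeatureSwitch", "UserId": "biadmin@contoso.example",
     "ClientIP": "10.4.1.9", "WorkSpaceName": "", "ReportName": ""},
    {"CreationTime": "2025-03-04T22:40:00Z", "Activity": "ExportReport", "UserId": "contractor@partner.example",
     "ClientIP": "203.0.113.7", "WorkSpaceName": "Contracts", "ReportName": "Parts Ledger"},
    {"CreationTime": "2025-03-04T22:41:12Z", "Activity": "ExportReport", "UserId": "contractor@partner.example",
     "ClientIP": "203.0.113.7", "WorkSpaceName": "Contracts", "ReportName": "Vendor List"},
    {"CreationTime": "2025-03-04T22:43:55Z", "Activity": "ExportReport", "UserId": "contractor@partner.example",
     "ClientIP": "203.0.113.7", "WorkSpaceName": "Contracts", "ReportName": "Delivery Status"},
])


def is_corporate(ip):
    """True when the client address falls inside the assumed corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORP_NETS)


def correlate(ndjson_text):
    """Return alerts, each tagged with the control ID from the page's mapping table."""
    events = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    alerts, exports = [], Counter()
    for ev in events:
        act, who, item = ev.get("Activity", ""), ev.get("UserId", "?"), ev.get("ReportName")
        if act == "PublishToWebReport":
            # Any public publish is a finding whether or not the link was ever used (3.1.7).
            alerts.append({"rule": "publish_to_web", "control": "3.1.7", "user": who, "item": item})
        elif act == "UpdatedAdminFeatureSwitch":
            # Tenant-setting changes must be reconciled against the documented baseline (3.1.12).
            alerts.append({"rule": "tenant_setting_changed", "control": "3.1.12", "user": who, "item": item})
        elif act == "ExportReport":
            exports[who] += 1
            if not is_corporate(ev.get("ClientIP", "")):
                # Export from outside the Private Link / corporate ranges (3.1.13).
                alerts.append({"rule": "export_from_external_ip", "control": "3.1.13", "user": who, "item": item})
    for who, n in exports.items():
        if n >= EXPORT_BURST:
            # Many exports by one identity in the window: review for bulk download (3.1.2).
            alerts.append({"rule": "export_burst", "control": "3.1.2", "user": who, "item": f"{n} exports"})
    return alerts
```

Running `correlate(SAMPLE_NDJSON)` on the constructed day yields six alerts: the public publish, the tenant-setting change, three external-IP exports and one export burst for the same contractor identity.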

4. Service principal sprawl

App Registrations accumulate when developers ship Power BI Embedded prototypes, Fabric pipelines, or refresh automation. Many are forgotten. Service Principals with broad workspace permissions and aging secrets are a credential-management finding under 3.1.9. Move to certificate authentication and prune unused App Registrations quarterly.

5. Missing or unapplied MIP sensitivity labels

If a dataset contains CUI but is unlabeled, your DLP policies cannot enforce export controls and your Purview lineage record looks empty during the assessment. Sensitivity labels under MIP must be configured at the tenant level and applied at the dataset and report level. We see one but not the other constantly.

Additional findings we encounter frequently: weak MFA policies (SMS-only), unpatched On-Premises Data Gateways, hardcoded credentials in Power Query M scripts, missing Deployment Pipelines, broad Workspace Admin group membership, no refresh-failure monitoring, and Copilot enabled against CUI-labeled datasets without DLP enforcement. The Petronella Technology Group Power BI gap analysis sweeps all of them.

Phase 1

CMMC Power BI Phase 1 gap-analysis checklist

This is the same checklist Petronella Technology Group, Inc. delivers as the Phase 1 artifact on every CMMC Power BI engagement. Use it as a self-assessment before you call us, or as the specification for the engagement itself. Each item maps to one or more NIST 800-171 r3 controls.

  • Tenant placement. Tenant is GCC High (if DoD CUI flows through Power BI), or pattern selection documented for B or C.
  • MFA. Multi-factor authentication enforced for all users with access to BI assets. SMS-only MFA disabled.
  • Sensitivity labels. MIP labels configured at tenant level and applied to every dataset, report, and dashboard.
  • Purview DLP policies. Power BI flows covered by DLP. Restricted-label datasets blocked from Copilot if Copilot is enabled.
  • Audit log forwarding. Power BI and Microsoft 365 audit logs forwarded to a SIEM with retention of 1 year or longer.
  • Private Link. Azure Private Link enabled for tenant access from corporate networks; public internet access restricted.
  • Service Principal hygiene. All service principals use certificate-based authentication. Quarterly cleanup of unused App Registrations.
  • Publish-to-Web disabled. Tenant-level feature off. Documented as evidence.
  • External sharing restricted. External sharing disabled, or restricted to a documented allowlist of partner domains.
  • Workspace role hygiene. Each workspace has documented Admin / Member / Contributor / Viewer membership with quarterly review.
  • Row-Level Security. Dynamic RLS implemented on every dataset that holds sensitive rows. Admin bypass documented and minimized.
  • Deployment pipelines. Dev / Test / Prod deployment pipeline configured with separation of duties between developer and approver.
  • Gateway posture. On-Premises Data Gateway patched, monitored, and on a hardened host.
  • Boundary documentation. Network and SaaS boundary diagram includes Power BI explicitly. CUI flow arrows are correct.
  • Evidence artifacts. Power BI AUP, Data Classification Policy, BI SOP, and RBAC matrix exist and are kept current. (ComplianceArmor® generates and maintains these.)
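To show how the checklist above and the five findings in the previous section turn into a scored self-assessment, here is an added example (not ComplianceArmor® or Petronella tooling). It evaluates a hand-built tenant snapshot, whose layout is an assumption, against the checklist items and tags each failure with the control ID from the mapping table on this page; the sample snapshot is constructed.

```python
"""Score a Power BI tenant snapshot against the Phase 1 checklist (added example,
not ComplianceArmor or Petronella tooling). The snapshot layout is an assumption:
a hand-built summary of tenant settings, MFA policy, workspaces, datasets, app
registrations and gateways; the sample below is constructed, and control IDs
follow the page's mapping table."""
from datetime import date, timedelta

TODAY = date(2025, 3, 4)          # pinned so the sample scores the same every run
MAX_WORKSPACE_ADMINS = 3          # assumed ceiling for the RLS-bypassing admin group
SECRET_WARN_DAYS, UNUSED_SP_DAYS, MIN_LOG_RETENTION_DAYS = 30, 90, 365
CHECKS = ["publish_to_web_disabled", "external_sharing_restricted", "mfa", "audit_log_retention",
          "workspace_role_hygiene", "sensitivity_labels", "row_level_security",
          "service_principal_hygiene", "gateway_posture"]

SAMPLE_SNAPSHOT = {
    "tenant_settings": {"PublishToWebReport": False, "ExternalSharing": True,
                        "ExternalSharingAllowlist": ["prime.example"]},
    "mfa": {"enforced": True, "sms_allowed": True},
    "audit_log_retention_days": 180,
    "workspaces": [
        {"name": "Contracts", "admins": ["a@x", "b@x", "c@x", "d@x"],
         "datasets": [{"name": "Deliveries", "label": "CUI", "dynamic_rls": True},
                      {"name": "Vendors", "label": None, "dynamic_rls": False}]},
        {"name": "Finance-Aggregates", "admins": ["a@x"],
         "datasets": [{"name": "KPIs", "label": "Internal", "dynamic_rls": True}]},
    ],
    "app_registrations": [
        {"name": "refresh-bot", "auth": "certificate", "expires": "2025-12-01", "last_used": "2025-03-03"},
        {"name": "embed-poc", "auth": "secret", "expires": "2025-03-20", "last_used": "2024-10-15"},
    ],
    "gateways": [{"name": "gw-01", "patched": True}, {"name": "gw-02", "patched": False}],
}


def audit(snap):
    """Return (check, control, detail) tuples for every failed item; empty means clean."""
    fails, ts, mfa = [], snap["tenant_settings"], snap["mfa"]
    if ts.get("PublishToWebReport"):
        fails.append(("publish_to_web_disabled", "3.1.7", "tenant feature is on"))
    if ts.get("ExternalSharing") and not ts.get("ExternalSharingAllowlist"):
        fails.append(("external_sharing_restricted", "3.1.4", "sharing on with no partner allowlist"))
    if not mfa["enforced"] or mfa["sms_allowed"]:
        fails.append(("mfa", "3.1.1", "MFA not enforced for all users or SMS still allowed"))
    if snap["audit_log_retention_days"] < MIN_LOG_RETENTION_DAYS:
        fails.append(("audit_log_retention", "3.1.5", f"{snap['audit_log_retention_days']} days < 365"))
    for ws in snap["workspaces"]:
        if len(ws["admins"]) > MAX_WORKSPACE_ADMINS:   # every admin bypasses RLS (finding 2)
            fails.append(("workspace_role_hygiene", "3.1.11", f"{ws['name']}: {len(ws['admins'])} admins"))
        for ds in ws["datasets"]:
            if not ds["label"]:
                fails.append(("sensitivity_labels", "3.1.10", f"{ds['name']} has no MIP label"))
            if ds["label"] == "CUI" and not ds["dynamic_rls"]:
                fails.append(("row_level_security", "3.1.3", f"{ds['name']} lacks dynamic RLS"))
    for sp in snap["app_registrations"]:
        if sp["auth"] != "certificate":
            fails.append(("service_principal_hygiene", "3.1.9", f"{sp['name']} uses a client secret"))
        if date.fromisoformat(sp["expires"]) - TODAY <= timedelta(days=SECRET_WARN_DAYS):
            fails.append(("service_principal_hygiene", "3.1.9", f"{sp['name']} credential expires soon"))
        if TODAY - date.fromisoformat(sp["last_used"]) > timedelta(days=UNUSED_SP_DAYS):
            fails.append(("service_principal_hygiene", "3.1.9", f"{sp['name']} unused, candidate to prune"))
    for gw in snap["gateways"]:
        if not gw["patched"]:
            fails.append(("gateway_posture", "3.1.14", f"{gw['name']} is behind on patches"))
    return fails


def score(snap):
    """Fraction of checklist items with no failure, for the scored Phase 1 deliverable."""
    failed = {f[0] for f in audit(snap)}
    return round(1 - len(failed) / len(CHECKS), 2)
```

On the constructed snapshot, `audit` returns eight failures across six of the nine checks (SMS MFA, 180-day log retention, a four-member admin group, an unlabeled dataset, a secret-based and stale app registration, and an unpatched gateway), so `score` comes out at 0.33.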

Want the checklist as a deliverable, scored against your tenant? Petronella Technology Group, Inc. runs the full gap analysis as a fixed-fee engagement. We deliver the scored checklist, recommended pattern (A, B, or C), and the ComplianceArmor® evidence package.

Request a Quote

Evidence automation

ComplianceArmor® auto-generates your Power BI evidence package

The work that wastes weeks on most CMMC Power BI engagements is not the technical configuration; it is producing the policies, procedures, and evidence artifacts the assessor will ask for. ComplianceArmor®, the Petronella Technology Group compliance documentation platform, generates and maintains these artifacts automatically and maps each one to NIST SP 800-171 r3.

For a Power BI engagement, ComplianceArmor® produces and maintains:

  • Power BI Acceptable Use Policy: what users can and cannot publish, share, or download from Power BI assets. Calls out the prohibition on "Publish to Web" for CUI-labeled datasets.
  • Data Classification Policy: defines CUI, FCI, and internal sensitivity levels, and the MIP labels that correspond to each.
  • Business Intelligence Standard Operating Procedure: how Power BI changes move from dev to test to prod, who can approve a deployment, and how rollback works.
  • Role-Based Access Control Matrix: every Power BI workspace and dataset mapped to the user roles that may access it, the role's clearance basis, and the review cadence.
  • Service Principal Inventory: full list of App Registrations with their purpose, owner, secret/certificate expiration, and last-used date.
  • Power BI Tenant Settings Baseline: documented configuration of every tenant setting that the assessor will check, with screenshots and change history.
  • Audit log retention and forwarding standard: where Power BI logs go, retention windows, and the SIEM correlation rules that trigger on anomalous activity.

Every artifact is mapped to NIST SP 800-171 r3 control IDs and refreshed whenever your tenant configuration changes. When the assessor asks "show me the evidence for 3.1.10," your answer is one click in ComplianceArmor®, not a frantic week of policy-writing.

Why Petronella

CMMC Power BI: how Petronella Technology Group compares

Most CMMC Power BI conversations are a forced choice between BI specialists who do not understand the DoD scoping rules and CMMC consultants who do not know what a semantic model is. Petronella Technology Group, Inc. is rare in covering both.

Capability | Petronella Technology Group, Inc. | Generic Power BI shop | CMMC-only consultancy
CMMC RPO accreditation | RPO #1449 (Cyber AB) | None | RPO (varies)
CMMC Registered Practitioners on staff | Four (Craig, Blake Rea, Justin Summers, Jonathan Wood) | None | 1-2
Power BI delivery experience | Yes, since the platform shipped | Yes | No
GCC High experience | Yes, Petronella CMMC Compliance Enclave Hosting Package | No | Partial
Encrypted enclave for CUI at rest | Petronella encrypted data and email system | No | No
Auto-generated evidence package | ComplianceArmor® | No | Manual
Private AI for sensitive BI workloads | Penny on Petronella fleet LLMs | Copilot only | None
vCISO continuity post-engagement | Lead vCISO Blake Rea | No | Yes, varies

Cross-sell

CMMC Power BI sits inside a larger Petronella engagement

If you have a CMMC Power BI scope, you almost certainly also have CMMC Level 2 readiness work, ongoing governance, and a security operations footprint to keep watching the boundary. Petronella Technology Group, Inc. delivers all of it under one roof. Pricing is by request for every line below.

Foundation

Full CMMC Level 2 readiness

Full gap analysis, System Security Plan (SSP), Plan of Action & Milestones (POA&M), control remediation, and pre-assessment dry run. Power BI is one workload inside the larger boundary.

CMMC compliance →

Governance

Petronella vCISO

Lead vCISO Blake Rea runs monthly executive risk briefings, control owner cadence, vendor reviews, and incident response readiness. Power BI is a recurring agenda item.

Talk to Petronella Technology Group →

Detection

Petronella XDR

Extended detection and response across endpoints, identity, and cloud. Picks up the anomalies that Power BI audit-log review alone would not catch.

Petronella XDR →

Documentation

ComplianceArmor®

The compliance documentation platform that produces and maintains your Power BI evidence package and the underlying CMMC artifacts. Subscription model.

ComplianceArmor® →

FAQ

Frequently asked questions about CMMC Power BI reporting

Can Power BI be used for CMMC Level 2 reporting?

Yes, but only with the right architecture. Power BI is a Microsoft SaaS service. If Controlled Unclassified Information (CUI) flows through the Power BI semantic model, the Power BI tenant must be provisioned in Microsoft GCC High to maintain the FedRAMP High lineage that DoD CMMC Level 2 expects. If CUI does not flow through Power BI directly (for example, only aggregates or de-identified rows reach it), BI can run in commercial Power BI behind an encrypted enclave (Pattern B). A third option is Power BI Report Server on-premises (Pattern C). Petronella Technology Group, Inc. selects the pattern during the Phase 1 gap analysis.

Does an encrypted enclave replace GCC High for Power BI when CUI is in the model?

No. The Petronella encrypted data and email system is a CUI handling layer for email and document storage. It does not change the Microsoft Power BI service tenant. If the Power BI semantic model holds rows of CUI, the Power BI service itself must be in GCC High. The encrypted enclave is part of Pattern B and Pattern C; it does not turn commercial Power BI into a CUI-capable platform.

What is the difference between GCC, GCC High, and commercial Power BI for CMMC?

Commercial Power BI is the default tenant used by most businesses and is not authorized for DoD CUI. GCC is the Government Community Cloud for state and local government workloads; it is generally not the answer for DoD CMMC Level 2. GCC High is the FedRAMP High lineage tenant required for DoD contractors handling CUI. The Power BI service, Entra ID (Azure AD), and the data gateway must all be provisioned in GCC High when CUI flows through the BI pipeline.

What NIST 800-171 controls does Power BI specifically touch?

The CMMC Level 2 audit looks at NIST SP 800-171 r3 controls 3.1.1 through 3.1.15 as they apply to Power BI: account management, audit record monitoring, access enforcement, separation of duties, audit records, configuration management, TLS in transit, encryption at rest, service principal hygiene, MIP sensitivity labels, workspace membership review, feature governance, Private Link, gateway patching, and access review and revocation. See the control mapping table above for the full list.

What is the most common CMMC assessor finding against a Power BI deployment?

The five most common are: Publish to Web is enabled at the tenant level even if not actively used, broad Row Level Security roles where workspace admins silently bypass RLS, no audit log forwarding to a SIEM, service principal sprawl with unused App Registrations holding broad permissions, and missing Microsoft Information Protection sensitivity labels on datasets that contain CUI.

Does Petronella Technology Group operate its own GCC High tenant?

Petronella Technology Group, Inc. is a CMMC Registered Provider Organization (RPO #1449) and operates a CMMC Compliance Enclave Hosting Package for clients who need Microsoft 365 GCC High provisioning, identity, and managed BI inside the FedRAMP High boundary. For clients who do not require GCC High Power BI (Pattern B or Pattern C), we use the Petronella encrypted enclave for CUI handling and keep BI on commercial Power BI or on-premises Report Server.

What does Pattern B (encrypted enclave + de-identified Power BI) actually look like?

CUI lives at rest inside the Petronella encrypted data and email system. A controlled extract layer prepares aggregates, counts, anonymized identifiers, and de-identified rows. That extract feeds commercial Power BI for management dashboards. The CUI itself never enters Power BI. This is the right pattern for small DoD suppliers with a limited CUI footprint who want analytics on non-CUI metrics without provisioning GCC High.

What about Power BI Report Server on-premises?

Power BI Report Server is the on-premises version of Power BI. It runs entirely inside the client boundary or inside a Petronella-managed enclave. Row-level CUI is acceptable because the rows never leave the assessor-scoped boundary. The tradeoffs are no Copilot, no Fabric features, more infrastructure to harden, and longer release cycles. This is the right pattern for primes that mandate in-boundary BI without GCC High. Power BI Report Server requires a Power BI Premium per User license.

How does ComplianceArmor® help with Power BI evidence?

ComplianceArmor® generates and maintains the Power BI Acceptable Use Policy, the Data Classification Policy, the Business Intelligence Standard Operating Procedure, the Role Based Access Control matrix, the Service Principal inventory, the tenant settings baseline, and the audit-log retention standard. Each artifact is mapped to NIST 800-171 r3 controls and refreshed as your configuration changes.

How long does a CMMC Power BI engagement take?

A Phase 1 gap analysis and pattern selection runs two to four weeks. Pattern B and Pattern C implementations run four to ten weeks depending on data source count and dashboard scope. Pattern A (GCC High) timelines also depend on Microsoft-side tenant provisioning, which is largely outside of Petronella Technology Group's control and varies from four to twelve weeks. We typically run gap analysis in parallel with provisioning so no calendar time is wasted.

Can you support clients pursuing CMMC Level 3?

Yes. Level 3 layers NIST SP 800-172 enhanced security requirements on top of Level 2. For Power BI that means stronger separation, narrower service principal posture, formalized supply chain risk handling for connectors and gateways, and tighter audit log retention windows. Our team has published a detailed walkthrough of the final NIST SP 800-172 revision 3 on the Petronella blog and incorporates those controls into Level 3 Power BI scoping. See our NIST 800-172 r3 deep dive.

What is the next step?

Request a quote. Petronella Technology Group, Inc. will schedule a thirty-minute scoping call, confirm whether your Power BI workload needs Pattern A, B, or C, and provide a fixed-fee proposal for the gap analysis. From there we agree on the implementation pattern, run the Phase 1 deliverables, and move into pattern build-out with ComplianceArmor® evidence generation from day one.

About the practitioners

Who delivers your CMMC Power BI engagement

Petronella Technology Group, Inc. is a CMMC Registered Provider Organization (RPO #1449) and one of the few firms in the Southeast with four CMMC Registered Practitioners on staff. The firm has delivered IT, cybersecurity, and compliance work for North Carolina and US clients since April 2002.

Craig Petronella: Founder & Executive Sponsor

Craig is the founding principal of Petronella Technology Group, Inc. He holds the CMMC Registered Practitioner (CMMC-RP) designation from The Cyber AB, Cisco CCNA, Certified Wireless Network Expert (CWNE), Hubbell Certified, Digital Forensic Examiner License 604180-DFE, and an MIT Sloan certificate in AI Implications for Business Strategy. He is the #1 Amazon Best-Selling Author of 14+ cybersecurity books, including titles on HIPAA, CMMC, and protecting law firms and businesses from hackers. Craig is the executive sponsor for CMMC engagements and the senior escalation point for client leadership on strategy and risk.

CMMC-RP · CCNA · CWNE · DFE #604180 · MIT Sloan AI · BBB A+ since 2002

The CMMC Registered Practitioner bench

Day-to-day delivery of your CMMC Power BI engagement is led by our CMMC-RP bench, with Blake Rea as Lead vCISO and senior practitioner-of-record:

Blake Rea CMMC-RP · Lead vCISO & Senior Compliance Practitioner
Justin Summers CMMC-RP · Senior Compliance Practitioner
Jonathan Wood CMMC-RP · Senior Compliance Practitioner
Craig Petronella CMMC-RP · Founder & Executive Sponsor

Meet the full Petronella Technology Group team → · Read Craig's full bio →


Ready to put Power BI to work?

Tell us what you need. Blake or Craig replies within 4 business hours, often sooner.

Ready to scope your CMMC Power BI reporting the right way?

Petronella Technology Group, Inc., RPO #1449, four CMMC-RP practitioners, ComplianceArmor® evidence automation. Twenty-three years building secure, compliant IT for North Carolina and US clients.

Request a Quote