The shift from CSV (Computer System Validation) to CSA (Computer Software Assurance) is focused on a risk-based approach to software assurance, with a greater emphasis on the risks associated with the use of software rather than the validation of the software itself.
For commercial off-the-shelf software (COTS) like Office 365, if you are using it out of the box without any customization or alteration, you do not need to validate the software. However, you still need to assess the risks associated with its use and ensure that appropriate controls are in place to mitigate those risks.
As you mentioned, you can conduct a risk assessment to determine the level of risk associated with using the software, and based on the results, you can establish appropriate controls to manage those risks. This may include controls such as access controls, data backup and recovery procedures, and regular security updates.
It is also important to ensure that you have a clear understanding of the vendor’s security and compliance practices, as well as any contractual obligations regarding data privacy and security.
Overall, while you do not need to validate off-the-shelf software like Office 365, you still need to assess the risks associated with its use and implement appropriate controls to mitigate those risks.