CISA (Cybersecurity and Infrastructure Security Agency) has unveiled Version 1.0 of its Secure Configuration Baselines for Microsoft 365 (M365) as part of the Secure Cloud Business Applications (SCuBA) project. The initiative aims to elevate the federal government’s baseline for email and cloud environments by optimizing security capabilities within widely used products. These baselines, refined through engagement with partners and pilot projects, provide easily adoptable policy configuration recommendations tailored to each agency’s unique requirements and risk tolerance levels.
CISA also introduced the ScubaGear assessment tool to help organizations rapidly assess their M365 services against recommended policies, receiving positive feedback and over 4,000 downloads since its launch. After a year of coordination, technical support, and comment adjudication, CISA published seven M365 Secure Configuration Baselines, covering Microsoft Teams, Defender for Office 365, Power Platform, Azure Active Directory, Power BI, SharePoint Online, OneDrive for Business, and Exchange Online. Version 1.0 incorporates over 100 modifications to the initial draft and nearly 50 enhancements to the ScubaGear tool, improving user experience and reliability.
The final baselines differ significantly from the draft, with notable improvements including the integration of SharePoint and OneDrive baselines for usability, optimized baselines for assessment purposes, and enhanced focus on practical application and communication to drive progress and elevate cybersecurity. CISA acknowledges the collaborative efforts of government partners, early adopters, industry partners, and the Microsoft M365 team in shaping Project SCuBA. The deliberate design of the project as collaborative, inclusive, and public underscores its commitment to supporting users in enhancing their cybersecurity posture. The release represents a milestone in CISA’s ongoing commitment to improving the security of federal agencies’ email and cloud environments.