Enhancing Security with CISA’s ScubaGear Baselines for M365

In today’s digital age, protecting your organization’s information is more important than ever. The Cybersecurity and Infrastructure Security Agency (CISA) has launched a program called Secure Cloud Business Application (SCuBA). In response to Sorigate 2020, the program identified common cybersecurity gaps that negatively impact organizational risk. One of the main objectives of the project is to provide guidance for improving the security posture of cloud environments.

The SCuBA program provides a valuable assessment tool called ScubaGear, which provides reports to help you strengthen your Microsoft 365 environment. Microsoft worked with CISA to create and maintain security configuration baselines for ScubaGear, as well as a PowerShell script tool to scan M365 environments. This tool is intended to better protect against common misconfigured settings that allow attackers to move laterally into cloud environments, access data, or remain undetected. CISA sought a mechanism to verify security configurations in any organization’s M365 cloud environment. Thus the ScubaGear tool was born.

The CISA and Microsoft partnership within the SCuBA program provides an integrated approach to cloud application security and promotes the sharing of best practices and threat intelligence as organizations work to better secure their environments. This post focuses on the benefits of M365 hardening and outlines some important steps to follow when using ScubaGear to scan and provide reports to help you find security settings that improve your tenant’s security posture.

What is scuba gear?

ScubaGear is designed to identify weak security configurations in cloud-based business applications used by federal agencies, but can be leveraged by any organization.. ScubaGear provides comprehensive guidance and standards to help cloud environments meet security requirements. This includes best practices for configuration management and monitoring your environment. A basic implementation guide can be found here: Secure Cloud Business Application (SCuBA) Project | CISA.

PowerShell source code and downloads for the tool can be found here: GitHub – cisagov/ScubaGear: Automated assessment of M365 tenant health against CISA criteria…. For easier installation, see the PowerShell Gallery (https://www.powershellgallery.com/packages/ScubaGear/1.3.0) Start your scanning journey (Installation-Module-Name ScubaGear). Installing and running the tool provides the ability to perform a security assessment of your cloud environment through PowerShell and Open Policy Agent to ensure compliance with implementation guides. Combining PowerShell and Open Policy Agent allows anyone to verify compliance with the latest ScubaGear standards through a means of automatically comparing the tool’s output to CISA standards.

Flowchart showing the process for testing Microsoft 365 setup using PowerShell and OPA, ending with a final report. Source: CISA GitHub repository, ScubaGear.

This tool was created to help organizations comply with various security regulations and policies. This aligns with federal mandates and frameworks and helps ensure systems meet security standards. A report is generated showing where your organization has appropriately strengthened the necessary security controls. This tool may be aligned with other security frameworks, but that alignment is not complete. Although not all of the tool’s suggestions may meet every organization’s risk posture or preferences, the tool provides valuable insight and information about the current security state of your infrastructure.

Benefits of Hardening Microsoft 365

Hardening your Microsoft 365 environment can help organizations protect their data from potential threats. Implementing strong security measures provides the following benefits:

• Enhances data protection and privacy.
• Reduces the risk of unauthorized access.
• Improve compliance with industry standards and regulations.
• Improvements are made when logging.

Key services identified by ScubaGear

ScubaGear checks several important settings across a variety of Microsoft services and provides recommended changes aimed at building more comprehensive security controls. Includes key settings for the following services:

• Entra ID: Enforce secure identity management and access controls, such as conditional access.
• defender: Provides advanced threat prevention, data loss prevention (DLP), and real-time monitoring settings.
• online exchange: Look for phishing settings and other email security options (such as DKIM).
• power platform: Recommended changes to data and application settings within the Power Platform ecosystem.
• SharePoint/OneDrive: Addresses security settings for sharing and other site permissions.
• team: Encourage controls for more secure communication and collaboration within Microsoft Teams.
• The ScubaGear team plans to further expand the M365 service in the future.

By following the steps outlined in this article and using ScubaGear, you can significantly improve the security of your Microsoft 365 environment. ScubaGear’s guidance and best practices can help you stay ahead of potential threats and create a secure digital environment for your organization.

Important Steps for Using ScubaGear

To use ScubaGear effectively, it is important to follow regular inspections and maintenance. Here are some key steps to consider:

1. regular scanning: Schedule regular scans of your Microsoft 365 environment to identify and remediate potential vulnerabilities. Your settings may change over time, and ScubaGear can scan your preferences for any deviations from security standards.
2. Review and update security policies: Ensure your security policies are up to date and aligned with the latest best practices.
3. Implement recommended settings: Strengthen your security posture by applying the recommended settings provided by ScubaGear.

Stay connected with the Microsoft public sector technology community

Continue the conversation about technological advancements in government and public services. Join the Microsoft Public Sector Technology Community to connect with peers, share insights, and engage in discussions about IT solutions for government. discussion space. For updates on cloud security, compliance, and digital transformation, follow: Public sector blog.