SCuBA Dives Deeper to Help Federal Agencies Secure their Cloud Environments Publishes Security Configuration Baselines for Microsoft 365


Michael Duffy, Associate Director, CISA

In April, CISA announced the Secure Cloud Business Applications (SCuBA) project to help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations. Today, we are excited to announce the latest contribution of the SCuBA project:  a series of recommended security configuration baselines for Microsoft 365 (M365).  These baselines will kick off a series of pilot efforts to advance cloud security practices across the FCEB and more effectively safeguard sensitive information and government services.

These baselines benefitted from foundational work from a consortium of security experts across the FCEB, called the Federal Chief Information Officers Council’s Cyber Innovation Tiger Team (CITT),[1] and will help agencies align their cloud environments with federal security mandates and cybersecurity best practices.

Building on CITT’s efforts, these security configuration baselines for M365 provide easily adoptable recommendations that complement each agency’s unique requirements and risk tolerance levels as well as include automation features to assist federal agencies in rapidly assessing their M365 services. Included in the M365 series are minimum viable security configuration baselines for:

Microsoft Teams

SharePoint Online

Power Platform

Power BI

OneDrive for Business

Exchange Online

Defender for Office 365

Azure Active Directory

In addition to encouraging FCEB agencies to pilot the recommended baselines and provide feedback, CISA is also requesting public comment on the eight M365 security configuration baseline documents located on Github and These baselines were developed with flexibility in mind to keep pace with evolving technologies and capabilities while protecting the federal enterprise today. Although these documents are principally intended for use by federal agencies, CISA recommends that all organizations utilizing cloud services review the baselines and implement practices therein where appropriate.

In the coming months, CISA will publish security configuration baselines for Google Workspace (GWS) to guide agencies in protecting their network, as well as request agencies to pilot them. Ultimately the publication of the GWS and M365 baselines will further CISA’s mission to secure the federal enterprise by addressing cybersecurity and visibility gaps within cloud-based business applications.

FCEB agencies piloting these baselines should contact our Cybersecurity Shared Services Office with any questions:

The public comment period is open until November 24, 2022, and comments should be submitted to or at CISA’s SCUBA’s GitHub page. CISA looks forward to receiving and reviewing public feedback on this important effort to improve federal cloud cybersecurity.

CITT members are: Mike Witt, CISO, National Aeronautics and Space Administration; James Saunders, CISO, U.S. Office of Personnel Management; Beau Houser, CISO, U.S. Census Bureau; Andrew Havely, CTO, U.S. Department of the Interior; Han Wei Lin, Sandia; and Sanjay Gupta, CIO, U.S. Department of Justice, Executive Office for Immigration Review.