CISA Finalizes Microsoft 365 Secure Configuration Baselines

When CISA initiated its Secure Cloud Business Applications (SCuBA) project, our goal was to elevate the federal government’s baseline for email and cloud environments by optimizing the security capabilities available within widely used products and services while enabling operational visibility at the enterprise-level in support of our shared cybersecurity mission. This meant security-centric configurations in response to the current and evolving threat environment, guidance to support the practical application at agencies, and an assessment tool to provide comprehensive awareness of the ‘current state’ to define what additional steps were needed.

Today, we are pleased to announce the release of Version 1.0 of CISA’s Secure Configuration Baselines for Microsoft 365 (M365) along with our ScubaGear tool. These baselines provide easily adoptable policy configuration recommendations that complement each agency’s unique requirements and risk tolerance levels.

These final Baselines have been refined and improved through extensive engagement with partners and from experiences gained from on-the-ground implementation efforts with agencies. In October 2022, CISA released the draft M365 Secure Configuration Baselines for public comment and received hundreds of responses from public and private sector partners. In parallel, we conducted a dozen pilot projects at federal agencies to target the adoption of advanced cloud security practices while testing our guidance and recommended configurations in practice. These pilots demonstrated not only how critical these configuration baselines are to enhancing cybersecurity, but also how valuable it is to have comprehensive guidance to drive cross-organizational adoption in line with enterprise risk management. Our pilot effort also reinforced how simple the ScubaGear tool is to use, and provided insight into agency resource needs for full adoption. All participating agency teams were able to adopt a higher security baseline for their M365 email and cloud environments with existing resources- expertise they already had available. Though these results may vary across organizations, applying the M365 Secure Configuration Baselines is not only essential in this cyber threat environment, but it is a relatively low level of effort for most cyber teams.

In support of our pilot efforts, CISA also released our assessment tool, ScubaGear, to help organizations rapidly assess their M365 services against CISA’s recommended policies. This tool decreases the effort required for agencies (or any organization) to assess their tenant configurations by producing a detailed as-is report to serve as a starting point. Since launch, ScubaGear has been downloaded over 4,000 times and its results, coupled with our SCuBA Baselines, have helped countless agencies and organizations take meaningful steps forward to elevate their cybersecurity posture.

So, after a year of coordination, hands-on technical support, and extensive comment adjudication, we are excited to share the results with our broader cybersecurity community. CISA is proud to announce the publication of the following seven M365 Secure Configuration Baselines:

Based on agency feedback, expert insight, Microsoft product updates, and extensive collaboration from Microsoft and other partners, Version 1.0 of the M365 Secure Configuration Baselines incorporates over 100 modifications to the initial draft. We’ve also made close to 50 enhancements to the ScubaGear tool as well to improve user experience and reliability. While the final M365 baselines differ from the draft in meaningful ways, a few key improvements are of note.

• Combined SharePoint and OneDrive: To improve usability and functional convenience, we integrated the baselines for SharePoint and OneDrive into one.
• Optimized Baselines for Assessment Purposes: Our pilot experience illustrated the need for improved categorization and verification potential to facilitate assessments and implementation planning. We removed policies that could not be verified through tools, reorganized policies into more logical groupings, and established unique policy identifiers. These changes clarified the intent of the baselines, streamlined their implementation, and directly improved the ScubaGear tool. Ease of use and ease of implementation is a critical component.
• Focus on Practical Application and Communication: In order to drive progress and adopt an elevated baseline, practitioners and managers need to coordinate. And change management requires great communication. We incorporated rationale statements and additional clarity related to risk tolerance and risk acceptance determinations. Where possible, CISA also provided information on the business impact of specific controls to support decision-making.

We appreciate the contributions of all those who supported this effort over the past year. CISA deliberately designed Project SCuBA to be collaborative, inclusive, and public. From our government partners on the Federal CIO Council and early pilot adopters to our industry partners that provided constructive feedback, this cybersecurity community has helped shape our SCuBA product into something that will support countless users seeking to enhance their cybersecurity posture. A special thanks to the M365 team at Microsoft for the close collaboration throughout this effort.

These artifacts are now available for download on CISA’s GitHub or CISA’s SCuBA webpage.