The Cybersecurity and Infrastructure Security Agency has released Version 1.0 of Secure Configuration Baselines for Microsoft 365, providing policy configuration recommendations that align with CISA’s requirements and risk tolerance levels while still being easily adoptable.
CISA held several pilots for the Secure Cloud Business Applications project at federal agencies to test guidance and recommended configurations in practice and target advanced cloud security practice adoption, according to two agency officials.
“These pilots demonstrated not only how critical these configuration baselines are to enhancing cybersecurity, but also how valuable it is to have comprehensive guidance to drive cross-organizational adoption in line with enterprise risk management,” said Michael Duffy, associate director of CISA, and Chad Poland, SCuBA product manager. “All participating agency teams were able to adopt a higher security baseline for their M365 email and cloud environments with existing resources - expertise they already had available.”
They added that the application of M365 Secure Configuration Baselines is needed in the cyber threat environment and requires a relatively low level of cyber team effort.
CISA also launched the ScubaGear tool for assessing organizations’ M365 services against agency-recommended policies. It reduces the effort needed to evaluate agencies’ tenant configurations by generating an as-is report that serves as a starting point.
The tool has been downloaded more than 4,000 times since its launch, helping organizations boost their cybersecurity posture.