CISA Releases Microsoft 365 Security Configurations Baseline Recommendations

Updated on 2022-10-26

The CISA has reportedly sought out public comments on security configuration baselines for eight Microsoft products, as part of its Securing Cloud Business Applications (SCUBA) project. Read more: CISA Seeks Feedback on Baseline Measures to Secure Cloud Configuration

Overview

The US Cybersecurity and Infrastructure Security Agency (CISA) has released security configuration baseline recommendations for Microsoft 365 cloud services. The recommendations are part of CISA’s Secure Cloud Business Application (SCuBA) project, which was launched in April of this year. CISA is accepting public comment on the recommendations through November 24.

Note

• The Center for Internet Security has published and widely used consensus configuration benchmarks for Office 365 and many other cloud services. Full list at https://learn.cisecurity.org/benchmarks
• The SCuBA project’s initial scope is Microsoft 365 and Google Web Services and an automated tool to perform assessments. Over time they expect to grow to other environments. They are basing their reference model on many existing directives including CISA cloud security guidance (CDM, Zero Trust, Cloud Security TRA), Federal cloud security guidance (FedRAMP, OMB Zero Trust M-22-09, OMB logging (M-21-31) and Federal ICAM architecture. All in all giving an overview of how all these fit together to not only aid security but also aid in incident response. Two risks – having visibility to the data needed, such as CDM and your cloud service providing needed/timely log data to your SIEM. Even so, if you’re in the federal space, review the document and provide feedback to [email protected].

Read more in

• cisagov / ScubaGear
• Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA) (PDF)
• CISA Seeks Comment on Microsoft 365 Security Configuration Baselines
• CISA releases Microsoft 365 security configuration baselines for pilots, public comment