CISA releases Microsoft 365 security configuration baselines for pilots, public comment

A series of Google Workspace baselines are expected within months as part of the SCuBA project to protect sensitive information.
CISA, DHS, Department of Homeland Security, RSA 2019
The DHS and CISA booth at the 2019 RSA conference in San Francisco. (Scoop News Group photo)

The Cybersecurity and Infrastructure Security Agency released recommended Microsoft 365 security configuration baselines Thursday for use in cloud security pilots by federal agencies and for public comment.

Part of CISA’s Secure Cloud Business Applications (SCuBA) project to protect sensitive information, the information system specifications will help agencies align their environments with federal cyber mandates.

CISA announced SCuBA in April, and the baselines are just the first — with a Google Workspace series expected within months.

A configuration baseline is a documented specification for an information system that is formally reviewed and can be amended only through change of control procedures.


“CISA has developed these baselines to be broadly adopted by the federal agencies, beginning with pilot efforts, as the agencies transform, modernize and secure their enterprise environments,” Sean Connelly, senior cyber architect at CISA, told FedScoop.

The flexible baselines complement agencies’ unique requirements and risk tolerance levels and include automation to quickly assess Microsoft 365 services.

A consortium of security experts called the Federal Chief Information Officers Council’s Cyber Innovation Tiger Team conducted the foundational work on the baselines that CISA’s Cyber Quality Service Management Office (QSMO) has subsequently taken up.

“We have worked hard to closely align these baselines with zero trust tenets and principles,” Connelly said. “And they can be a key resource as agencies map these baselines with the application, workload pillar of CISA’s Zero Trust Maturity Model.”

Federal agencies and other organizations using cloud services have until Nov. 24, 2022 to comment on the baselines.


SCuBA will help vendors adapt their capabilities and develop products that are more fit for purpose, said Alice Fakir, account partner for federal security services at IBM, during CyberTalks presented by CyberScoop on Thursday.

Increased partnerships with vendors will help build out the technical reference architecture into multiple versions.

“If there was something I’d like to add and see more of it’s more engagement and collaboration with the government, CISA specifically, and being able to build out additional proofs of concept around these things,” Fakir said.

Latest Podcasts