BOD 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services
Note: CISA will update this page to provide users and agencies with the latest information and guidance on BOD implementation.
Background
Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. Binding Operational Directive (BOD) 25-01 requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA-developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats.
This Implementation Guidance provides FCEB agencies with additional context and instructions for implementing the requirements from BOD 25-01.
Scope
BOD 25-01 applies to all production or operational cloud tenants (operating in or as federal information systems) with an associated and finalized SCuBA Secure Configuration Baseline published by CISA. At the time of issuance of BOD 25-01, CISA had published final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365. In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive. Any baselines not updated within one year will automatically fall out of scope and will be removed from the SCuBA Secure Configuration Baseline catalog, linked through the Binding Operational Directive 25-01 Required Configurations website.
BOD 25-01 requirements pertain only to mandatory policies referenced within the SCuBA Secure Configuration Baselines as “shall” actions. All such mandatory policies are published on the Binding Operational Directive 25-01 Required Configurations website. SCuBA Secure Configuration Baselines specify both recommended policies that are left to agency discretion to implement (identified as “should” actions within the Baselines) and mandatory SCuBA policies that must be implemented, pursuant to the requirements of this Directive (identified as “shall” actions within the Baselines).
Scope Clarification
The scope of BOD 25-01 has several parts, including addressing production and operational content, operating in or as federal information systems, using finalized SCuBA Secure Configuration Baselines published by CISA, and ensuring mandatory policy implementation. As agencies evaluate whether cloud service tenancies are in scope of the BOD’s requirements, they should consider the following guidance and how it applies to their situation:
- Production or operational tenant: A production or operational tenant is a Cloud Service Provider’s (CSP’s) environment primarily used by the government to conduct official government business, whether operated by the government or a contractor. A tenant is not a production or operational tenant if it is primarily used to test configuration changes before application to another tenant or as part of the software development and testing process before it is deployed to another tenant. Agencies may choose to include additional tenants—those not included in the BOD’s scope—in CISA’s continuous monitoring program at their discretion.
- Operating in or as federal information systems: The scope of the BOD is limited to tenants that are part of an Information System, as defined in 44 USC § 3502(8), that is owned by or operated by Federal agency or on behalf of a Federal Agency by a contractor. Tenants outside of the authorization boundary of an agency’s Information System are not in scope of the BOD.
- Finalized SCuBA Secure Configuration Baselines published by CISA: The BOD’s scope is limited to cloud services that have a finalized SCuBA Secure Configuration Baseline (SCB) published by CISA. At the time of BOD 25-01 issuance, Microsoft 365 is the only finalized SCB. SCBs are initially developed in a draft format and circulated for comment with agencies, vendors, and the public prior to becoming a finalized baseline. The Binding Operational Directive 25-01 Required Configurations website contains the authoritative list of finalized baselines and mandatory policies under the BOD.
- Mandatory policies: Requirement 3 of BOD 25-01 mandates the implementation of “shall” policies from in-scope SCBs. The authoritative list of mandatory policies and finalized baselines can be found on the Binding Operational Directive 25-01 Required Configurations website. Although recommended (“should”) policies are not required, CISA strongly advises agencies to implement these policies to the extent possible in their environment.
Requirements (Microsoft 365)
Requirement #1
Identify all cloud tenants within the scope of this Directive:
- No later than Friday, February 21st, 2025, provide the tenant name and the system owning agency/component for each tenant, following CISA reporting instructions.
- Update this inventory in the first quarter annually by following CISA reporting instructions.
User Guidance: To achieve compliance with this requirement, agencies must collect and enter the required information via:
A. The CyberScope SCuBA Tenant Inventory site, an interactive CyberScope UI available in December 2024. Agencies may begin collecting the inventory in a CyberScope Excel template, currently available via CyberScope.
Agencies must update their inventory by the end of the first quarter each fiscal year (FY). The inventory list will be used to help ensure reports for all tenants are being received in a timely manner. Agencies are encouraged to update their inventory immediately when there are changes to tenants. Agencies may complete this requirement manually or with assistance from the output of the ScubaGear tool.
- To access the CyberScope SCuBA Tenant Inventory website, log into an agency MAX ID account using a registered PIV or CAC card or with a MAX.GOV UserID and password.
- To register a MAX ID with CyberScope, select “Sign Up” when prompted and select or enter the following:
- Agency: Select the appropriate agency from the dropdown menu.
- Request Access: Select “Binding Operational Directive 25-01”
- Work Phone: Enter the user’s work phone number in the format 000-000-0000.
- For users possessing a CyberScope account but not access to the SCuBA Tenant Inventory page, request access by reaching out to the Agency Lead POC or the CyberScope Help Desk (cyberscopehelp@cisa.dhs.gov) to assign the SCuBA BOD Data Entry/Validate and/or Submitter permissions to the CyberScope account.
- With access to the CyberScope SCuBA Tenant Inventory site, select “Add New Tenant.” Then, select or enter the following for all M365 cloud tenants within the scope of this Directive:
- Bureau/Sub-Component: Select the bureau or sub-component that the tenant is operated for. Each user is already assigned to an Agency; therefore, CyberScope is aware of this context, and all tenants added by a user will be assigned to the Agency. The Bureau/Sub-Component list will be limited to the user’s Agency. Example: If a user’s component was CISA under the Department of Homeland Security (DHS), the user’s Agency is DHS, bureau or sub-component would be CISA. If the tenant was operated by DHS HQ, no Bureau or sub-component would be selected.
- If no sub-component, insert Agency name.
- Product: Select M365
- Service Plan: For M365, select either Commercial, GCC or GCC High; GWS will only have Commercial, and no other selection is necessary at this time.
- Tenant ID: Enter the globally unique identifier (GUID) for the tenant.
- Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center as at least a Global Reader.
- Browse to Identity > Overview > Properties.
- Scroll down to the Tenant ID section to find the tenant ID in the box.
- Azure Portal
- Sign in to the Azure portal.
- Browse to Microsoft Entra ID > Properties.
- Scroll down to the Tenant ID section to find the tenant ID listed.
- Other: PowerShell, Azure or Microsoft 365 CLI
- Follow the commands listed in How to find your tenant ID - Microsoft Entra | Microsoft Learn
- Tenant FQDN: Enter the fully qualified domain name (FQDN) for the tenant [e.g., tenant1.cisa.gov].
- Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center as at least a Global Reader.
- Browse to Identity > Overview
- Scroll down to the Primary Domain section to find the Tenant FQDN listed.
- In Scope: The default is ‘Y’ (Yes) when entering a new tenant. If a tenant falls out of scope or an agency is pre-emptively listing a tenant they know will soon be within the scope of the BOD, then change this value to ‘N’ (No). Subsequently, CISA will know not to expect results from the tenant.
- When “N” (No) is selected, data for the associated tenant will be shown on a normal agency dashboard but will not be shown on the BOD 25-01 CDM Dashboard or used for compliance.
- This option is included to allow agencies flexibility in maintaining current inventory data:
- Agencies can use the CDM infrastructure to track their cloud tenants and view their inventories through their own CDM dashboards.
- Agencies can pre-populate inventories as they bring new tenants on-board and prepare for additional tenants entering the scope of the Directive.
- Agencies can adjust their inventory through a single field without having to delete and re-add data – for example, if a tenant is taken offline for a period of time but will re-enter production again at a later date.
- ATO: Select “Y” if the tenant has an active ATO.
- Agencies can run ScubaGear on each M365 tenant to help fill out the CyberScope SCuBA Tenant Inventory fields. See Requirement 2 for information on running ScubaGear.
- To install and run ScubaGear, refer to the ScubaGear GitHub README. The README contains instructions to install ScubaGear from PSGallery. Find information on the ScubaGear reports in the ScubaGear documentation on GitHub.
- Note: CISA recognizes that using software on agency networks may require internal agency authorization processes that must be followed. Agencies should initiate those processes as needed for ScubaGear and its dependencies.
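As an added example (not part of the CISA guidance or the ScubaGear project), the following PowerShell gathers the two inventory fields above, Tenant ID and Tenant FQDN, in a way that can be scripted across many tenants. The first function needs no credentials: every Entra tenant publishes an OpenID Connect discovery document whose `issuer` value embeds the tenant GUID. The second function cross-checks that GUID against the signed-in tenant with the Microsoft Graph PowerShell SDK, which requires the `Microsoft.Graph` module and a role that can read organization properties (Global Reader is sufficient). Commercial and GCC tenants live in the global cloud; GCC High uses the US Government endpoints. The domain name used in the usage line is a placeholder.

```powershell
# Added example: resolve an M365 tenant's GUID and primary domain for the
# CyberScope SCuBA Tenant Inventory. Not part of ScubaGear or the CISA page.

function Get-TenantIdFromDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Commercial and GCC tenants use the global cloud; GCC High uses
        # the US Government cloud (login.microsoftonline.us).
        [ValidateSet('commercial', 'gcchigh')] [string] $Environment = 'commercial'
    )
    $authority = switch ($Environment) {
        'commercial' { 'https://login.microsoftonline.com' }
        'gcchigh'    { 'https://login.microsoftonline.us' }
    }
    # The discovery document is public, so this works before any admin
    # account exists for the tenant. Example issuer:
    #   https://login.microsoftonline.com/<tenant-guid>/v2.0
    $meta = Invoke-RestMethod -Uri "$authority/$Domain/v2.0/.well-known/openid-configuration"
    if ($meta.issuer -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') {
        return $Matches[1]
    }
    throw "No tenant GUID found in issuer '$($meta.issuer)' for domain $Domain"
}

function Get-TenantInventoryRecord {
    param(
        [ValidateSet('commercial', 'gcchigh')] [string] $Environment = 'commercial'
    )
    # Map to the Graph SDK's environment names.
    $graphEnv = if ($Environment -eq 'gcchigh') { 'USGov' } else { 'Global' }
    # Organization.Read.All is enough to read the tenant ID and verified domains.
    Connect-MgGraph -Scopes 'Organization.Read.All' -Environment $graphEnv -NoWelcome
    $org = Get-MgOrganization
    # The default verified domain is the "Primary Domain" shown in the Entra
    # admin center and is what CyberScope expects as the Tenant FQDN.
    $primary = ($org.VerifiedDomains | Where-Object { $_.IsDefault }).Name
    $publicId = Get-TenantIdFromDomain -Domain $primary -Environment $Environment
    [pscustomobject]@{
        TenantId   = $org.Id
        TenantFQDN = $primary
        # Both lookups must agree before the GUID is entered into the inventory.
        Consistent = ($publicId -eq $org.Id)
    }
}

# Usage (placeholder domain): no sign-in needed for the first call.
Get-TenantIdFromDomain -Domain 'tenant1.example.gov'
# Signed-in cross-check for the tenant you are inventorying:
Get-TenantInventoryRecord -Environment 'commercial' | Format-List
```

The unauthenticated lookup is also a quick way to discover tenants tied to agency-owned domains that may be missing from the inventory; if `Consistent` is false, the domain is verified in a different tenant than the one you signed in to, and the entry should not be submitted until that is resolved.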
Requirement #2
Deploy all SCuBA assessment tools for in scope cloud tenants no later than Friday, April 25th, 2025 and begin continuous reporting on the requirements of this Directive through one of the following methods:
- Integrate the tool results feeds with CISA’s continuous monitoring solution to enable automated reporting
OR
- Manually report the results of the most recent SCuBA assessment tool version to CISA quarterly in a CISA approved, machine-readable format, following CISA reporting instructions
User Guidance: To achieve compliance, agencies will run ScubaGear on all in scope tenants. Agencies may complete the remainder of this requirement in one of three ways:
- The first (2.a.) is automated reporting managed by CISA, a “set-and-forget” option that will enable reporting compliance overseen by CISA.
- The second (2.b.) is automated reporting to CISA via integration with CLAW / TALON using agency-hosted resources.
- The third (2.c.) is manual configuration of the assessment tool with a quarterly reporting obligation of agency results to CISA.
- First, install and configure the ScubaGear tool to run assessments on all in-scope tenants:
- To install and run ScubaGear, refer to the ScubaGear GitHub README, which contains instructions to install ScubaGear from PSGallery. Find ScubaGear report information in the ScubaGear documentation on GitHub.
- Further resources, including instructional videos, demonstrations, and in-depth slides, can be found through the CommunityConnect (OMB MAX) SCuBA workshop resource.
- Within the ScubaGear Configuration File agencies should insert values for their agency name in the OrgName of the config file and, if applicable, they should enter the bureau or subagency name in the ‘OrgUnitName’ of the config file. The “OrgName” should be the top level agency acronym as defined under CISA’s Federal Civilian Executive Branch Agency List. The “OrgUnitName” should be the next organization acronym 1 level down from the top level. Example below:
- OrgName = “DHS”
- OrgUnitName = “CISA”
- CISA currently offers relevant training courses (IR113/IR213: Implementing SaaS Security Guidelines) available for registration through Incident Response Training | CISA.
- Additional SCuBA training resources will be available in CISA Learning at https://learning.cisa.gov/ later in FY25.
- Agencies may refer to the Binding Operational Directive 25-01 Required Configurations website for links and additional guidance.
- Note: CISA recognizes that using software on agency networks may require following internal agency authorization processes. Agencies should initiate those processes as needed for ScubaGear and its dependencies.
- For each tenant listed as “In Scope,” the user will need to provide the results from the latest version of the SCuBA assessment tool to CISA. This can be done by:
- Agency integration with CISA’s Continuous Monitoring Solution via the ScubaConnect application for automated reporting (this is the preferred method of compliance).
- ScubaConnect runs from a CISA environment as though the application was native to an agency’s tenant.
- Agencies will grant access to their tenant to a CISA owned and operated multi-tenant application, and results will automatically be provided back to the agency through the CDM Dashboard.
- Beyond initial configuration, CISA will manage reporting compliance via ScubaConnect without additional workload requirements on agencies.
- Agencies complete the following steps to complete integration with ScubaConnect:
- Email the SCuBA Team at scuba@cisa.dhs.gov.
- A tenant admin with sufficient privileges will need to be able to approve the consent link and ensure permissions are correctly set.
- The agency will need to upload their ScubaGear configuration file to CyberScope for the appropriate tenant.
- Agency runs ScubaGear and configures automated reporting of results to CISA via integration with CLAW / TALON using agency-hosted resources. (This is a less preferred method of compliance.)
- In this option, agencies run regular automated ScubaGear scans hosted in an agency cloud environment and provide the results to CISA through the CLAW Azure TALON.
- Results will also be automatically provided back to the agency through the CDM dashboard.
- This is a more advanced option for agencies that wish to automate ScubaGear reporting and will require integration and development work on the agency side.
- After each ScubaGear scan is run within the environment, the outputs should be sent to a CLAW Azure TALON.
- For agencies looking for further guidance to pursue this option, please contact CISA at scuba@cisa.dhs.gov to discuss integration requirements in more detail.
- Agency manually runs ScubaGear and reports the results to CISA by manually uploading them to CyberScope. (This is the least preferred option of compliance.)
- In this option, agencies manually upload ScubaGear assessment results to CISA quarterly through CyberScope. Results will be updated in the CDM dashboard upon receipt by CISA. If desired, agencies may update results in CyberScope more frequently. For agencies manually reporting results, follow the steps in Requirement 1 (above) to ensure all cloud tenants within the scope of this Directive have their required information collected and listed via CyberScope.
- Agencies must configure and run ScubaGear for all in scope tenants.
- Refer to the ScubaGear GitHub README, which contains instructions to install ScubaGear from PSGallery.
- Further resources, including instructional videos, demonstrations, and in-depth slides, can be found through the CommunityConnect (OMB MAX) SCuBA workshop resource.
- CISA currently offers relevant training courses (IR113/IR213: Implementing SaaS Security Guidelines) available for registration through Incident Response Training | CISA.
- After running the ScubaGear tool for each in-scope tenant, log in to CyberScope and select the “v” arrow symbol at the end of each row to open the submission section for the tenant.
- For Submission Type, select from the dropdown menu “Scan Results.”
- Select and submit the SCuBA assessment tool results by dragging and dropping the file or selecting browse and selecting the file. For the “Scan Results” requirement, the file type is limited to:
- .json: drag and drop, or select via browse, the ScubaResults .json file in the output directory folder. The ScubaResults file name includes about 18 characters of the UUID (the unique identifier generated for each report; the full identifier is available inside the .json file) before the .json extension.
- Agencies will then upload the resulting output via the BOD 25-01 CyberScope page.
Requirement #3
Implement all mandatory SCuBA policies effective as of this Directive’s issuance, as set forth in the CISA-managed Binding Operational Directive 25-01 Required Configurations website no later than Friday, June 20th, 2025. These mandatory SCuBA policies are provided on the Required Configurations website and correspond to the mandatory policies referenced within the SCuBA Secure Configuration Baselines.
User Guidance: When implementing mandatory policies to all cloud instances covered by this BOD, agencies shall reference the Binding Operational Directive 25-01 Required Configurations website.
- Follow all steps identified in Requirements 1 and 2 (above), verifying that:
- All cloud tenants within the scope of this Directive have been collected and entered on the CyberScope SCuBA Tenant Inventory site.
- SCuBA assessment tools for in-scope cloud tenants have been enrolled in CISA’s continuous monitoring solution, or results have been submitted manually in the CyberScope SCuBA Tenant Inventory site.
- For the mandatory policies identified as “failures,” follow the next steps below:
- Continuous Monitoring Solution (Use for agencies and tenants that are integrated through CISA’s continuous monitoring solution.) Do the following:
- Go to the CDM Dashboard to find the mandatory policies identified as “failures.”
- Review and follow the steps found in the SCuBA Secure Configuration Baselines to implement the remaining mandatory security policies or identify timelines for required implementations.
- Manually Reporting (Use for agencies and tenants who submitted the SCuBA assessment tool results manually.) Do the following:
- Open the file named BaselineReports.html to view the SCuBA M365 Secure Baseline Conformance Report.
- Review all mandatory policies referenced within the SCuBA Secure Configuration Baselines and as set forth in the Binding Operational Directive 25-01 Required Configurations website.
- Determine which have been identified as “failures.”
- Follow the steps found in the SCuBA Secure Configuration Baselines to implement the remaining mandatory security policies or identify timelines for required implementations.
- In some cases, ScubaGear may need to be configured with relevant information so that policies pass. For example, “break glass” accounts that are exempt from certain policies must be explicitly listed. These cases are documented in the ScubaGear documentation. Refer to the user guidance in Requirement 6 for further steps. Rerun ScubaGear to confirm that the policy failures have been remediated and resubmit the latest SCuBA assessment tool results to CISA as outlined in Requirement 2.
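The manual-reporting path above has the agency read BaselineReports.html and pick out the mandatory policies marked as failures. As an added example (not part of the CISA guidance or the ScubaGear project), the following PowerShell does the same triage against the machine-readable ScubaResults JSON that is uploaded to CyberScope, so the list of failing “shall” policies can be fed into a POA&M or ticketing system. The JSON layout it assumes is `Results.<Product>[].Controls[]` with the keys `Control ID`, `Requirement`, `Result`, `Criticality` and `Details`; this matches the ScubaGear report format at the time of writing, but confirm it against your own output before relying on it. The embedded sample report is constructed for the demonstration and is not real scan data.

```powershell
# Added example: list mandatory ("Shall") policies that a ScubaGear run did
# not pass, plus omitted policies whose rationale needs review. Not part of
# ScubaGear or the CISA page; the JSON layout below is an assumption to verify.

function Get-ScubaFindings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Also return failed recommended ("Should") policies, which the HTML
        # report renders as warnings.
        [switch] $IncludeShould
    )
    $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    # Results is an object keyed by product (AAD, EXO, ...), each holding
    # policy groups that in turn hold the individual controls.
    foreach ($productProp in $json.Results.PSObject.Properties) {
        foreach ($group in $productProp.Value) {
            foreach ($control in $group.Controls) {
                # Criticality values such as "Shall", "Shall/3rd Party" and
                # "Shall/Not-Implemented" are all mandatory under BOD 25-01.
                $mandatory = $control.Criticality -like 'Shall*'
                $failed    = $control.Result -in @('Fail', 'Warning', 'Error')
                $omitted   = $control.Result -eq 'Omitted'
                if (($mandatory -and ($failed -or $omitted)) -or ($IncludeShould -and $failed)) {
                    [pscustomobject]@{
                        Product     = $productProp.Name
                        Group       = $group.GroupName
                        ControlId   = $control.'Control ID'
                        Criticality = $control.Criticality
                        Result      = $control.Result
                        Requirement = $control.Requirement
                        Details     = $control.Details
                    }
                }
            }
        }
    }
}

# Constructed sample in the assumed layout so the function can be exercised
# offline. The control IDs are real baseline IDs; the results are invented.
$sample = @'
{
  "Results": {
    "AAD": [
      { "GroupName": "Legacy Authentication", "Controls": [
        { "Control ID": "MS.AAD.1.1v1", "Requirement": "Legacy authentication SHALL be blocked.",
          "Result": "Fail", "Criticality": "Shall",
          "Details": "0 conditional access policy(s) found that meet(s) all requirements." } ] },
      { "GroupName": "Risk Based Policies", "Controls": [
        { "Control ID": "MS.AAD.2.1v1", "Requirement": "Users detected as high risk SHALL be blocked.",
          "Result": "Omitted", "Criticality": "Shall",
          "Details": "Omitted per config file: third-party capability covers this control." } ] }
    ],
    "EXO": [
      { "GroupName": "Automatic Forwarding", "Controls": [
        { "Control ID": "MS.EXO.1.1v1", "Requirement": "Automatic forwarding to external domains SHALL be disabled.",
          "Result": "Pass", "Criticality": "Shall", "Details": "Requirement met" } ] }
    ]
  }
}
'@
$samplePath = Join-Path $env:TEMP 'ScubaResults_sample.json'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding UTF8

# Expected: MS.AAD.1.1v1 (Fail) and MS.AAD.2.1v1 (Omitted); the passing EXO control is not listed.
Get-ScubaFindings -Path $samplePath | Format-Table Product, ControlId, Criticality, Result -AutoSize
```

Point the function at the real `ScubaResults_<uuid>.json` in the ScubaGear output folder instead of the sample. Omitted policies are deliberately included in the output: an omission only counts as an approved deviation if the rationale recorded in the config file still reflects a current risk decision.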
Requirement #4
Implement all future updates to mandatory SCuBA policies in accordance with the timelines set forth in the CISA-managed Binding Operational Directive 25-01 Required Configurations website.
User Guidance: CISA will notify agencies via email when changes are made to the SCuBA Secure Configuration Baselines. Agencies shall reference the Binding Operational Directive 25-01 Required Configurations website to identify and implement all current Secure Configuration Baselines, mandatory security policies and timelines for required implementation.
- Follow all above steps and verify that:
- All cloud tenants within the scope of this Directive have been collected and entered on the CyberScope SCuBA Tenant Inventory site.
- The SCuBA assessment tools for in-scope cloud tenants have been enrolled in CISA’s continuous monitoring solution, or results have been submitted manually in the CyberScope SCuBA Tenant Inventory site.
- For the mandatory policies identified as “failures:”
- Review the results.
- Follow the steps found in the SCuBA Secure Configuration Baselines to implement the remaining mandatory security policies or identify timelines for required implementations.
Requirement #5
Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO).
User Guidance: When planning to add new cloud instances prior to granting an Authorization to Operate, agencies shall reference the Binding Operational Directive 25-01 Required Configurations website to identify all current Secure Configuration Baselines, mandatory security policies and timelines for required implementation.
- For all associated cloud tenants, agencies must:
- Implement all steps in requirement #1, except mark the field of ATO to “N.”
- Begin steps in requirement #2.
- Implement all steps in requirement #3, aside from steps referencing requirement #2.
- Implement all steps in requirement #4, aside from steps referencing requirement #2.
- Once an ATO is granted, mark the ATO field to “Y.”
- Continue to report as above.
Requirement #6
Agencies shall identify and explain deviations in the output of the SCuBA assessment tools when reported to CISA. For more information regarding this process, review the following and coordinate with CISA via cyberdirectives@cisa.dhs.gov.
User Guidance: The opportunity to document operationally required deviations in the ScubaGear output is satisfied via the ScubaGear configuration file. The config file includes an option allowing users to indicate policies that should be "omitted" or excluded from ScubaGear's output, indicate the rationale for omission and optionally time-bound the exclusion. (Click here for more information.)
- Operationally required deviations to policies will show up as “Omitted” in the ScubaGear output, along with the accompanying rationale. Omitting policies must only be done if the omissions are approved within an organization's security risk management process. Exercise care when omitting policies because this can inadvertently introduce blind spots in system assessment.
- Agencies that have integrated with ScubaConnect should:
- Agencies that are manually running ScubaGear and need to configure an operationally required deviation should:
- Create a config file documenting the deviations and rationales for deviation. Click here for more information.
- If reporting via CLAW / TALON integration, follow the instructions here for running ScubaGear with a config file and deploy the config file within the environment’s configuration.
- If reporting manually via Cyberscope, follow the instructions here for running ScubaGear with a config file.
- As part of the ScubaGear analysis, a CSV file is produced to help agencies track non-compliant policies with implementation plans (e.g., POA&M). The CSV file is a template to track why a policy is non-compliant, what will be done to meet compliance and an anticipated date for compliance, should agencies require it.
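The config file is where the reporting fields from Requirement 2 (OrgName, OrgUnitName), the break-glass exclusions mentioned in Requirement 3, and the documented deviations from Requirement 6 all come together. As an added example serving all three (not part of the CISA guidance or the ScubaGear project), the following PowerShell writes one such config file and runs ScubaGear against it with `Invoke-SCuBA -ConfigFilePath`. Key names follow the ScubaGear configuration documentation at the time of writing; verify them against the version you install. The Entra object IDs, the omitted policy and its rationale are placeholders, not recommendations.

```powershell
# Added example: a ScubaGear config file carrying BOD 25-01 reporting fields,
# break-glass conditional access exclusions and one time-bound, documented
# omission. Not part of ScubaGear or the CISA page; IDs and the omission are
# placeholders. Key names are taken from the ScubaGear configuration docs.

$configPath = Join-Path $PWD 'scuba_config.yaml'

@'
Description: BOD 25-01 baseline assessment - production tenant
ProductNames:
  - aad
  - defender
  - exo
  - sharepoint
  - teams
M365Environment: gcc          # commercial | gcc | gcchigh | dod
OutPath: ./ScubaOutput
LogIn: true
DisconnectOnExit: true

# Reporting fields CISA uses to attribute results: the top-level agency
# acronym, then the component one level down.
OrgName: DHS
OrgUnitName: CISA

# Operationally required deviation. The policy is reported as "Omitted" with
# this rationale and the omission stops applying after the expiration date.
# Only use after approval in the agency's risk management process.
OmitPolicy:
  MS.EXO.2.2v1:                 # placeholder policy ID
    Rationale: "Placeholder: replace with the approved risk decision and its reference."
    Expiration: "2025-06-20"

# Break-glass accounts that the mandatory conditional access policies are
# allowed to exclude. Without listing them here the policy is scored as a
# failure even though the exclusion is intentional. Placeholder object IDs.
Aad:
  MS.AAD.1.1v1:
    CapExclusions:
      Users:
        - 00000000-0000-0000-0000-000000000001
      Groups:
        - 00000000-0000-0000-0000-000000000002
'@ | Set-Content -LiteralPath $configPath -Encoding UTF8

# Run the assessment; every other option is taken from the config file.
# Requires the ScubaGear module from PSGallery and an account with the
# interactive permissions described in the ScubaGear documentation.
Invoke-SCuBA -ConfigFilePath $configPath
```

Keep the config file under version control alongside the approval record for each omission, and upload the same file to CyberScope when enrolling in ScubaConnect so that CISA's scans apply identical exclusions and omissions to the ones your local runs use. An expired omission should reappear as a failure on the next run, which is the intended signal to revisit the deviation rather than extend it silently.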
SCuBA Policies and Assessment Tool Updates
Instructions on how to sign up for GovDelivery can be found on the CISA website “Subscribe to Updates from CISA”.
- Click the SUBSCRIBE button under “Subscribe to Email Updates.”
- A prompt will inform the user that they are leaving an official USG website, click ok. Follow the prompts to create a user profile.
- Under “Subscription Topics” select BOD 25-01: Implementing Secure Cloud Practices for SCuBA BOD specific policy updates and tool changes.
- Once the desired selections are made, click submit.
Templates
CyberScope User Interface Inventory Tracker
CyberScope Inventory Excel Tracker
Frequently Asked Questions
General Questions
Q: I have questions about this BOD. Who do I talk to?
A:
- For general information, assistance, and questions about reporting, visit Cybersecurity Directives | CISA or contact CyberDirectives@cisa.dhs.gov.
- For questions about the SCuBA program, SCBs, the assessment and tools, managing inventory or uploading SCuBA files to CyberScope, integrating SCuBA results to CLAW Azure TALONs, and viewing SCuBA results in CDM contact the SCuBA team at scuba@cisa.dhs.gov.
Q: For which vendors are the SCuBA SCBs currently operational?
A: CISA is actively constructing a robust framework aimed at developing SCuBA’s Secure Configuration Baselines for various SaaS products, aligning closely with the Federal Risk and Authorization Management Program (FedRAMP). As of December 2024, CISA has released finalized SCBs for Microsoft 365 (which is in scope for the BOD at issuance) and draft SCBs for Google Workspace (which are anticipated to enter scope in Q2, FY 2025).
CISA will continue its collaboration with agencies, organizations, and cloud service providers to keep these baselines up to date to reflect the latest security standards and threats. This ongoing partnership and proactive approach will help maintain a resilient, secure, and adaptable digital environment.
Q: Is CISA developing SCuBA SCBs for other vendors?
A: Currently, only the M365 baseline is finalized and in scope for this Directive. In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products.
Q: What type of licenses are needed for compliance with the policy requirements of the SCBs?
A: For Microsoft 365, license assumptions are listed in the licensing requirements. Some policies require additional licenses, either from Microsoft or a third-party service that offers equivalent protections, as noted in the "License Requirements" sections of the individual controls. The specific service used to meet the requirement for policies that require additional licensing is left up to agency discretion.
Q: What do I do if my agency has not purchased the license tiers needed for compliance with the policy requirements of the SCBs?
A: Purchasing additional licensing is not a requirement of the BOD. Agencies may use third-party capabilities that provide equivalent protections, and more details can be found within the baselines. Agencies may also indicate a deviation in their configuration file and include the reason for the deviation.
Q: How do I download the assessment tool?
A: ScubaGear is available for download on CISA’s GitHub. Installation Instructions can also be found on its GitHub page in the README file. For simplicity ScubaGear can be installed directly through PowerShell Gallery. Agencies can also download signed releases from GitHub for packaging and distribution through agency enterprise software management infrastructure.
Q: What does each baseline policy contain?
A: SCuBA Secure Configuration Baselines are organized topically by policy groups, such as Risk Based Policies, Strong Authentication and a Secure Registration Process, Application Registration and Consent, etc. To help users better understand each individual baseline policy, CISA includes the following information:
Q: My SCuBA tool report shows Red/Yellow/Gray: what does that mean?
A: Once the tool has generated the report, it will show all baselines with indications of “passed,” “warning,” “failed,” “omitted” or “manual checks needed.” Green indicates controls that passed or are compliant with the security baseline statements. Red indicates required baselines statement controls are not met, i.e., “SHALL” statements. Yellow indicates recommended baselines statement controls are not met, i.e., “SHOULD” statements. Gray indicates controls that ScubaGear is not able to evaluate using the APIs provided by the cloud service provider. See below for an example.
Q: Our Agency implements Zero Trust Architecture. Does this Directive still apply to us?
A: This Directive’s requirements complement and support zero trust (ZT) implementation principles. Agencies should complete the required actions outlined in this Directive in parallel to adopting ZT principles, in accordance with CISA’s ZT Maturity Model.
Q: Will CISA make the SCuBA assessment data available to my agency?
A: All results received by CISA through either the automated reporting tool (ScubaConnect) or via CyberScope will be made available to both the Federal and Agency Dashboards within CDM. This enables agencies to track Directive implementation progress and ongoing compliance for all in scope tenants across the agency.
ScubaGear (M365) Questions
Q: What is ScubaGear?
A: ScubaGear is a tool for automatically assessing whether a given tenant properly implements the Secure Configuration Baseline requirements for Microsoft 365. ScubaGear assesses the Secure Configuration Baselines for a specific M365 tenant, supporting products such as Azure Active Directory/Entra ID, Exchange Online, Defender for Office 365, SharePoint Online and OneDrive, Microsoft Teams, and Power Platform.
Q: What permissions on my tenant are required for my agency to run ScubaGear?
A: ScubaGear uses two distinct permission sets, one for interactive authentication and one for non-interactive authentication, so that agencies can choose the option that fits their security and operational needs. With interactive authentication, an administrator signs in to the tenant when ScubaGear prompts for credentials; with non-interactive authentication, ScubaGear signs in as an Entra ID service principal (for example, for scheduled runs). For the current list of required permissions, which may change between releases, refer to the interactive permissions and non-interactive permissions GitHub pages.
Q: What are the requirements for running ScubaGear in my environment?
A: ScubaGear assumes a base license of M365 G3 or E3; however, some controls require additional add-on licensing (e.g., Entra ID P2). ScubaGear must be run from a Windows PowerShell 5.1 session (the version that ships with Windows) on a Microsoft Windows system, using an identity that holds the required M365 permissions. ScubaGear also depends on several PowerShell modules and the OPA engine. Normally these dependencies are installed automatically during setup, but in some cases (for example, restricted networks) agencies may need to package ScubaGear and its dependencies manually for deployment within their environment. Agencies that use ScubaConnect are not required to run ScubaGear locally.
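The script below is an added example of a ScubaGear run that follows the permission and environment requirements described in the two answers above; it is not CISA's text or ScubaGear project code. The cmdlet and parameter names (Initialize-SCuBA, Invoke-SCuBA, -ProductNames, -M365Environment, -OutPath, -AppID, -CertificateThumbprint, -Organization) follow the ScubaGear README and should be confirmed against the current GitHub documentation; the application ID, certificate thumbprint and tenant name are placeholders.

```powershell
# Added example (not CISA guidance or ScubaGear project code).
# Assumptions: cmdlet/parameter names per the ScubaGear README;
# '<application-id>', '<cert-thumbprint>' and agency.onmicrosoft.com are placeholders.
param(
    [switch] $UseServicePrincipal,          # non-interactive run via Entra ID service principal
    [string] $Environment = 'gcc',          # commercial | gcc | gcchigh | dod
    [string] $OutPath = '.\ScubaReports'
)

# ScubaGear runs under Windows PowerShell 5.1, not PowerShell 7.
if ($PSVersionTable.PSVersion.Major -ne 5 -or $PSVersionTable.PSVersion.Minor -ne 1) {
    throw "Run this from Windows PowerShell 5.1; found $($PSVersionTable.PSVersion)"
}

# Install from PSGallery. In a restricted network, pre-stage the module instead:
#   Save-Module -Name ScubaGear -Path <file share>   (then copy it to a PSModulePath folder)
if (-not (Get-Module -ListAvailable -Name ScubaGear)) {
    Install-Module -Name ScubaGear -Scope CurrentUser
}
Import-Module ScubaGear

# Download the OPA engine and install the PowerShell module dependencies.
Initialize-SCuBA

if ($UseServicePrincipal) {
    # Non-interactive: a certificate-credentialed service principal that holds
    # the non-interactive permission set (see the GitHub permissions page).
    Invoke-SCuBA -ProductNames '*' -M365Environment $Environment -OutPath $OutPath `
        -AppID '<application-id>' `
        -CertificateThumbprint '<cert-thumbprint>' `
        -Organization 'agency.onmicrosoft.com'
} else {
    # Interactive: ScubaGear prompts for sign-in with an administrator identity
    # that holds the interactive permission set.
    Invoke-SCuBA -ProductNames aad, exo, defender, sharepoint, teams, powerplatform `
        -M365Environment $Environment -OutPath $OutPath
}

# The run writes an HTML report and a machine-readable ScubaResults JSON file
# under $OutPath; keep the JSON, it is the input for tracking deviations.
```

Run it without `-UseServicePrincipal` for a one-off interactive assessment; the service principal path is the one to use from a scheduled task, because no user session is available to satisfy an interactive sign-in prompt.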
Q: Where is the best place to view the Secure Configuration Baselines for M365?
A: The Binding Operational Directive 25-01 Required Configurations website is the best way to see all mandatory M365 configurations within the scope of this Directive. Additionally, the Secure Configuration Baselines are available for download by policy group on the CISA.gov SCuBA Homepage. They can also be found on the ScubaGear GitHub page under the ‘baselines’ folder.
Resources
- SCuBA Homepage
- Slack Channel Registration
- NIST Digital Identity Guidelines
- NIST Cybersecurity Log Management Planning Guide
- CommunityConnect (OMB MAX) SCuBA workshop resource with demo videos and in-depth slides
CommunityConnect serves as a comprehensive resource for all things SCuBA, offering users easy access to key information and tools. It hosts a wide range of training materials, including instructional videos, workshop recordings, demos and detailed slide decks, designed to keep users informed and equipped to use these assessment tools.
Training
- IR113 Implementing SaaS Security Guidelines
- IR213 Implementing SaaS Security Guidelines
- Additional SCuBA training resources will be available in CISA Learning at https://learning.cisa.gov/ later in FY25.
Glossary
Term | Definition |
---|---|
APT | Advanced Persistent Threat |
AO | Authorizing Official |
API | Application Programming Interface |
AWS | Amazon Web Services |
BOD | Binding Operational Directive |
CDM | Continuous Diagnostics and Mitigation |
CI | Critical Infrastructure |
CISA | Cybersecurity and Infrastructure Security Agency |
CLAW | Cloud Log Aggregation Warehouse |
DHS | Department of Homeland Security |
FCEB | Federal Civilian Executive Branch |
FedRAMP | Federal Risk and Authorization Management Program |
GSA | General Services Administration |
IT | Information Technology |
JSON | JavaScript Object Notation |
M365 | Microsoft 365 |
NIST | National Institute of Standards and Technology |
OMB | Office of Management and Budget |
OFCIO | Office of the Federal Chief Information Officer |
Operational Tenants | A Cloud Service Provider’s (CSP’s) environment primarily used by the government to conduct official government business, whether operated by the government or a contractor |
PSGallery | PowerShell Gallery |
Production Tenants | A Cloud Service Provider’s (CSP’s) environment primarily used by the government to conduct official government business, whether operated by the government or a contractor |
RMO | Resource Management Office |
SaaS | Software as a Service |
SCB | Secure Configuration Baseline |
SHALL Policies | “SHALL” is to be interpreted as described in RFC 2119. SHALL is an absolute requirement of the specification. |
SHOULD Policies | “SHOULD” is to be interpreted as described in RFC 2119. “SHOULD” means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. |
SCuBA | Secure Cloud Business Applications |
TALON | Transfer at Location Optimized Node |
TRA | Technical Reference Architecture |
ZT | Zero Trust |
Appendix A: Sample Action Plan.csv Template
Below is an example of the CSV file template referenced in Requirement #6, Section IV. This template helps agencies track why a policy is non-compliant, what will be done to reach compliance and the anticipated date of compliance.
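The following PowerShell is an added example, not part of this Directive's guidance or the ScubaGear project. It reads a ScubaGear results file, applies the Red/Yellow/Gray meaning described in the report FAQ above, and writes every policy that is not Green into an action plan CSV of the kind this appendix describes. The JSON layout (a Results object keyed by product, each holding policy groups with a Controls array carrying "Control ID", "Requirement", "Result", "Criticality" and "Details") is assumed from ScubaGear's ScubaResults output; the sample data is constructed, MS.EXAMPLE.1.1v1 is a placeholder policy ID, and the CSV column names are an assumption because the template itself is not reproduced on this page.

```powershell
# Added example (not CISA guidance or ScubaGear project code).
# Assumption: ScubaResults JSON shaped as Results.<Product>[] -> Controls[] with
# "Control ID", "Requirement", "Result", "Criticality", "Details".
# The JSON below is constructed sample data; MS.EXAMPLE.1.1v1 is a placeholder ID.
$sampleResults = @'
{
  "Results": {
    "AAD": [
      { "GroupName": "Legacy Authentication",
        "Controls": [
          { "Control ID": "MS.AAD.1.1v1",
            "Requirement": "Legacy authentication SHALL be blocked.",
            "Result": "Fail", "Criticality": "Shall",
            "Details": "No conditional access policy blocks legacy authentication." },
          { "Control ID": "MS.AAD.3.7v1",
            "Requirement": "Managed devices SHOULD be required for authentication.",
            "Result": "Warning", "Criticality": "Should",
            "Details": "No conditional access policy requires a managed device." } ] } ],
    "EXO": [
      { "GroupName": "Automatic Forwarding to External Domains",
        "Controls": [
          { "Control ID": "MS.EXO.1.1v1",
            "Requirement": "Automatic forwarding to external domains SHALL be disabled.",
            "Result": "Pass", "Criticality": "Shall",
            "Details": "Requirement met." },
          { "Control ID": "MS.EXAMPLE.1.1v1",
            "Requirement": "Placeholder for a policy ScubaGear cannot evaluate via API.",
            "Result": "N/A", "Criticality": "Shall",
            "Details": "Currently cannot be checked automatically." } ] } ]
  }
}
'@

function Get-ScubaPolicyColor {
    # Maps a control's Result to the report colors described in the FAQ:
    # Green = passed, Red = SHALL not met, Yellow = SHOULD not met,
    # Omitted = agency-omitted policy, Gray = not evaluable via API (manual check).
    param([Parameter(Mandatory)] $Control)
    switch ($Control.Result) {
        'Pass'    { return 'Green' }
        'Fail'    { return 'Red' }
        'Warning' { return 'Yellow' }
        'Omitted' { return 'Omitted' }
        default   { return 'Gray' }
    }
}

function ConvertTo-ActionPlan {
    # Emits one row per non-Green policy. Column names are assumed, not CISA's template.
    param(
        [Parameter(Mandatory)][string] $ResultsJson,
        [string] $Tenant = 'agency.onmicrosoft.com'   # placeholder tenant name
    )
    $data = $ResultsJson | ConvertFrom-Json
    foreach ($product in $data.Results.PSObject.Properties) {
        foreach ($group in $product.Value) {
            foreach ($control in $group.Controls) {
                $color = Get-ScubaPolicyColor -Control $control
                if ($color -eq 'Green') { continue }
                $reason = if ($color -eq 'Gray') { 'Manual check needed: ' + $control.Details }
                          else { $control.Details }
                [PSCustomObject]@{
                    Tenant             = $Tenant
                    Product            = $product.Name
                    PolicyGroup        = $group.GroupName
                    PolicyID           = $control.'Control ID'
                    Criticality        = $control.Criticality
                    Status             = $color
                    Requirement        = $control.Requirement
                    ReasonNonCompliant = $reason
                    PlannedRemediation = ''   # filled in by the agency
                    AnticipatedDate    = ''   # filled in by the agency
                }
            }
        }
    }
}

$plan = ConvertTo-ActionPlan -ResultsJson $sampleResults
$plan | Format-Table Product, PolicyID, Criticality, Status -AutoSize
$plan | Export-Csv -Path (Join-Path $env:TEMP 'ActionPlan.csv') -NoTypeInformation -Encoding UTF8
```

To use it against a real run, replace `$sampleResults` with `Get-Content -Raw` of the ScubaResults JSON that ScubaGear wrote, then fill in the PlannedRemediation and AnticipatedDate columns before submitting. Gray rows are kept deliberately: a policy ScubaGear cannot evaluate still has to be checked by hand and recorded, otherwise the plan silently undercounts the tenant's deviations.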