CISA’s ScubaGear Tool Improves Security for Organizations Using M365 and Surpasses 30,000 Downloads

ScubaGear, a tool developed by the Cybersecurity and Infrastructure Security Agency (CISA) to automatically assess Microsoft 365 (M365) configurations for security gaps, hit a major milestone: more than 30,000 downloads since its debut in October 2022. In fact, downloads significantly increased with the recent release of ScubaGear version 1.3.0 in June 2024.  

Security misconfigurations of settings within Software-as-a-Service (SaaS) tenants can leave the system exposed to exploitation. During the first half of 2024, a major cloud vendor reported that these misconfigurations were found to be the initial access point for 30% of all cloud environment attacks. This is a significant jump from the second half of 2023, which traced 17% of attacks back to these misconfigurations. Avoidable misconfiguration vulnerabilities, such as not enabling multifactor authentication, could result in breaches, compromised data, and damaged customer trust.  

ScubaGear rapidly and thoroughly analyzes an organization’s M365 tenant configuration. It then delivers actionable security change insights and recommendations that allow the tenant administrator to close security gaps and attain a stronger defense within their M365 environment.  

The private sector, critical infrastructure and federal, state, local, tribal, and territorial governments use ScubaGear. The tool’s user-friendly reports map a course of corrective action that organizations can use to quickly identify and mitigate known configuration vulnerabilities, reducing the risk of costly breaches. One ScubaGear user from the Surface Transportation Board noted the assessment tool provided “excellent diagnostics, and the remediation steps outlined in the report were very clear and easy to understand.” 

ScubaGear has been updated nine times since its launch in 2022. Recent enhancements have made it more accessible and user-friendly. The tool is now available on PowerShell Gallery, which eases installation and lowers the user’s required technical skill to install and operate the tool.  

Additionally, the Secure Cloud Business Applications (SCuBA) shared service launched a specific M365 FCEB Slack channel to provide support to federal civilian executive branch (FCEB) agencies, enabling direct communications and real-time assistance. 

To learn more about how your organization can improve the security of its M365 tenant:  

Additional ScubaGear updates are planned for 2024 and beyond to match the pace of vendor updates and, most importantly, to address emerging cloud security issues.