Secure Cloud Business Applications (SCuBA) Project
Description
Secure Cloud Business Applications (SCuBA) provides tailored cloud solutions guidance and secure configuration baselines (SCBs) for Microsoft 365 (M365) and Google Workspace (GWS) applications. SCuBA’s guidance aims to protect information that organizations create, access, share, or store in cloud environments.
CISA established the SCuBA project in 2022 to address cybersecurity and visibility gaps exposed by software-as-a-service (SaaS) cyber intrusions and compromises. Although its primary goal is to help secure Federal Civilian Executive Branch (FCEB) information in cloud environments, all organizations can use SCuBA to strengthen SaaS security.
Additionally, in 2023, CISA introduced ScubaGear for M365 tenants and ScubaGoggles for GWS tenants, two assessment tools designed to reduce the burden on administrators of securing these cloud environments. These tools evaluate an organization’s current M365 and GWS tenant controls against CISA’s SCBs and generate clear, visual reports that highlight areas for security posture improvement.
Microsoft 365 & Google Workspace Secure Configuration Baselines
These secure configuration baselines (SCBs) for Microsoft 365 (M365) and Google Workspace (GWS) provide easily adoptable recommendations that complement an organization’s unique requirements and risk tolerance levels. The baselines include automation features to help federal agencies rapidly assess their M365 and GWS services.
ScubaGear is a no-cost assessment tool that verifies that an M365 tenant’s configuration aligns with the policies described in SCuBA’s secure configuration baselines. CISA has made this tool and the baselines available to all agencies and private sector organizations seeking security improvements. Visit CISA’s GitHub and PowerShell Gallery to view the M365 baselines and download the ScubaGear assessment tool.
ScubaGoggles is a no-cost assessment tool that verifies a GWS organization’s configuration conforms to the policies in SCuBA’s secure configuration baselines. ScubaGoggles provides a breakdown of security vulnerabilities in GWS, allowing organizations to see where changes should be made to their configuration. CISA has made this tool and the baselines available to all agencies and private sector organizations seeking security improvements. Visit CISA’s GitHub to view the GWS baselines and download the ScubaGoggles assessment tool.
Feedback to help refine baselines implementation guidance or assessment tools should be emailed to Cybersharedservices@mail.cisa.dhs.gov.
Microsoft Defender for Office 365
Microsoft SharePoint and OneDrive for Business
The GWS baselines are available to view through GitHub or by clicking the links below:
Hybrid Identity Solutions Guidance
CISA has finalized and released the Hybrid Identity Solutions Guidance. This document is designed to help agencies understand potential options for identity management interoperability between on-premises and cloud-based solutions, the challenges involved in each, and how to address those challenges.
The document is available below.
Hybrid Identity Solutions Guidance
eVRF
In 2023, CISA developed the extensible Visibility Reference Framework (eVRF) to support FCEB organizations in identifying and evaluating visibility in digital environments. The eVRF:
- Provides a threat-informed approach for organizations to prioritize logs that will provide visibility into attack techniques of adversaries that are targeting their environments.
- Helps FCEB organizations identify visibility gaps within their cybersecurity service offerings and products to better inform their detection posture management.
CISA developed the eVRF Program Guidebook to explain the process, scope, and concepts of eVRF. As visibility requirements evolve, CISA will update the eVRF guidebook. Two product-specific workbooks accompany the guidebook. The workbooks enable organizations to focus on their visibility surface and create a visibility coverage map, helping them identify desired or required operational visibility.
eVRF Google Workspace Workbook Overview
eVRF Google Workspace Workbook