When CISA initiated its Secure Cloud Business Applications project, our goal was to elevate the federal government's baseline for email and cloud environments by optimizing the security capabilities available within widely used products and services while enabling operational visibility at the enterprise-level in support of our shared cybersecurity mission.
Today, we are pleased to announce the release of Version 1.0 of CISA's Secure Configuration Baselines for Microsoft 365 along with our ScubaGear tool.
These baselines provide easily adoptable policy configuration recommendations that complement each agency's unique requirements and risk tolerance levels.
These final Baselines have been refined and improved through extensive engagement with partners and from experiences gained from on-the-ground implementation efforts with agencies.
In October 2022, CISA released the draft M365 Secure Configuration Baselines for public comment and received hundreds of responses from public and private sector partners.
In parallel, we conducted a dozen pilot projects at federal agencies to target the adoption of advanced cloud security practices while testing our guidance and recommended configurations in practice.
These pilots demonstrated not only how critical these configuration baselines are to enhancing cybersecurity, but also how valuable it is to have comprehensive guidance to drive cross-organizational adoption in line with enterprise risk management.
Our pilot effort also reinforced how simple the ScubaGear tool is to use, and provided insight into agency resource needs for full adoption.
All participating agency teams were able to adopt a higher security baseline for their M365 email and cloud environments with existing resources, that is, expertise they already had available.
Though these results may vary across organizations, applying the M365 Secure Configuration Baselines is not only essential in this cyber threat environment, but it is a relatively low level of effort for most cyber teams.
In support of our pilot efforts, CISA also released our assessment tool, ScubaGear, to help organizations rapidly assess their M365 services against CISA's recommended policies.
Since launch, ScubaGear has been downloaded over 4,000 times and its results, coupled with our SCuBA Baselines, have helped countless agencies and organizations take meaningful steps forward to elevate their cybersecurity posture.
Based on agency feedback, expert insight, Microsoft product updates, and extensive collaboration from Microsoft and other partners, Version 1.0 of the M365 Secure Configuration Baselines incorporates over 100 modifications to the initial draft.
While the final M365 baselines differ from the draft in meaningful ways, a few key improvements are of note.
Combined SharePoint and OneDrive: To improve usability and functional convenience, we integrated the baselines for SharePoint and OneDrive into one.
Optimized Baselines for Assessment Purposes: Our pilot experience illustrated the need for improved categorization and verification potential to facilitate assessments and implementation planning.
These changes clarified the intent of the baselines, streamlined their implementation, and directly improved the ScubaGear tool.
Focus on Practical Application and Communication: In order to drive progress and adopt an elevated baseline, practitioners and managers need to coordinate.
Where possible, CISA also provided information on the business impact of specific controls to support decision-making.
CISA deliberately designed Project SCuBA to be collaborative, inclusive, and public.
This Cyber News was published on www.cisa.gov. Publication date: Thu, 21 Dec 2023 19:43:05 +0000