CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations’ Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations’ M365 cloud services per CISA’s recommended baselines.

Today’s release incorporates stakeholder input from last year’s public comment period and pilot effort with federal agencies. Changes to the draft Microsoft 365 Secure Configuration Baselines were integrated with the SCuBAGear tool, which is also now more automated to reduce organization effort.

CISA thanks all whose input took this guidance from a series of best practices to actionable policies and made the SCuBAGear tool easier to use.

Organizations are urged to review these baselines and utilize the SCuBAGear tool. For more information, read CISA’s blog and contact CISA’s Cybersecurity Shared Services Office for additional support.