SaaS solutions like Microsoft 365 (M365) give the federal government powerful workplace functionality. However, SaaS solutions have known cybersecurity gaps. To help government entities secure their Microsoft 365 implementations, CISA has introduced ScubaGear. What is ScubaGear, and how can you make it work for you?
Background: SCuBA and the Need to Address Cybersecurity Gaps
By Ahmad Hamed, IT Manager
The Secure Cloud Business Applications (SCuBA) initiative provides tailored cloud security guidance and secure configuration baselines (SCBs) for Microsoft 365 (M365) and Google Workspace (GWS). These baselines help organizations secure data they create, access, share, or store in cloud environments.
Launched by CISA in 2022, SCuBA aims to address cybersecurity gaps exposed by SaaS compromises. Although its initial focus is securing Federal Civilian Executive Branch (FCEB) environments, any organization can benefit from SCuBA to strengthen SaaS security.
SCuBA helps organizations:
- Detect, respond to, and recover from cyber incidents.
- Test and implement secure configurations in M365 and GWS environments.
- Gain visibility into existing SaaS configurations.
- Align with recognized baselines like NIST SP 800-53 and MITRE ATT&CK.
As part of the SCuBA initiative, in 2023, CISA introduced two powerful assessment tools to help organizations evaluate current configurations and generate visual reports identifying misconfigurations and potential improvements. ScubaGoggles is used for Google Workspace, while ScubaGear is intended for Microsoft 365. Let’s take a closer look at ScubaGear and how it is used.
Diving into ScubaGear
What is ScubaGear?
ScubaGear is a free PowerShell-based assessment tool that compares your M365 tenant configuration against CISA’s secure configuration baselines. It enables both public and private sector organizations to identify gaps and improve cloud security postures.
How ScubaGear Works
ScubaGear is delivered as a PowerShell module that:
- Uses the Microsoft Graph API to access M365 tenant settings.
- Compares your configuration against SCuBA baseline documents.
- Can be run in:
– Interactive mode (user-based)
– Non-interactive mode (app-based)
Required Permissions
Before running ScubaGear, ensure the account that will run it holds the directory roles and has been granted the Microsoft Graph permissions listed below.
| Access / Role | Description |
| --- | --- |
| Global Reader | Read-only access to all admin units |
| Power Platform Admin | With “Power Apps for Office 365” license |
| SharePoint Administrator | Admin access to SharePoint |
| Directory.Read.All | Read Entra ID Directory |
| GroupMember.Read.All | Read group members |
| Organization.Read.All | Read org-wide info |
| Policy.Read.All | Read tenant policies |
| RoleManagement.Read.Directory | View role assignments |
| User.Read.All | Read user objects |
| PrivilegedEligibilitySchedule.Read.AzureADGroup | View PIM assignments |
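A preflight check for the interactive (user-based) mode, added here as an example and not part of the article or the ScubaGear project: it requests the delegated Graph scopes from the table, compares them with what the session was actually granted, and lists the directory roles the signed-in account holds. It assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Users) is installed; app-based (non-interactive) runs use application permissions instead and are not covered by this check.

```powershell
# Added example (not from the article or the ScubaGear project).
# Assumes the Microsoft.Graph PowerShell SDK modules are installed.

# Delegated Graph scopes taken from the permissions table above
$requiredScopes = @(
    'Directory.Read.All',
    'GroupMember.Read.All',
    'Organization.Read.All',
    'Policy.Read.All',
    'RoleManagement.Read.Directory',
    'User.Read.All',
    'PrivilegedEligibilitySchedule.Read.AzureADGroup'
)

# Request exactly the scopes ScubaGear needs; an admin may have to consent once.
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

# Compare what was granted with what is required
$context = Get-MgContext
$granted = $context.Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $granted }

if ($missing) {
    Write-Warning ("Missing Graph scopes for $($context.Account): " + ($missing -join ', '))
} else {
    Write-Host "All required Graph scopes granted to $($context.Account)"
}

# Directory roles (Global Reader, SharePoint Administrator, Power Platform Admin)
# are separate from Graph scopes: list the roles the signed-in account holds.
$me = Get-MgUser -UserId $context.Account -Property Id
$roles = Get-MgUserMemberOf -UserId $me.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

if ($roles) {
    Write-Host "Directory roles held: $($roles -join ', ')"
} else {
    Write-Warning "No directory roles found for $($context.Account); ScubaGear will not be able to read all products"
}

Disconnect-MgGraph | Out-Null
```

Run this in the same PowerShell session before `Invoke-SCuBA`; a missing scope or role shows up here as a warning rather than as an opaque provider error part-way through the assessment.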
Supported Products
| Product Name | Mapping |
| --- | --- |
| Entra ID | aad |
| Defender | defender |
| Exchange | exo |
| PowerBI / Power Platform | powerplatform |
| SharePoint and OneDrive | sharepoint |
| Teams | teams |
Surfacing Issues: Generating a M365 Security Baseline Report
To create a Microsoft 365 security recommendations report, follow these steps:
Step 1: Launch PowerShell
PowerShell 5 is required because some of the SharePoint modules are incompatible with PowerShell 7. This may be fixed in a future version. You can run the following command in PowerShell to verify which version you have.
$PSVersionTable.PSVersion
Run PowerShell as Administrator and set execution policy:
Set-ExecutionPolicy Unrestricted
Step 2: Install ScubaGear
Install-Module -Name ScubaGear
Initialize-SCuBA
Invoke-SCuBA -Version
Step 3: Run the Assessment
All products:
Invoke-SCuBA -ProductNames *
Specific product (e.g., Entra ID):
Invoke-SCuBA -ProductNames aad
Multiple products:
Invoke-SCuBA -ProductNames aad,defender
Step 4: View Results
Output will be saved in a folder named like:
M365BaselineConformance_YYYY_MM_DD_HH_MM_SS
| File | Description |
| --- | --- |
| TestResults.json | JSON test results |
| TestResults.csv | CSV format |
| BaseLineReports.html | Interactive HTML report |
| ProviderSettingsExport.json | All exported settings |
| IndividualReports | One report per product |
The report lists each assessed Microsoft product with a count of checks per outcome. Click a product to open its detailed report.

Let’s look at the summary of the Entra ID report. The summary lists every check that was performed and the result of each check:

Report Colors & Interpretation
| Color | Meaning |
| --- | --- |
| 🟢 Green | Passed |
| 🟡 Yellow | Passed with Warnings |
| 🔴 Red | Failed |
| ⚪ Grey | Not Applicable or Requires Manual Review |
Important: Don’t blindly apply fixes to pass the test. Consider the implications of each setting in the context of your organization.
Control Mappings
SCuBA controls are mapped to:
- NIST SP 800-53 rev. 5
- MITRE ATT&CK Framework
Mappings are based on FedRAMP High Baseline. See the provided CSV file:
`scuba-to-nist-sp-800-53-r5-fedramp-high.csv`
Disconnect Session
When finished, disconnect your session:
Disconnect-SCuBATenant
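The four steps above plus the disconnect, as one end-to-end script that also turns TestResults.json into a per-product summary and a list of failed controls to review first. This is an added example, not the article’s own steps or code from the ScubaGear project. Assumptions: `Invoke-SCuBA` accepts `-OutPath` (confirm with `Get-Help Invoke-SCuBA`); TestResults.json is a flat array whose entries carry `PolicyId` (e.g. `MS.AAD.1.1v1`), `RequirementMet`, `Criticality` and `ReportDetails`; and the product token in `PolicyId` lower-cases to the mapping names in the Supported Products table.

```powershell
# Added example (not from the article or the ScubaGear project). Assumed parameter
# and JSON field names are marked below; verify them against your ScubaGear version.

# Step 1: confirm Windows PowerShell 5.x (the SharePoint modules are not PowerShell 7 compatible)
if ($PSVersionTable.PSVersion.Major -ne 5) {
    throw "Run this in Windows PowerShell 5.x; found $($PSVersionTable.PSVersion)"
}

# Step 2: install (only if absent) and initialise ScubaGear
if (-not (Get-Module -ListAvailable -Name ScubaGear)) {
    Install-Module -Name ScubaGear -Scope CurrentUser
}
Import-Module ScubaGear
Initialize-SCuBA

# Step 3: assess a chosen set of products into a known output directory
$products = @('aad', 'defender', 'exo')          # mapping names from the Supported Products table
$outRoot  = Join-Path $env:USERPROFILE 'ScubaReports'
New-Item -ItemType Directory -Path $outRoot -Force | Out-Null
Invoke-SCuBA -ProductNames $products -OutPath $outRoot   # -OutPath: assumed parameter name

# Step 4: find the newest M365BaselineConformance_* folder and read TestResults.json
$run = Get-ChildItem -Path $outRoot -Directory -Filter 'M365BaselineConformance_*' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $run) { throw "No M365BaselineConformance_* folder found under $outRoot" }

$results = Get-Content -Path (Join-Path $run.FullName 'TestResults.json') -Raw | ConvertFrom-Json

# Normalise each entry. Assumed fields: PolicyId, RequirementMet, Criticality, ReportDetails.
# Product is derived from the second token of PolicyId (MS.AAD.1.1v1 -> aad), an assumption.
$summary = foreach ($r in $results) {
    [pscustomobject]@{
        Product     = (($r.PolicyId -split '\.')[1]).ToLower()
        PolicyId    = $r.PolicyId
        Criticality = $r.Criticality
        Passed      = [bool]$r.RequirementMet
        Details     = $r.ReportDetails
    }
}

# Per-product counts: mirrors the numbers on the report landing page
$summary | Group-Object Product | ForEach-Object {
    $failed = @($_.Group | Where-Object { -not $_.Passed }).Count
    '{0,-14} checks={1,3} failed={2,3}' -f $_.Name, $_.Count, $failed
}

# Failed "Shall" controls first; weigh each setting's impact before changing anything
$summary |
    Where-Object { -not $_.Passed -and $_.Criticality -like 'Shall*' } |
    Sort-Object Product, PolicyId |
    Format-Table Product, PolicyId, Criticality, Details -AutoSize -Wrap

# Disconnect when done
Disconnect-SCuBATenant
```

Because the output folder is timestamped, keeping `$outRoot` fixed and selecting the newest run makes the script safe to re-run on a schedule, and the JSON summary can be diffed between runs to spot configuration drift without opening the HTML report.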
Conclusion
ScubaGear is a powerful tool to evaluate your M365 security posture. Security is not one-size-fits-all, but using ScubaGear thoughtfully helps ensure your alignment with CISA’s SCuBA baselines, improves visibility, and supports continuous cloud hardening. It’ll help keep your head above water when it comes to M365 security issues.
Learn more about cybersecurity from Acuity’s experts in “Busting Through the Myths Surrounding Zero Trust.”