04-10 - CISA Security Configuration Baselines (SCuBA) Hardening

This section covers the CISA Security Configuration Baseline Assessment (SCuBA) hardening guides for multiple Microsoft 365 services. Each subsection links to the official CISA hardening guide with additional configuration steps where applicable.


Task 04 - CISA SharePoint & OneDrive Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft SharePoint & OneDrive | CISA


Task 05 - CISA Exchange Online Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Exchange Online | CISA

Additional Configuration Steps

  1. Your DMARC record is already good to go - it was set up earlier during onboarding

  2. Create a shared mailbox within the client's Exchange Online Admin Portal:

    • Email: dmarc@clientsdomain.us
    • Assign access to the Admin/MSP Team

  3. Create another shared mailbox within the client's Exchange Online Admin Portal:

    • Email: secops@clientsdomain.us
    • Display name: Security Operations
    • Assign access to the Admin/MSP Team
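The same two shared mailboxes can be created from Exchange Online PowerShell instead of the Admin Portal, which is useful when onboarding several clients. This is an added example, not part of the CISA guide or this page; the domain, the admin/MSP group name and the "DMARC Reports" display name are placeholders/assumptions, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: create the Task 05 shared mailboxes and grant the admin/MSP team access.
# ASSUMPTIONS: $Domain and $AdminGroup are placeholders; $AdminGroup must be a
# mail-enabled security group. The ExchangeOnlineManagement module must be installed.
$Domain     = 'clientsdomain.us'               # client's verified domain (placeholder)
$AdminGroup = 'MSP-Admins@clientsdomain.us'    # admin/MSP team group (assumed name)

Connect-ExchangeOnline -ShowBanner:$false

$Shared = @(
    @{ Name = 'DMARC Reports';       Address = "dmarc@$Domain"  },   # display name assumed
    @{ Name = 'Security Operations'; Address = "secops@$Domain" }    # display name from the task
)

foreach ($mb in $Shared) {
    # Idempotent: only create the mailbox if it does not already exist
    if (-not (Get-Mailbox -Identity $mb.Address -ErrorAction SilentlyContinue)) {
        New-Mailbox -Shared -Name $mb.Name -DisplayName $mb.Name -PrimarySmtpAddress $mb.Address | Out-Null
        Write-Host "Created shared mailbox $($mb.Address)"
    }
    # Full Access for the team; AutoMapping off so Outlook does not attach it to every member
    Add-MailboxPermission -Identity $mb.Address -User $AdminGroup -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false | Out-Null
    # Send As so the team can reply from the mailbox address (e.g. secops@)
    Add-RecipientPermission -Identity $mb.Address -Trustee $AdminGroup -AccessRights SendAs -Confirm:$false | Out-Null
}

# Check: the DMARC record set up during onboarding should send aggregate (rua) reports
# to the new dmarc@ mailbox, otherwise the mailbox will stay empty.
$dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
if ($dmarc -match "rua=mailto:dmarc@$([regex]::Escape($Domain))") {
    Write-Host "DMARC rua points at dmarc@$Domain"
} else {
    Write-Warning "DMARC rua does not reference dmarc@$Domain - current record: '$dmarc'"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once per client; rerunning is safe because existing mailboxes are skipped and the permission cmdlets only re-apply the same grants.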

Task 06 - CISA Microsoft Teams Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Teams | CISA


Task 07 - CISA Microsoft Defender for M365 Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Defender for Office 365 | CISA


Task 08 - CISA Microsoft Power BI Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Power BI | CISA


Task 09 - CISA Microsoft Power Platform Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Power Platform | CISA


Task 10 - CISA Microsoft Entra ID Hardening

Follow the CISA SCuBA Hardening Guide: Microsoft Entra ID | CISA

NOTE: Conditional Access policies are created in a separate task in this guide, so don't create any from this CISA guide!

NOTE: During the Enterprise Application 'Consent Review Group' step, use the group you created earlier for this purpose.


Overview of CISA SCuBA

The Security Configuration Baseline Assessment (SCuBA) project provides:

  • Baseline policies for secure configuration of M365 services
  • Assessment tools to verify compliance with baselines
  • Hardening guides with step-by-step implementation instructions
  • Automated testing scripts to validate configurations

Implementation Approach

  1. Review each guide before implementation
  2. Document deviations from baseline (if any) with business justification
  3. Test configurations in a non-production environment first (where possible)
  4. Implement gradually to minimize service disruption
  5. Validate with SCuBA tools after implementation

Key Areas Covered

  • SharePoint & OneDrive: Sharing settings, external access, file handling
  • Exchange Online: Email security, spam filtering, malware protection
  • Teams: External access, guest settings, meeting policies
  • Defender for M365: Threat policies, safe links, safe attachments
  • Power BI: Tenant settings, sharing and export controls
  • Power Platform: DLP policies, environment security
  • Entra ID: Authentication methods, security defaults, identity protection

Completion Checklist

Use this checklist to track your CISA hardening progress:

  • Task 04 - SharePoint & OneDrive hardening complete
  • Task 05 - Exchange Online hardening complete (including shared mailboxes)
  • Task 06 - Teams hardening complete
  • Task 07 - Defender for M365 hardening complete
  • Task 08 - Power BI hardening complete
  • Task 09 - Power Platform hardening complete
  • Task 10 - Entra ID hardening complete (excluding CA policies)

Related tasks covered elsewhere in this guide:

  • Task 14 - Conditional Access Policies: Implements additional Entra ID security controls beyond the CISA baseline
  • Task 11 - Microsoft Defender Platform: Configures endpoint protection and cloud app security
  • Task 16 - SharePoint Online Sites: Implements CUI-specific SharePoint configuration

Notes

  • CISA guides are updated periodically - check for the latest version before starting
  • Some recommendations may conflict with CMMC requirements - prioritize CMMC compliance
  • Document all configuration changes for audit purposes
  • Run the SCuBA assessment tools before audits to confirm the tenant still matches the baselines