CISA Requests for Comment on Microsoft 365 Security Configuration Baselines

Original release date: October 20, 2022

CISA has issued requests for comment (RFCs) on eight Microsoft 365 security configuration baselines as part of the Secure Cloud Business Application (SCuBA) project to secure federal civilian executive branch agencies’ (FCEB) cloud environments. The baselines:
•    Build on and integrate previous security configuration baselines developed by the Federal Chief Information Officers Council’s Cyber Innovation Tiger Team (CITT).
•    Initiate a series of pilot efforts to advance cloud security practices across the FCEB. 
•    Aim to enhance the security of FCEB cloud business application environments through additional configurations, settings, and security products. 

Visit and CISA’s SCuBA GitHub page for more information and to review the baselines. The RFC period is open until Nov. 24, 2022. CISA is specifically requesting insight on the feasibility, clarity, and usefulness of the baselines. Comments should be submitted to:

This product is provided subject to this Notification and this Privacy & Use policy.