
CISA Finalizes SCuBA Cloud Security Reference Architecture — December 13, 2023

The Secure Cloud Business Applications (SCuBA) project released its final zero trust reference architecture guidance for Microsoft 365 tenants.


Overview

On , CISA announced the final Secure Cloud Business Applications (SCuBA) Technical Reference Architecture. Read alongside the companion SCuBA Microsoft 365 Secure Configuration Baselines, the guidance gives federal agencies and critical infrastructure organizations prescriptive configuration settings, logging requirements, and security controls for Microsoft 365 environments that are implementing zero trust architectures.

SCuBA Program Background

The Secure Cloud Business Applications (SCuBA) project emerged from CISA's broader efforts to secure federal cloud environments:

  • Origin: SCuBA was initiated following high-profile cloud compromises affecting federal agencies, including the SolarWinds supply chain attack and subsequent cloud-focused intrusions.
  • Development process: CISA collaborated with Microsoft, federal agencies, and security researchers to develop practical, implementable configuration guidance.
  • Draft feedback: The final release incorporates feedback from federal partners and private sector organizations that piloted draft configurations.
  • Zero trust alignment: SCuBA directly supports the federal zero trust strategy set out in OMB M-22-09, which implements Executive Order 14028.

Architecture Components

The Technical Reference Architecture covers key Microsoft 365 services with detailed security configurations:

  • Azure Active Directory (now Microsoft Entra ID): Identity and access management configurations including conditional access policies, privileged identity management, authentication methods, and directory security settings.
  • Exchange Online: Email security configurations covering anti-phishing protection, malware filtering, data loss prevention, message encryption, and transport rules.
  • SharePoint Online: Document management security including sharing settings, external access controls, information barriers, and sensitivity labels.
  • OneDrive for Business: Personal storage security configurations addressing sync settings, sharing controls, and data protection policies.
  • Microsoft Teams: Collaboration security covering guest access, meeting policies, app permissions, and channel configurations.
  • Microsoft Defender: Threat protection configurations for Defender for Office 365, Defender for Endpoint integration, and security alerting.

Zero Trust Control Mapping

SCuBA maps configurations to the five pillars of federal zero trust strategy:

  • Identity: Multi-factor authentication requirements, conditional access policies, privileged access management, and identity governance configurations.
  • Devices: Device compliance requirements, endpoint detection integration, and managed device policies for accessing M365 resources.
  • Networks: Network security configurations including safe links, firewall policies, and secure connectivity requirements.
  • Applications: Application security settings, OAuth app governance, third-party app restrictions, and cloud app security integration.
  • Data: Data classification, sensitivity labeling, data loss prevention rules, information barriers, and encryption requirements.

Configuration Baselines

The reference architecture provides specific configuration recommendations organized by security impact. In the published baselines each requirement carries a policy identifier and is stated as SHALL (must be implemented) or SHOULD (recommended), which is the distinction the tiers below reflect:

  • Critical configurations: Settings that must be implemented to address known attack vectors and high-severity vulnerabilities.
  • Recommended configurations: Best practice settings that significantly improve security posture but may require organizational adjustment.
  • Conditional configurations: Settings that depend on organizational requirements, risk tolerance, or specific use cases.
  • Legacy considerations: Guidance for organizations with legacy applications or hybrid environments requiring compatibility accommodations.

Logging and Monitoring Requirements

SCuBA specifies the logging configurations needed to support threat detection and incident response:

  • Unified Audit Log: Enable and retain unified audit logs capturing user and administrator activities across all M365 services.
  • Azure AD Sign-in Logs: Capture authentication events including successful logins, failures, conditional access results, and risk detections.
  • Azure AD Audit Logs: Track directory changes, group modifications, application consent grants, and administrative actions.
  • Defender Telemetry: Configure Defender for Office 365 and Defender for Endpoint alerts for security operations integration.
  • Retention requirements: Audit logs must be retained for at least the period required by OMB M-21-31 (12 months in active storage followed by 18 months in cold storage) to support incident investigations and threat hunting; note that default Microsoft 365 audit retention is shorter, so retention policies must be configured explicitly.

How to implement

If your organization runs Microsoft 365, follow a structured approach to SCuBA implementation:

  • Baseline assessment: Compare existing tenant configurations against SCuBA baselines to identify gaps and deviations.
  • Prioritization: Address critical configurations first, particularly those related to identity protection and known attack vectors.
  • Testing: Implement changes in test environments or pilot groups before broad deployment to identify compatibility issues.
  • Change management: Document configuration changes and obtain appropriate approvals per organizational change management processes.
  • Validation: Verify configurations are correctly applied using CISA's ScubaGear assessment tool, Microsoft Secure Score, or manual review, and re-run the assessment after every change so drift from the baseline is caught early.

Federal Compliance Applications

Federal agencies can use SCuBA for multiple compliance objectives:

  • OMB M-22-09: SCuBA configurations directly support federal zero trust strategy milestones required by the Office of Management and Budget.
  • CDM program: Continuous Diagnostics and Mitigation program participants can use SCuBA baselines for cloud asset management.
  • FedRAMP: SCuBA configurations align with FedRAMP High baseline controls for cloud service security.
  • BOD compliance: Organizations subject to CISA binding operational directives can use SCuBA to show compliance with cloud security requirements.

Private Sector Applicability

While developed for federal agencies, SCuBA provides significant value for private sector organizations:

  • Configuration reference: SCuBA serves as an authoritative baseline for organizations seeking to harden Microsoft 365 deployments.
  • Audit evidence: Documented alignment with SCuBA baselines shows security due diligence for regulators and auditors.
  • Incident prevention: Configurations address attack vectors observed in recent cloud-focused compromises affecting both public and private organizations.
  • Vendor alignment: SCuBA represents Microsoft-validated configurations developed in partnership with the platform vendor.

Tools and Resources

CISA provides supporting resources to assist SCuBA implementation:

  • SCuBA Technical Reference Architecture PDF with complete configuration details
  • ScubaGear, CISA's open-source assessment tool, for automated comparison of a Microsoft 365 tenant against the baselines
  • Implementation guides with step-by-step configuration instructions
  • Frequently asked questions addressing common setup challenges

Summary

The final SCuBA Technical Reference Architecture is a significant resource for organizations securing Microsoft 365 environments. Its prescriptive configuration baselines, logging requirements, and zero trust alignment give actionable guidance both to federal agencies meeting compliance mandates and to private sector organizations seeking to improve their cloud security posture. Organizations running Microsoft 365 should systematically assess their current configurations against the SCuBA baselines and focus remediation on high-risk deviations.


Further reading

  1. CISA Releases Final SCuBA Technical Reference Architecture
  2. SCuBA Technical Reference Architecture
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization