CISA Just Gave MSPs a Microsoft 365 Blueprint

  • Patrick Albert
  • Sep 25
  • 3 min read

What is ScubaGear?

The Cybersecurity and Infrastructure Security Agency (CISA) has published a hardening baseline for Microsoft 365 called ScubaGear.


It’s not a whitepaper or a conceptual checklist. ScubaGear is a tactical set of configuration checks designed to help organizations secure Microsoft 365 tenants against real threats. It includes tools to run assessments, generate a score, and take action.

ScubaGear helps MSPs and security teams align their configuration with a credible standard built specifically for cloud productivity environments.


Why CISA’s Voice Matters

CISA is the U.S. federal agency tasked with protecting national infrastructure from cyber threats. They created Shields Up, KEV alerts, and other trusted frameworks used across both the public and private sector.


CISA does not sell licenses or products. Their guidance is threat-informed and purpose-built to reduce risk. For MSPs, this makes ScubaGear a rare tool — one that provides external validation and a defensible baseline to anchor client conversations and justify action.


Why Secure Score Isn’t Enough

Microsoft’s Secure Score is widely known but inherently limited. It attempts to balance security with usability, licensing tiers, and product promotion. Some recommendations require premium SKUs, while others include tradeoffs that Microsoft leaves up to the user.


ScubaGear flips that lens. It assumes the tenant is a target and applies a security-first posture. Its assessments are pass or fail — not partial credit — and focused purely on risk reduction. Secure Score gives you a number. ScubaGear gives you a defensible answer.


Why This Matters Now

Microsoft 365 is everywhere. Over 345 million users rely on it every day, and attackers know it. Despite improvements, many tenants remain misconfigured — often due to defaults, old policies, or unclear responsibility.

  • 82% of breaches involve the human element (Verizon DBIR 2024)

  • Only 26% of SMBs enforce MFA across all cloud services (Datto SMB Security Report)

  • More than 80% of tenants still have legacy authentication enabled (Proofpoint Cloud Threat Report)


ScubaGear provides structure and clarity to help reduce these risks.


How to Use ScubaGear

You can get started right away:

  1. Read the Baseline. Explore the ScubaGear GitHub repository to view the full list of configuration controls. The baseline is published in both JSON and readable formats.

  2. Run the Assessment. Use CISA’s official PowerShell script to assess a tenant. The script will produce a score out of 100 and list which controls passed or failed. Results can be exported in JSON or CSV format for reporting.

  3. Review the Score and Findings. Start by focusing on the failed controls. These are real, actionable risks and often quick to fix.

Here’s an example of what a finding looks like:

Control ID: SCB-002  
Name: Enable Mailbox Audit Logging  
Result: FAIL  
Recommendation: Run 'Set-Mailbox -AuditEnabled $true' for all user mailboxes  
Risk: Without audit logging, suspicious activity may go undetected  

These findings are practical and concrete. You can fix many of them in minutes.


  4. Educate Clients. Use the results as part of onboarding, QBRs, or monthly service reporting. They help explain why changes are needed and show that you are following a national-level security framework.
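
The sample finding above recommends enabling mailbox audit logging. The PowerShell below is an added example, not code from the original post or from ScubaGear: it lists the mailboxes that still have auditing off and previews the change before applying it. The function names `Get-AuditLoggingGap` and `Enable-AuditLogging` and the sample mailbox objects are constructed for illustration; the live-tenant lines assume the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session.

```powershell
# Added example. Function names are hypothetical; sample data is constructed.

function Get-AuditLoggingGap {
    # Takes mailbox objects (the shape Get-Mailbox returns) from the pipeline
    # and emits only those where per-mailbox auditing is off.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Mailbox
    )
    process {
        if (-not $Mailbox.AuditEnabled) {
            [pscustomobject]@{
                UserPrincipalName = $Mailbox.UserPrincipalName
                RecipientType     = $Mailbox.RecipientTypeDetails
                AuditEnabled      = [bool]$Mailbox.AuditEnabled
            }
        }
    }
}

function Enable-AuditLogging {
    # Wraps Set-Mailbox so -WhatIf / -Confirm work and every change is explicit.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $UserPrincipalName
    )
    process {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable mailbox audit logging')) {
            Set-Mailbox -Identity $UserPrincipalName -AuditEnabled $true
        }
    }
}

# Constructed sample objects so the logic can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   RecipientTypeDetails = 'UserMailbox';   AuditEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'ap@contoso.example';    RecipientTypeDetails = 'SharedMailbox'; AuditEnabled = $false }
)

# Preview only: -WhatIf reports bob@ and ap@ and never calls Set-Mailbox.
$sample | Get-AuditLoggingGap | Enable-AuditLogging -WhatIf

# Against a live tenant (after Connect-ExchangeOnline):
#   Get-OrganizationConfig | Select-Object AuditDisabled   # tenant-wide switch; should be False
#   Get-Mailbox -ResultSize Unlimited | Get-AuditLoggingGap | Enable-AuditLogging -WhatIf
```

Drop `-WhatIf` from the live pipeline only after reviewing the preview, then re-run the assessment to confirm the control passes.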


Final Thought

Most Microsoft 365 tenants still contain hidden risks. Even when MFA is in place, it’s common to find:

  • Legacy authentication still allowed

  • Audit logging turned off

  • Insecure guest sharing

  • Admin roles with excessive permissions


If you manage Microsoft 365 tenants, this is worth your attention.


Next Steps: From One-Off Assessment to Scalable Practice

Running ScubaGear manually is a strong start. But managing dozens of tenants, detecting configuration drift, and responding to findings at scale takes more than scripts and spreadsheets.


That’s where solutions like ThreatMate step in. We help MSPs automate ScubaGear assessments, monitor configuration changes over time, and provide a centralized view across all clients. More on that soon!


Learn more on threatmate.com

 
 