ScubaGear is an assessment tool that verifies that a Microsoft 365 (M365) tenant’s configuration conforms to the policies described in the Secure Cloud Business Applications (SCuBA) Secure Configuration Baseline documents.
Note
This documentation can be read using GitHub Pages.
ScubaGear is for M365 administrators who want to assess their tenant environments against CISA Secure Configuration Baselines.
ScubaGear uses a three-step process:
- Step One - PowerShell code queries M365 APIs for various configuration settings.
- Step Two - It then calls Open Policy Agent (OPA) to compare these settings against Rego security policies written per the baseline documents.
- Step Three - Finally, it reports the results of the comparison as HTML, JSON, and CSV.
SCuBA controls have been mapped to both NIST SP 800-53 and the MITRE ATT&CK framework.
-
- Microsoft Entra ID: Identity and access management policies
- Defender: Advanced threat protection settings
- Exchange Online: Email security and compliance configurations
- Power BI: Cloud-based data visualization tool security settings
- Power Platform: Low-code application security settings
- SharePoint: Document collaboration and access controls
- Teams: Communication and meeting security policies
- HTML Reports: Interactive, user-friendly compliance reports. See SAMPLE: Baselinereports.html
- JSON Output: Structured results for reporting and parsing. See SAMPLE: ScubaResults.json
- CSV Export: Spreadsheet-compatible data for analysis. See SAMPLE: ScubaResults.csv
Before launching ScubaGear, it's important to ensure your environment is properly configured. This includes having the necessary dependencies and permissions in place.
Please review the prerequisites section to verify that your system meets all requirements. This will help avoid errors during execution and ensure a smooth experience when using ScubaGear.
ScubaGear can be run multiple times to properly evaluate baseline settings.
-
First Run (No Configuration File): Start ScubaGear without a configuration file. This initial run generates a baseline template of your environment's current settings. It does not make changes but helps you understand the default posture.
-
Subsequent Runs (With Configuration File): After reviewing and editing the generated configuration file, run ScubaGear again with the configuration file as input. This allows ScubaGear to compare your intended settings against the actual environment and elevate discrepancies accordingly.
Important
ScubaGear has specific prerequisites and relies on defined configuration values to properly evaluate your Microsoft 365 tenant. After your initial assessment run, review the results thoroughly. Address any identified gaps by updating your tenant configuration or documenting risk acceptances in a YAML configuration file using exclusions, annotations, or omissions. Refer to the sections below for detailed guidance.
This iterative approach ensures ScubaGear is aligned with your environment and that all policy evaluations are based on your customized baseline.
To install ScubaGear from PSGallery, open a PowerShell 5 terminal on a Windows computer and install the module:
# Install ScubaGear
Install-Module -Name ScubaGear# Install the minimum required dependencies
Initialize-SCuBA# Check the version
Invoke-SCuBA -Version# Assess all products (basic command)
Invoke-SCuBA -ProductNames *ScubaGear uses a YAML configuration file to define how your environment should be evaluated. This file serves several important purposes:
- Customization – Specify which products, baselines, and rules apply to your environment.
- Configuration Mapping – Align ScubaGear’s policies with your tenant’s current settings.
- Risk Acceptance – Document intentional deviations from baselines using exclusions, annotations, or omissions.
- Traceability – Maintain a clear record of accepted risks and policy decisions for audits or internal reviews.
- Repeatability – Run consistent assessments over time or across environments using the same configuration.
Important
Without a properly defined YAML file, ScubaGear will assume a default configuration that may not reflect your organization’s actual policies or risk posture. It is required if the usage is for CISA's Binding Operational Directive (BOD) 25-01
Tip
full_config.yaml is included to help you get started. This file should be customized to reflect your tenant’s unique configuration before using it with the ScubaGear module.
When running Invoke-SCuBA for BOD 25-01 submissions:
# Run with a configuration file
Invoke-SCuBA -ConfigFilePath "path/to/your/config.yaml" -Organization 'example.onmicrosoft.com'For all other instances:
# Run with a configuration file (no-BOD)
Invoke-SCuBA -ConfigFilePath "path/to/your/config.yaml" -SilenceBODWarnings- Configuration File - YAML-based configuration
- Parameters Reference - Command-line options
- ScubaConnect - ScubaConnect is cloud-native infrastructure, developed by CISA, that automates the execution of assessment tools ScubaGear and ScubaGoggles.
Unless otherwise noted, this project is distributed under the Creative Commons Zero license. With developer approval, contributions may be submitted with an alternate compatible license. If accepted, those contributions will be listed herein with the appropriate license.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}
