
CISA SCuBA M365 Security Configuration Baselines

Official / Regulatory

U.S. federal security baselines for Microsoft 365, developed by CISA as part of the Secure Cloud Business Applications (SCuBA) project.


108 controls | 87 auto-remediable | 6 domains (Exchange, Entra ID, Teams, Defender, Purview, SharePoint)

Exchange (35 controls)

CISA-MS.EXO.1.1: Auto-forwarding to external domains disabled
Severity: critical. Auto-remediable.
Mappings: CISA MS.EXO.1.1; CIS 6.2.1; NIST AC-4; NIST CM-6; ISO27001 A.5.14; ISO27001 A.8.22; ISO27001 A.8.23; ISO27001 A.8.9; CSF DE.AE-1; CSF ID.AM-3; CSF PR.AC-5; CSF PR.DS-5; CSF PR.IP-1; GDPR Art.25; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.7; 405D 1.M.A

CISA-MS.EXO.2.1: SPF record configured for all accepted domains
Severity: high. Not auto-remediable.
Mappings: CISA MS.EXO.2.1; CIS 6.3.1; SOC2 CC6.6; NIST AC-2; NIST CM-10; NIST CM-11; NIST SC-18; NIST SI-8; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.5.32; ISO27001 A.8.19; ISO27001 A.8.2; CSF DE.CM-3; CSF DE.CM-4; CSF DE.CM-5; CSF PR.AC-4; GDPR Art.32; GDPR Art.5(1)(f); 405D 1.M.A

CISA-MS.EXO.2.2: DKIM signing enabled for all accepted domains
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.2.2; CIS 6.3.2; NIST SI-8; SOC2 CC6.6; ISO27001 A.8.23; CSF DE.CM-4; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.2.3: DMARC policy set to reject or quarantine
Severity: high. Not auto-remediable.
Mappings: CISA MS.EXO.2.3; CIS 6.3.3; NIST SI-8; SOC2 CC6.6; ISO27001 A.8.23; CSF DE.CM-4; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.3.1: SMTP AUTH disabled globally
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.3.1; CIS 6.1.3; NIST AC-1; NIST AC-2; NIST AC-2(1); NIST AU-12; NIST AU-2; NIST AU-7; NIST SC-8; ISO27001 A.5.1; ISO27001 A.5.10; ISO27001 A.5.14; ISO27001 A.5.15; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.5.2; ISO27001 A.5.31; ISO27001 A.5.33; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.8.15; ISO27001 A.8.2; ISO27001 A.8.20; ISO27001 A.8.26; CSF DE.CM-1; CSF DE.CM-3; CSF DE.CM-7; CSF PR.AC-3; CSF PR.AC-4; CSF PR.DS-2; CSF PR.PT-1; CSF RS.AN-3; GDPR Art.24; GDPR Art.32; GDPR Art.33; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.7; SOC2 CC7.2

CISA-MS.EXO.4.1: Mailbox auditing enabled by default
Severity: critical. Auto-remediable.
Mappings: CISA MS.EXO.4.1; CIS 6.5.1; NIST AC-17(2); NIST IA-5; NIST IA-5(1); NIST SC-8; NIST SC-8(1); NIST SI-2; NIST SI-8; NIST SR-11; ISO27001 A.5.10; ISO27001 A.5.14; ISO27001 A.5.16; ISO27001 A.5.17; ISO27001 A.5.33; ISO27001 A.6.8; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.32; ISO27001 A.8.8; CSF DE.CM-4; CSF ID.RA-1; CSF PR.AC-1; CSF PR.AC-6; CSF PR.AC-7; CSF PR.DS-2; CSF PR.IP-12; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.2; SOC2 CC6.6; SOC2 CC6.7

CISA-MS.EXO.4.2: The DMARC message rejection option SHALL be p=reject.
Severity: high. Not auto-remediable.
Mappings: CISA MS.EXO.4.2; 405D 1.M.A

CISA-MS.EXO.4.3: The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.4.3; 405D 1.M.A

CISA-MS.EXO.5.1: Calendar sharing with external users restricted
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.5.1; CIS 6.4.1; NIST AC-1; NIST AC-2; NIST AC-2(1); NIST AU-6; NIST AU-6(1); NIST AU-7(1); NIST CM-7; ISO27001 A.5.1; ISO27001 A.5.15; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.5.2; ISO27001 A.5.25; ISO27001 A.5.31; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.6.8; ISO27001 A.8.15; ISO27001 A.8.19; ISO27001 A.8.2; CSF DE.AE-2; CSF DE.AE-3; CSF DE.CM-3; CSF DE.DP-4; CSF ID.SC-4; CSF PR.AC-3; CSF PR.AC-4; CSF PR.IP-1; CSF PR.PT-1; CSF PR.PT-3; CSF RS.AN-1; CSF RS.CO-2; GDPR Art.24; GDPR Art.32; GDPR Art.33; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC7.2

CISA-MS.EXO.6.1: Contact sharing with external users restricted
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.6.1; CIS 6.4.2; SOC2 CC6.1; NIST AC-3; NIST SC-7(10)(a); ISO27001 A.5.15; ISO27001 A.5.33; ISO27001 A.8.18; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF PR.AC-4; CSF PR.PT-3; GDPR Art.32; GDPR Art.5(1)(f)

CISA-MS.EXO.6.2: Calendar details SHALL NOT be shared with all domains.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.6.2

CISA-MS.EXO.7.1: External sender identification enabled in Outlook
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.7.1; CIS 6.5.2; SOC2 CC6.8; NIST CM-6; NIST SI-8; ISO27001 A.8.9; CSF DE.CM-4; CSF PR.IP-1; GDPR Art.25; GDPR Art.32

CISA-MS.EXO.9.1: Common attachment type filter enabled in malware policy
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.9.1; CIS 6.5.4; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.9.2: Malware filter internal sender notifications configured
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.9.2; CIS 6.5.5; NIST SI-3; SOC2 CC7.3; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32

CISA-MS.EXO.9.3: Disallowed file types SHALL be determined and enforced.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.9.3

CISA-MS.EXO.9.4: Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.9.4; 405D 1.M.A

CISA-MS.EXO.9.5: At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.9.5

CISA-MS.EXO.10.1: Outbound spam notification configured
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.10.1; CIS 6.5.6; NIST SI-3; SOC2 CC7.3; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.10.2: Emails identified as containing malware SHALL be quarantined or dropped.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.10.2

CISA-MS.EXO.10.3: Email scanning SHALL be capable of reviewing emails after delivery.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.10.3

CISA-MS.EXO.11.1: Connection filter IP allow list is empty
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.11.1; CIS 6.5.7; NIST SC-7; SOC2 CC6.6; ISO27001 A.5.14; ISO27001 A.8.16; ISO27001 A.8.20; ISO27001 A.8.22; ISO27001 A.8.23; CSF DE.CM-1; CSF PR.AC-5; CSF PR.DS-5; CSF PR.PT-4; GDPR Art.32; GDPR Art.33; GDPR Art.5(1)(f); 405D 1.M.A

CISA-MS.EXO.11.2: User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.11.2

CISA-MS.EXO.11.3: The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.11.3

CISA-MS.EXO.12.1: Anti-phishing impersonation protection enabled
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.12.1; CIS 6.5.8; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.12.2: Safe lists SHOULD NOT be enabled.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.12.2

CISA-MS.EXO.13.1: Inbound anti-spam high confidence action set
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.13.1; CIS 6.5.9; SOC2 CC6.8; ISO27001 A.8.7; NIST AU-12c; GDPR Art.32; 405D 1.M.A

CISA-MS.EXO.14.1: A spam filter SHALL be enabled.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.14.1

CISA-MS.EXO.14.2: Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.14.2

CISA-MS.EXO.14.3: Allowed domains SHALL NOT be added to inbound anti-spam protection policies.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.14.3; 405D 1.M.A

CISA-MS.EXO.14.4: If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.14.4

CISA-MS.EXO.15.1: URL comparison with a block-list SHOULD be enabled.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.15.1; 405D 1.M.A

CISA-MS.EXO.15.2: Direct download links SHOULD be scanned for malware.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.15.2

CISA-MS.EXO.15.3: User click tracking SHOULD be enabled.
Severity: medium. Auto-remediable.
Mappings: CISA MS.EXO.15.3

CISA-MS.EXO.16.1: Alerts SHALL be enabled.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.16.1

CISA-MS.EXO.16.2: Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.16.2; 405D 8.M.A
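The following script is an added example, not code from this page, from CISA, or from CISA's ScubaGear assessment tool. It reads the Exchange Online settings behind several of the controls above (auto-forwarding, SMTP AUTH, mailbox and unified auditing, the connection-filter allow list, external sender tagging, the common attachment filter, DKIM) and checks SPF and DMARC in public DNS for every authoritative accepted domain, including the p=reject and reports@dmarc.cyber.dhs.gov requirements. It assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session and a Windows host for Resolve-DnsName; the Add-Result helper and the $results list are the example's own names.

```powershell
# Added example (not from the page or from CISA). Read-only Exchange Online checks.
# Assumes Connect-ExchangeOnline has already been run and that Resolve-DnsName
# (Windows DnsClient module) is available for the SPF/DMARC lookups.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Auto-forwarding: both the default remote domain ("*") and every outbound spam
# policy must disallow it. AutoForwardingMode "Automatic" defers to the remote
# domain setting, so only an explicit "Off" is treated as a pass here.
$defaultRemote = Get-RemoteDomain | Where-Object { $_.DomainName -eq '*' }
Add-Result 'Auto-forward (remote domain *)' (-not $defaultRemote.AutoForwardEnabled) "AutoForwardEnabled=$($defaultRemote.AutoForwardEnabled)"
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    Add-Result "Auto-forward (outbound policy $($p.Name))" ($p.AutoForwardingMode -eq 'Off') "AutoForwardingMode=$($p.AutoForwardingMode)"
}

# SMTP AUTH disabled tenant-wide. A per-mailbox SmtpClientAuthenticationDisabled
# value can still re-enable it for individual users; Get-CASMailbox shows those.
$tc = Get-TransportConfig
Add-Result 'SMTP AUTH disabled' ($tc.SmtpClientAuthenticationDisabled -eq $true) "SmtpClientAuthenticationDisabled=$($tc.SmtpClientAuthenticationDisabled)"

# Mailbox auditing on by default, and unified audit log ingestion on.
$org = Get-OrganizationConfig
Add-Result 'Mailbox auditing' (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"
$audit = Get-AdminAuditLogConfig
Add-Result 'Unified audit log' ($audit.UnifiedAuditLogIngestionEnabled -eq $true) "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"

# Connection filter IP allow list must be empty (allow-listed IPs skip spam filtering).
foreach ($cf in Get-HostedConnectionFilterPolicy) {
    Add-Result "IP allow list ($($cf.Name))" ($cf.IPAllowList.Count -eq 0) "IPAllowList=$($cf.IPAllowList -join ',')"
}

# External sender identification (the "External" tag in Outlook clients).
$ext = Get-ExternalInOutlook
Add-Result 'External sender tag' ($ext.Enabled -eq $true) "Enabled=$($ext.Enabled)"

# Common attachment type filter in every malware filter policy.
foreach ($mp in Get-MalwareFilterPolicy) {
    Add-Result "Attachment filter ($($mp.Name))" ($mp.EnableFileFilter -eq $true) "EnableFileFilter=$($mp.EnableFileFilter) FileTypes=$($mp.FileTypes.Count)"
}

# Mail authentication per authoritative accepted domain: DKIM signing enabled in
# EXO, an SPF record published, DMARC at p=reject with the DHS aggregate address.
$dkim = Get-DkimSigningConfig
foreach ($d in Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }) {
    $name = $d.DomainName
    $sig = $dkim | Where-Object { $_.Domain -eq $name }
    Add-Result "DKIM ($name)" ($null -ne $sig -and $sig.Enabled -eq $true) "Enabled=$($sig.Enabled)"

    $spf = (Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { ($_.Strings -join '') -like 'v=spf1*' }).Strings -join ''
    Add-Result "SPF ($name)" ($spf -ne '') $spf

    $dmarc = (Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue |
              Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }).Strings -join ''
    # DMARC tags are "key=value" pairs separated by ';'. A missing record leaves
    # the table empty, so both checks below fail rather than error.
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) {
        if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    Add-Result "DMARC p=reject ($name)" ($tags['p'] -eq 'reject') "p=$($tags['p'])"
    Add-Result "DMARC rua includes DHS ($name)" ("$($tags['rua'])" -match 'mailto:reports@dmarc\.cyber\.dhs\.gov') "rua=$($tags['rua'])"
}

$results | Format-Table -AutoSize
```

The script only reads configuration; it never changes a setting. Two caveats for anyone using it as a pre-check: the DMARC lookup answers for the exact accepted domain, so a DMARC record inherited from the organizational domain for a subdomain is not credited, and Resolve-DnsName uses the host's resolver, which should be able to reach public DNS for the mail domains.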

Entra ID (31 controls)

CISA-MS.AAD.1.1: Block legacy authentication
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.1.1; CIS 1.5.4; SOC2 CC6.1; NIST CM-7; ISO27001 A.8.19; CIS 5.2.2.3; CSF PR.IP-1; CSF PR.PT-3; GDPR Art.32

CISA-MS.AAD.2.1: Sign-in risk Conditional Access policy configured
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.2.1; NIST IA-2(13); SOC2 CC6.1; ISO27001 A.8.5; GDPR Art.32

CISA-MS.AAD.2.2: User risk Conditional Access policy configured
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.2.2; NIST IA-5(2); SOC2 CC6.1; ISO27001 A.8.5; GDPR Art.32

CISA-MS.AAD.2.3: Sign-ins detected as high risk SHALL be blocked.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.2.3

CISA-MS.AAD.3.1: Require MFA for admins
Severity: critical. Auto-remediable.
Mappings: CISA MS.AAD.3.1; CIS 1.1.2; SOC2 CC6.1; NIST AC-2; NIST IA-2(1); NIST IA-2(2); NIST IA-2(8); NIST IA-5c; NIST IA-5g; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.8.2; CSF DE.CM-3; CSF PR.AC-4; GDPR Art.32; GDPR Art.5(1)(f); 405D 3.M.D

CISA-MS.AAD.3.2: Require MFA for all users
Severity: critical. Auto-remediable.
Mappings: CISA MS.AAD.3.2; CIS 1.1.1; NIST AC-6(2); NIST CM-1; NIST CM-2; NIST CM-6; NIST CM-7; NIST CM-7(1); NIST CM-9; NIST IA-2; NIST SA-10; NIST SA-3; NIST SA-8; ISO27001 A.5.1; ISO27001 A.5.16; ISO27001 A.5.2; ISO27001 A.5.31; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.5.8; ISO27001 A.8.19; ISO27001 A.8.25; ISO27001 A.8.27; ISO27001 A.8.28; ISO27001 A.8.30; ISO27001 A.8.31; ISO27001 A.8.32; ISO27001 A.8.9; CSF DE.AE-1; CSF ID.BE-5; CSF PR.AC-1; CSF PR.AC-6; CSF PR.AC-7; CSF PR.DS-7; CSF PR.DS-8; CSF PR.IP-1; CSF PR.IP-2; CSF PR.IP-3; CSF PR.PT-3; GDPR Art.24; GDPR Art.25; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.3; SOC2 CC8.1; 405D 3.M.D; Copilot Pre-Deployment

CISA-MS.AAD.3.3: Securing security info registration
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.3.3; CIS 1.1.4; NIST AC-1; NIST AC-2; NIST AC-2(1); NIST AC-2(3); NIST IA-5; ISO27001 A.5.1; ISO27001 A.5.15; ISO27001 A.5.16; ISO27001 A.5.17; ISO27001 A.5.18; ISO27001 A.5.2; ISO27001 A.5.31; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.8.2; CSF DE.CM-3; CSF PR.AC-1; CSF PR.AC-3; CSF PR.AC-4; CSF PR.AC-6; CSF PR.AC-7; GDPR Art.24; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.2

CISA-MS.AAD.3.4: Disable SMS sign-in as authentication method
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.3.4; CIS 6.1.1; NIST AC-1; NIST AC-2; NIST AC-2(1); NIST AU-12; NIST AU-2; NIST AU-7; NIST CM-7; ISO27001 A.5.1; ISO27001 A.5.15; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.5.2; ISO27001 A.5.31; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.8.15; ISO27001 A.8.19; ISO27001 A.8.2; CSF DE.CM-1; CSF DE.CM-3; CSF DE.CM-7; CSF PR.AC-3; CSF PR.AC-4; CSF PR.IP-1; CSF PR.PT-1; CSF PR.PT-3; CSF RS.AN-3; GDPR Art.24; GDPR Art.32; GDPR Art.33; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC7.2

CISA-MS.AAD.3.5: Disable voice call as authentication method
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.3.5; NIST IA-2(6); SOC2 CC6.1; ISO27001 A.8.5; GDPR Art.32

CISA-MS.AAD.3.6: Require MFA for admin portals
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.3.6; CIS 1.2.3; NIST AC-6(5); SOC2 CC6.3; 405D 3.M.D

CISA-MS.AAD.3.7: Require phishing-resistant MFA for admins
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.3.7; CIS 1.2.1; NIST AC-20b; NIST AC-3; NIST AC-5; NIST AC-6; NIST AU-6(1); NIST AU-7; NIST IA-3; NIST IR-4(1); NIST MP-2; NIST SI-4(2); NIST SI-4(5); ISO27001 A.5.10; ISO27001 A.5.15; ISO27001 A.5.3; ISO27001 A.5.33; ISO27001 A.7.10; ISO27001 A.7.7; ISO27001 A.8.18; ISO27001 A.8.2; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF PR.AC-1; CSF PR.AC-4; CSF PR.AC-7; CSF PR.DS-1; CSF PR.DS-5; CSF PR.PT-1; CSF PR.PT-2; CSF PR.PT-3; CSF RS.AN-3; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.4; SOC2 CC7.2; SOC2 CC7.4; 405D 3.M.D; Copilot Pre-Deployment

CISA-MS.AAD.3.8: Authentication methods registration campaign enabled
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.3.8; NIST IA-2(6); SOC2 CC6.1

CISA-MS.AAD.4.1: Named/trusted location configured
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.4.1; CIS 1.2.4; NIST AU-4; ISO27001 A.8.6; CSF PR.DS-4; SOC2 CC7.2

CISA-MS.AAD.4.2: Trusted IP-based named location defined
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.4.2; NIST AC-2(13); ISO27001 A.8.5; GDPR Art.32; SOC2 CC7.4

CISA-MS.AAD.5.1: Disable user consent to third-party applications
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.5.1; CIS 2.1.1; NIST AC-6(10); NIST CM-5; NIST RA-5; NIST RA-7; NIST SI-2; NIST SI-2(2); NIST SI-3; ISO27001 A.6.8; ISO27001 A.8.19; ISO27001 A.8.2; ISO27001 A.8.31; ISO27001 A.8.32; ISO27001 A.8.4; ISO27001 A.8.7; ISO27001 A.8.8; ISO27001 A.8.9; CSF DE.AE-2; CSF DE.CM-4; CSF DE.CM-8; CSF DE.DP-3; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF ID.RA-6; CSF PR.IP-1; CSF PR.IP-12; CSF RS.AN-1; CSF RS.AN-5; CSF RS.MI-3; GDPR Art.25; GDPR Art.32; SOC2 CC4.2; SOC2 CC6.1; SOC2 CC8.1

CISA-MS.AAD.5.2: Admin consent workflow enabled
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.5.2; CIS 2.1.3; NIST AC-6(10); NIST AU-1; NIST AU-2; NIST CM-5; NIST IR-1; NIST IR-8; NIST RA-5; ISO27001 A.5.1; ISO27001 A.5.2; ISO27001 A.5.24; ISO27001 A.5.31; ISO27001 A.5.36; ISO27001 A.5.37; ISO27001 A.5.4; ISO27001 A.8.15; ISO27001 A.8.19; ISO27001 A.8.2; ISO27001 A.8.31; ISO27001 A.8.32; ISO27001 A.8.4; ISO27001 A.8.8; ISO27001 A.8.9; CSF DE.AE-2; CSF DE.AE-3; CSF DE.AE-5; CSF DE.CM-8; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF ID.SC-5; CSF PR.IP-1; CSF PR.IP-12; CSF PR.IP-7; CSF PR.IP-8; CSF PR.IP-9; CSF PR.PT-1; CSF RC.IM-1; CSF RC.IM-2; CSF RC.RP-1; CSF RS.AN-1; CSF RS.AN-4; CSF RS.CO-1; CSF RS.CO-2; CSF RS.CO-3; CSF RS.CO-4; CSF RS.IM-1; CSF RS.IM-2; CSF RS.MI-3; CSF RS.RP-1; GDPR Art.24; GDPR Art.25; GDPR Art.32; GDPR Art.33; GDPR Art.34; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC8.1

CISA-MS.AAD.5.3: An admin consent workflow SHALL be configured for applications.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.5.3

CISA-MS.AAD.5.4: Group owners SHALL NOT be allowed to consent to applications.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.5.4

CISA-MS.AAD.6.1: User passwords SHALL NOT expire.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.6.1; 405D 3.M.C

CISA-MS.AAD.7.1: Cross-tenant inbound MFA trust configured
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.7.1; NIST IA-8; SOC2 CC6.1; ISO27001 A.5.16; CSF PR.AC-1; CSF PR.AC-6; CSF PR.AC-7; GDPR Art.32; GDPR Art.5(1)(f); 405D 3.M.D; 405D 3.L.A

CISA-MS.AAD.7.2: Cross-tenant inbound compliant device trust configured
Severity: low. Auto-remediable.
Mappings: CISA MS.AAD.7.2; NIST AC-17; SOC2 CC6.1; ISO27001 A.5.14; ISO27001 A.6.7; CSF PR.AC-3; CSF PR.PT-4; GDPR Art.32; GDPR Art.5(1)(f); 405D 3.L.A

CISA-MS.AAD.7.3: Restrict guest user access permissions
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.7.3; CIS 1.4.1; ISO27001 A.8.3; NIST AC-6(5); GDPR Art.32; SOC2 CC6.3

CISA-MS.AAD.7.4: Cross-tenant inbound hybrid Azure AD join trust configured
Severity: medium. Auto-remediable.
Mappings: CISA MS.AAD.7.4; NIST AC-17; SOC2 CC6.1; ISO27001 A.5.14; ISO27001 A.6.7; CSF PR.AC-3; CSF PR.PT-4; GDPR Art.32; GDPR Art.5(1)(f); 405D 3.L.A

CISA-MS.AAD.7.5: Cross-tenant inbound compliant network trust configured
Severity: low. Auto-remediable.
Mappings: CISA MS.AAD.7.5; NIST AC-17; SOC2 CC6.1; ISO27001 A.5.14; ISO27001 A.6.7; CSF PR.AC-3; CSF PR.PT-4; GDPR Art.32; GDPR Art.5(1)(f); 405D 3.L.A

CISA-MS.AAD.7.6: Activation of the Global Administrator role SHALL require approval.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.7.6; 405D 3.L.B

CISA-MS.AAD.7.7: Eligible and Active highly privileged role assignments SHALL trigger an alert.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.7.7; 405D 3.L.B

CISA-MS.AAD.7.8: User activation of the Global Administrator role SHALL trigger an alert.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.7.8; 405D 3.L.B

CISA-MS.AAD.7.9: User activation of other highly privileged roles SHOULD trigger an alert.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.7.9

CISA-MS.AAD.8.1: Block access from non-allowed countries/locations
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.8.1; NIST AC-2(13); ISO27001 A.8.5; GDPR Art.32; SOC2 CC7.4

CISA-MS.AAD.8.2: Only users with the Guest Inviter role SHOULD be able to invite guest users.
Severity: high. Auto-remediable.
Mappings: CISA MS.AAD.8.2

CISA-MS.AAD.8.3: Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.AAD.8.3
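The following script is an added example, not code from this page, from CISA, or from ScubaGear. It reads the Entra ID policy objects behind several of the controls above through the Microsoft Graph PowerShell SDK: the Conditional Access policies that block legacy authentication and high sign-in or user risk, the authentication methods policy (SMS and voice call disabled), the authorization policy (user consent, guest invitations, guest permissions), the admin consent request policy, and password expiry on each verified domain. It assumes an existing Connect-MgGraph session with at least the Policy.Read.All and Domain.Read.All scopes; Add-Result, $results and the two well-known guest role GUIDs are the example's own names and assumptions.

```powershell
# Added example (not from the page or from CISA). Read-only Entra ID checks.
# Assumes Connect-MgGraph -Scopes 'Policy.Read.All','Domain.Read.All' has been run.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Only enabled policies count; "enabledForReportingButNotEnforced" (report-only)
# is deliberately excluded because it enforces nothing.
$enabled = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }

# Legacy authentication: a policy scoped to all users that targets the legacy
# client app types ("exchangeActiveSync" and "other") with a block grant.
$legacyBlock = @($enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
})
Add-Result 'Block legacy authentication' ($legacyBlock.Count -gt 0) "policies: $($legacyBlock.DisplayName -join ', ')"

# Risk-based policies: high sign-in risk and high user risk must be blocked.
$signInRiskBlock = @($enabled | Where-Object {
    $_.Conditions.SignInRiskLevels -contains 'high' -and $_.GrantControls.BuiltInControls -contains 'block'
})
Add-Result 'High sign-in risk blocked' ($signInRiskBlock.Count -gt 0) "policies: $($signInRiskBlock.DisplayName -join ', ')"
$userRiskBlock = @($enabled | Where-Object {
    $_.Conditions.UserRiskLevels -contains 'high' -and $_.GrantControls.BuiltInControls -contains 'block'
})
Add-Result 'High user risk blocked' ($userRiskBlock.Count -gt 0) "policies: $($userRiskBlock.DisplayName -join ', ')"

# Authentication methods policy: SMS and voice call must be disabled tenant-wide.
$methods = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations
foreach ($id in 'Sms', 'Voice') {
    $m = $methods | Where-Object { $_.Id -eq $id }
    Add-Result "$id method disabled" ($m.State -eq 'disabled') "State=$($m.State)"
}

# Authorization policy: user consent to apps, who may invite guests, guest permissions.
$authz = Get-MgPolicyAuthorizationPolicy
$grantPolicies = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
# An empty PermissionGrantPoliciesAssigned list means users cannot consent at all.
Add-Result 'User consent disabled' ($grantPolicies.Count -eq 0) "PermissionGrantPoliciesAssigned=$($grantPolicies -join ',')"
Add-Result 'Guest invites restricted' ($authz.AllowInvitesFrom -in 'none', 'adminsAndGuestInviters') "AllowInvitesFrom=$($authz.AllowInvitesFrom)"
# Assumed well-known GuestUserRoleId values: restricted guest and limited guest.
# Any other value (notably the "same as member" role) fails the check.
$restrictedGuestRoles = '2af84b1e-32c8-42b7-82bc-daa82404023b', '10dae51f-b6af-4016-8d66-8c2a99b929b3'
Add-Result 'Guest access restricted' ($authz.GuestUserRoleId -in $restrictedGuestRoles) "GuestUserRoleId=$($authz.GuestUserRoleId)"

# Admin consent request workflow.
$consentReq = Get-MgPolicyAdminConsentRequestPolicy
Add-Result 'Admin consent workflow' ($consentReq.IsEnabled -eq $true) "IsEnabled=$($consentReq.IsEnabled)"

# Passwords never expire: 2147483647 days is the "never expires" value on a domain.
foreach ($dom in Get-MgDomain | Where-Object { $_.IsVerified }) {
    Add-Result "Password never expires ($($dom.Id))" ($dom.PasswordValidityPeriodInDays -eq 2147483647) "PasswordValidityPeriodInDays=$($dom.PasswordValidityPeriodInDays)"
}

$results | Format-Table -AutoSize
```

The Conditional Access checks are deliberately strict about scope: a block-legacy policy that includes all users but excludes a break-glass group still passes (exclusions are not examined), whereas a policy assigned to a pilot group does not, because IncludeUsers will not contain 'All'. Privileged role alerting and PIM approval (MS.AAD.7.6 to 7.9) live in PIM role settings and are not covered by this script.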

Teams (18 controls)

CISA-MS.TEAMS.1.1: External participants cannot request control of shared screen
Severity: medium. Auto-remediable.
Mappings: CISA MS.TEAMS.1.1; SOC2 CC6.1; ISO27001 A.8.3; NIST AC-17a; GDPR Art.32

CISA-MS.TEAMS.1.2: Anonymous users cannot start meetings
Severity: critical. Auto-remediable.
Mappings: CISA MS.TEAMS.1.2; CIS 8.2.1; SOC2 CC6.1; NIST CM-6; NIST SC-15a; ISO27001 A.8.9; CSF PR.IP-1; GDPR Art.25; GDPR Art.32

CISA-MS.TEAMS.1.3: Anonymous and dial-in users must wait in lobby
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.1.3; SOC2 CC6.1; ISO27001 A.9.4.1; NIST SC-15a

CISA-MS.TEAMS.1.4: Internal users auto-admitted to meetings
Severity: low. Auto-remediable.
Mappings: CISA MS.TEAMS.1.4; NIST AC-3; SOC2 CC6.1; ISO27001 A.5.15; ISO27001 A.5.33; ISO27001 A.8.18; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF PR.AC-4; CSF PR.PT-3; GDPR Art.32; GDPR Art.5(1)(f)

CISA-MS.TEAMS.1.5: Dial-in users cannot bypass meeting lobby
Severity: medium. Auto-remediable.
Mappings: CISA MS.TEAMS.1.5; SOC2 CC6.1; ISO27001 A.9.4.1; NIST SC-15a

CISA-MS.TEAMS.1.6: Meeting recording disabled by default
Severity: medium. Auto-remediable.
Mappings: CISA MS.TEAMS.1.6; CIS 8.2.3; SOC2 CC6.1; NIST CM-7; ISO27001 A.8.19; CSF PR.IP-1; CSF PR.PT-3; GDPR Art.32

CISA-MS.TEAMS.1.7: Live event recording not set to always record
Severity: low. Auto-remediable.
Mappings: CISA MS.TEAMS.1.7; ISO27001 A.8.10; NIST AC-21a; GDPR Art.17; GDPR Art.32

CISA-MS.TEAMS.2.1: External access restricted to allowed domains only
Severity: critical. Auto-remediable.
Mappings: CISA MS.TEAMS.2.1; CIS 8.2.4; NIST AC-3; SOC2 CC6.1; ISO27001 A.5.15; ISO27001 A.5.33; ISO27001 A.8.18; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF PR.AC-4; CSF PR.PT-3; GDPR Art.32; GDPR Art.5(1)(f)

CISA-MS.TEAMS.2.2: Unmanaged Teams users cannot initiate contact
Severity: critical. Auto-remediable.
Mappings: CISA MS.TEAMS.2.2; CIS 8.5.9; SOC2 CC6.1; NIST CM-7; NIST SI-8; ISO27001 A.8.19; CSF DE.CM-4; CSF PR.IP-1; CSF PR.PT-3; GDPR Art.32

CISA-MS.TEAMS.2.3: Internal users cannot contact unmanaged Teams users
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.2.3; SOC2 CC6.1; NIST CM-7; NIST SC-7(10)(a); ISO27001 A.8.19; CSF PR.IP-1; CSF PR.PT-3; GDPR Art.32

CISA-MS.TEAMS.4.1: Teams email integration disabled
Severity: medium. Auto-remediable.
Mappings: CISA MS.TEAMS.4.1; NIST AC-4; NIST SC-7(10)(a); NIST SI-8; ISO27001 A.5.14; ISO27001 A.8.22; ISO27001 A.8.23; CSF DE.AE-1; CSF DE.CM-4; CSF ID.AM-3; CSF PR.AC-5; CSF PR.DS-5; GDPR Art.32; GDPR Art.5(1)(f); SOC2 CC6.7

CISA-MS.TEAMS.5.1: Microsoft apps restricted to approved list
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.5.1; SOC2 CC6.8; ISO27001 A.8.19; NIST CM-11; CSF DE.CM-3; GDPR Art.32

CISA-MS.TEAMS.5.2: Third-party apps restricted to approved list
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.5.2; SOC2 CC6.8; ISO27001 A.8.19; NIST CM-11; CSF DE.CM-3; GDPR Art.32

CISA-MS.TEAMS.5.3: Custom apps restricted to approved list
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.5.3; SOC2 CC6.8; ISO27001 A.8.19; NIST CM-11; CSF DE.CM-3; GDPR Art.32

CISA-MS.TEAMS.7.1: Safe Attachments enabled for Teams
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.7.1; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32

CISA-MS.TEAMS.7.2: Users prevented from opening malicious files in Teams
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.7.2; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32

CISA-MS.TEAMS.8.1: Safe Links URL scanning enabled for Teams
Severity: high. Auto-remediable.
Mappings: CISA MS.TEAMS.8.1; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32

CISA-MS.TEAMS.8.2: User click tracking enabled for Safe Links in Teams
Severity: medium. Auto-remediable.
Mappings: CISA MS.TEAMS.8.2; NIST SI-4; SOC2 CC6.8; ISO27001 A.8.16; CSF DE.AE-1; CSF DE.AE-2; CSF DE.AE-3; CSF DE.AE-4; CSF DE.CM-1; CSF DE.CM-4; CSF DE.CM-5; CSF DE.CM-6; CSF DE.CM-7; CSF DE.DP-2; CSF DE.DP-3; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF PR.DS-5; CSF PR.IP-8; CSF RS.AN-1; GDPR Art.32; GDPR Art.33
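The following script is an added example, not code from this page, from CISA, or from ScubaGear. It reads the Teams meeting, live event, federation and client settings behind the MS.TEAMS.1.x, 2.x and 4.1 controls above with the MicrosoftTeams module, checking every meeting policy rather than only the Global one because a user assigned a custom policy is governed by that policy. It assumes an existing Connect-MicrosoftTeams session; Add-Result and $results are the example's own names.

```powershell
# Added example (not from the page or from CISA). Read-only Teams checks.
# Assumes Connect-MicrosoftTeams has been run with a Teams administrator account.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Meeting policies. A compliant Global policy is not enough if a custom policy
# assigned to some users is looser, so every policy is evaluated.
foreach ($mp in Get-CsTeamsMeetingPolicy) {
    $n = $mp.Identity
    Add-Result "$n: external request control" ($mp.AllowExternalParticipantGiveRequestControl -eq $false) "AllowExternalParticipantGiveRequestControl=$($mp.AllowExternalParticipantGiveRequestControl)"
    Add-Result "$n: anonymous start" ($mp.AllowAnonymousUsersToStartMeeting -eq $false) "AllowAnonymousUsersToStartMeeting=$($mp.AllowAnonymousUsersToStartMeeting)"
    # Any AutoAdmittedUsers value other than "Everyone" keeps anonymous users in the
    # lobby while still auto-admitting people from the organization.
    Add-Result "$n: anonymous wait in lobby" ($mp.AutoAdmittedUsers -ne 'Everyone') "AutoAdmittedUsers=$($mp.AutoAdmittedUsers)"
    Add-Result "$n: dial-in lobby bypass" ($mp.AllowPSTNUsersToBypassLobby -eq $false) "AllowPSTNUsersToBypassLobby=$($mp.AllowPSTNUsersToBypassLobby)"
    Add-Result "$n: cloud recording" ($mp.AllowCloudRecording -eq $false) "AllowCloudRecording=$($mp.AllowCloudRecording)"
}

# Live events: recording must not be forced on for every event.
foreach ($bp in Get-CsTeamsMeetingBroadcastPolicy) {
    Add-Result "$($bp.Identity): live event recording" ($bp.BroadcastRecordingMode -ne 'AlwaysRecord') "BroadcastRecordingMode=$($bp.BroadcastRecordingMode)"
}

# Federation. AllowedDomains is either an "allow all known domains" object or an
# allow list whose AllowedDomain collection holds the approved domains; external
# access is restricted when federation is off or that list is non-empty.
$fed = Get-CsTenantFederationConfiguration
$allowed = @($fed.AllowedDomains.AllowedDomain)
$restricted = ($fed.AllowFederatedUsers -eq $false) -or ($allowed.Count -gt 0)
Add-Result 'External access allow list' $restricted "AllowFederatedUsers=$($fed.AllowFederatedUsers) AllowedDomain=$($allowed.Domain -join ',')"
Add-Result 'Unmanaged Teams users cannot initiate contact' ($fed.AllowTeamsConsumerInbound -eq $false) "AllowTeamsConsumerInbound=$($fed.AllowTeamsConsumerInbound)"
Add-Result 'Internal users cannot contact unmanaged Teams users' ($fed.AllowTeamsConsumer -eq $false) "AllowTeamsConsumer=$($fed.AllowTeamsConsumer)"

# Email integration into channels.
$client = Get-CsTeamsClientConfiguration
Add-Result 'Channel email integration disabled' ($client.AllowEmailIntoChannel -eq $false) "AllowEmailIntoChannel=$($client.AllowEmailIntoChannel)"

$results | Format-Table -AutoSize
```

App permission policies (MS.TEAMS.5.x) and the Safe Attachments and Safe Links settings for Teams (7.x and 8.x) are configured in Defender for Office 365 rather than in the Teams module and are not covered here.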

Defender (11 controls)

CISA-MS.DEFENDER.1.1: Standard and strict preset security policies enabled
Severity: critical. Auto-remediable.
Mappings: CISA MS.DEFENDER.1.1; NIST CM-6; NIST SI-3; SOC2 CC6.1; ISO27001 A.8.7; ISO27001 A.8.9; CSF DE.CM-4; CSF DE.DP-3; CSF PR.IP-1; GDPR Art.25; GDPR Art.32

CISA-MS.DEFENDER.1.2: All users added to EOP in standard or strict preset security policy
Severity: critical. Auto-remediable.
Mappings: CISA MS.DEFENDER.1.2; NIST CM-6; NIST SI-8; SOC2 CC6.1; ISO27001 A.8.9; CSF DE.CM-4; CSF PR.IP-1; GDPR Art.25; GDPR Art.32

CISA-MS.DEFENDER.1.3: All users added to Defender for Office 365 in standard or strict preset security policy
Severity: critical. Auto-remediable.
Mappings: CISA MS.DEFENDER.1.3; NIST SI-3; NIST SI-8; SOC2 CC6.1; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32; 405D 1.L.A

CISA-MS.DEFENDER.1.4: Sensitive accounts added to Exchange Online Protection in strict preset security policy
Severity: high. Not auto-remediable.
Mappings: CISA MS.DEFENDER.1.4; NIST CM-6; NIST AC-6; SOC2 CC6.1; ISO27001 A.5.15; ISO27001 A.8.18; ISO27001 A.8.2; ISO27001 A.8.9; CSF PR.AC-4; CSF PR.DS-5; CSF PR.IP-1; GDPR Art.25; GDPR Art.32; GDPR Art.5(1)(f)

CISA-MS.DEFENDER.1.5: Sensitive accounts added to Defender for Office 365 in strict preset security policy
Severity: high. Not auto-remediable.
Mappings: CISA MS.DEFENDER.1.5; NIST SI-3; NIST AC-6; SOC2 CC6.1; ISO27001 A.5.15; ISO27001 A.8.18; ISO27001 A.8.2; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; CSF PR.AC-4; CSF PR.DS-5; GDPR Art.32; GDPR Art.5(1)(f); 405D 1.L.A

CISA-MS.DEFENDER.2.1: User impersonation protection enabled for sensitive accounts
Severity: high. Auto-remediable.
Mappings: CISA MS.DEFENDER.2.1; NIST SI-8; SOC2 CC6.1; ISO27001 A.8.23; CSF DE.CM-4; GDPR Art.32; 405D 1.M.A

CISA-MS.DEFENDER.2.2: Domain impersonation protection enabled for organization domains
Severity: high. Auto-remediable.
Mappings: CISA MS.DEFENDER.2.2; NIST SI-8; SOC2 CC6.1; ISO27001 A.8.23; CSF DE.CM-4; GDPR Art.32; 405D 1.M.A

CISA-MS.DEFENDER.2.3: Domain impersonation protection enabled for key partners and suppliers
Severity: medium. Not auto-remediable.
Mappings: CISA MS.DEFENDER.2.3; NIST SI-8; SOC2 CC6.1; ISO27001 A.8.23; CSF DE.CM-4; GDPR Art.32; 405D 1.M.A

CISA-MS.DEFENDER.3.1: Safe Attachments enabled for SharePoint, OneDrive, and Microsoft Teams
Severity: high. Auto-remediable.
Mappings: CISA MS.DEFENDER.3.1; NIST SI-3; SOC2 CC6.8; ISO27001 A.8.7; CSF DE.CM-4; CSF DE.DP-3; GDPR Art.32; 405D 1.L.A

CISA-MS.DEFENDER.5.1: Required CISA security alerts enabled
Severity: high. Auto-remediable.
Mappings: CISA MS.DEFENDER.5.1; NIST SI-4; SOC2 CC7.2; ISO27001 A.8.16; CSF DE.AE-1; CSF DE.AE-2; CSF DE.AE-3; CSF DE.AE-4; CSF DE.CM-1; CSF DE.CM-4; CSF DE.CM-5; CSF DE.CM-6; CSF DE.CM-7; CSF DE.DP-2; CSF DE.DP-3; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF PR.DS-5; CSF PR.IP-8; CSF RS.AN-1; GDPR Art.32; GDPR Art.33; 405D 8.M.B

CISA-MS.DEFENDER.5.2: Security alerts sent to monitored address or SIEM
Severity: medium. Not auto-remediable.
Mappings: CISA MS.DEFENDER.5.2; NIST SI-4(5); ISO27001 A.8.16; GDPR Art.32; GDPR Art.33; SOC2 CC7.2; 405D 8.M.A; 405D 8.M.B
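The following script is an added example, not code from this page, from CISA, or from ScubaGear. It reads the Defender for Office 365 objects behind the MS.DEFENDER.1.x, 2.x and 3.1 controls above with the ExchangeOnlineManagement module: the rules that represent the Standard and Strict preset security policies (state and recipient scope, for both the EOP and the Defender layers), the anti-phishing impersonation settings, and the Safe Attachments switch for SharePoint, OneDrive and Teams. It assumes an existing Connect-ExchangeOnline session. $SensitiveUsers (with the example.gov addresses), Add-Result and $results are the example's own names and placeholder values, and the script assumes that choosing "All recipients" for a preset in the portal is stored as every accepted domain in the rule's RecipientDomainIs property.

```powershell
# Added example (not from the page or from CISA). Read-only Defender for Office 365
# checks. Assumes Connect-ExchangeOnline has been run.

# Assumed placeholder input: replace with the agency's own list of sensitive accounts.
$SensitiveUsers = @('cio@example.gov', 'ciso@example.gov')

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Preset security policies are exposed as rules, one per layer (EOP and Defender).
# State shows whether the preset is on; SentTo / SentToMemberOf / RecipientDomainIs
# hold its scope. "All recipients" in the portal is assumed to be stored as every
# accepted domain in RecipientDomainIs, which is what the coverage check looks for.
$domains = @((Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }).DomainName)
foreach ($cmd in 'Get-EOPProtectionPolicyRule', 'Get-ATPProtectionPolicyRule') {
    $layer = if ($cmd -like 'Get-EOP*') { 'EOP' } else { 'Defender' }
    $allUsersCovered = $false
    foreach ($preset in 'Standard Preset Security Policy', 'Strict Preset Security Policy') {
        # Get-ATPProtectionPolicyRule returns nothing without a Defender for Office 365
        # license; the null rule then fails the checks instead of throwing.
        $rule = & $cmd -Identity $preset -ErrorAction SilentlyContinue
        Add-Result "$preset ($layer) enabled" ($rule.State -eq 'Enabled') "State=$($rule.State)"
        $missing = @($domains | Where-Object { $rule.RecipientDomainIs -notcontains $_ })
        if ($rule.State -eq 'Enabled' -and $missing.Count -eq 0) { $allUsersCovered = $true }
        if ($preset -like 'Strict*') {
            # Direct SentTo membership only; groups in SentToMemberOf are not expanded.
            $uncovered = @($SensitiveUsers | Where-Object { $rule.SentTo -notcontains $_ })
            Add-Result "Strict ($layer) covers sensitive accounts" ($uncovered.Count -eq 0) "not in SentTo: $($uncovered -join ',')"
        }
    }
    Add-Result "All users in Standard or Strict ($layer)" $allUsersCovered "domains checked: $($domains -join ',')"
}

# Impersonation protection in every anti-phishing policy: protected users listed,
# the organization's own domains protected, and at least one partner domain listed.
foreach ($ap in Get-AntiPhishPolicy) {
    $n = $ap.Name
    Add-Result "$n: user impersonation" ($ap.EnableTargetedUserProtection -eq $true -and $ap.TargetedUsersToProtect.Count -gt 0) "EnableTargetedUserProtection=$($ap.EnableTargetedUserProtection) users=$($ap.TargetedUsersToProtect.Count)"
    Add-Result "$n: organization domain impersonation" ($ap.EnableOrganizationDomainsProtection -eq $true) "EnableOrganizationDomainsProtection=$($ap.EnableOrganizationDomainsProtection)"
    Add-Result "$n: partner domain impersonation" ($ap.EnableTargetedDomainsProtection -eq $true -and $ap.TargetedDomainsToProtect.Count -gt 0) "TargetedDomainsToProtect=$($ap.TargetedDomainsToProtect -join ',')"
}

# Safe Attachments for SharePoint, OneDrive and Teams is a single tenant-wide switch.
$atp = Get-AtpPolicyForO365
Add-Result 'Safe Attachments for SPO/OneDrive/Teams' ($atp.EnableATPForSPOTeamsODB -eq $true) "EnableATPForSPOTeamsODB=$($atp.EnableATPForSPOTeamsODB)"

$results | Format-Table -AutoSize
```

Alert policies (MS.DEFENDER.5.x) are read through the Security & Compliance PowerShell session (Connect-IPPSSession and Get-ProtectionAlert), not the Exchange Online session, and are left out of this script.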

Purview (10 controls)

CISA-MS.DEFENDER.6.3: Audit logs maintained for minimum duration per OMB M-21-31
Severity: high. Not auto-remediable.
Mappings: CISA MS.DEFENDER.6.3; NIST AU-11; ISO27001 A.5.28; ISO27001 A.8.15; GDPR Art.32; GDPR Art.33; GDPR Art.5(2); SOC2 CC7.2; 405D 8.M.A

CISA-MS.EXO.8.1: Unified audit logging enabled
Severity: critical. Auto-remediable.
Mappings: CISA MS.EXO.8.1; CIS 6.5.3; NIST AC-3; NIST AC-5; NIST AC-6; NIST AU-2; NIST AU-6(1); NIST AU-7; NIST CA-9; NIST IR-4(1); NIST MP-2; NIST SC-7; NIST SI-4(2); NIST SI-4(5); ISO27001 A.5.10; ISO27001 A.5.14; ISO27001 A.5.15; ISO27001 A.5.3; ISO27001 A.5.33; ISO27001 A.7.10; ISO27001 A.7.7; ISO27001 A.8.15; ISO27001 A.8.16; ISO27001 A.8.18; ISO27001 A.8.2; ISO27001 A.8.20; ISO27001 A.8.22; ISO27001 A.8.23; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF DE.CM-1; CSF ID.AM-3; CSF PR.AC-4; CSF PR.AC-5; CSF PR.DS-1; CSF PR.DS-5; CSF PR.PT-1; CSF PR.PT-2; CSF PR.PT-3; CSF PR.PT-4; CSF RS.AN-3; GDPR Art.32; GDPR Art.33; GDPR Art.5(1)(f); SOC2 CC6.1; SOC2 CC6.4; SOC2 CC7.2; SOC2 CC7.4; 405D 8.M.A

CISA-MS.EXO.8.2: The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.8.2; 405D 4.M.E

CISA-MS.EXO.8.3: The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.8.3; 405D 4.M.E

CISA-MS.EXO.8.4: At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.
Severity: high. Not auto-remediable.
Mappings: CISA MS.EXO.8.4; 405D 4.M.E

CISA-MS.EXO.17.1: Microsoft Purview Audit (Standard) logging SHALL be enabled.
Severity: high. Auto-remediable.
Mappings: CISA MS.EXO.17.1

CISA-MS.EXO.17.2: Microsoft Purview Audit (Premium) logging SHALL be enabled.
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.17.2

CISA-MS.EXO.17.3: Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).
Severity: medium. Not auto-remediable.
Mappings: CISA MS.EXO.17.3; 405D 8.M.A

CISA-MS.TEAMS.6.1: DLP solution enabled for Teams
Severity: high. Not auto-remediable.
Mappings: CISA MS.TEAMS.6.1; NIST SI-4; SOC2 CC6.1; ISO27001 A.8.16; CSF DE.AE-1; CSF DE.AE-2; CSF DE.AE-3; CSF DE.AE-4; CSF DE.CM-1; CSF DE.CM-4; CSF DE.CM-5; CSF DE.CM-6; CSF DE.CM-7; CSF DE.DP-2; CSF DE.DP-3; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF PR.DS-5; CSF PR.IP-8; CSF RS.AN-1; GDPR Art.32; GDPR Art.33; 405D 4.M.E

CISA-MS.TEAMS.6.2: DLP protects PII and sensitive information in Teams
Severity: high. Not auto-remediable.
Mappings: CISA MS.TEAMS.6.2; NIST SI-4; SOC2 CC6.1; ISO27001 A.8.16; CSF DE.AE-1; CSF DE.AE-2; CSF DE.AE-3; CSF DE.AE-4; CSF DE.CM-1; CSF DE.CM-4; CSF DE.CM-5; CSF DE.CM-6; CSF DE.CM-7; CSF DE.DP-2; CSF DE.DP-3; CSF DE.DP-4; CSF DE.DP-5; CSF ID.RA-1; CSF PR.DS-5; CSF PR.IP-8; CSF RS.AN-1; GDPR Art.32; GDPR Art.33; 405D 4.M.E

SharePoint (3 controls)

CISA-MS.SHAREPOINT.1.1: SharePoint external sharing restricted appropriately
Severity: high. Auto-remediable.
Mappings: CISA MS.SHAREPOINT.1.1; CIS 3.1; SOC2 CC6.1; NIST AC-2; NIST AC-3; NIST IA-8; ISO27001 A.5.15; ISO27001 A.5.16; ISO27001 A.5.18; ISO27001 A.5.33; ISO27001 A.8.18; ISO27001 A.8.2; ISO27001 A.8.20; ISO27001 A.8.26; ISO27001 A.8.3; ISO27001 A.8.4; CSF DE.CM-3; CSF PR.AC-1; CSF PR.AC-4; CSF PR.AC-6; CSF PR.AC-7; CSF PR.PT-3; GDPR Art.32; GDPR Art.5(1)(f); 405D 4.M.B; Copilot Pre-Deployment

CISA-MS.SHAREPOINT.1.2: Legacy authentication protocols disabled for SharePoint
Severity: high. Auto-remediable.
Mappings: CISA MS.SHAREPOINT.1.2; CIS 3.8; NIST IA-2(6); ISO27001 A.8.5; GDPR Art.32; SOC2 CC6.1

CISA-MS.SHAREPOINT.1.3: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
Severity: high. Not auto-remediable.
Mappings: CISA MS.SHAREPOINT.1.3; 405D 4.M.B