{"assessment-plan":{"uuid":"d4f5c3e2-5b6a-4c3e-9f7a-123456789abc","metadata":{"roles":[{"id":"author","title":"Content Author"}],"title":"CISA SCuBA Assessment Plan","parties":[{"name":"Easy Dynamics","type":"organization","uuid":"33da91b4-3178-49d6-babb-948c9542fd13","links":[{"href":"https://easydynamics.com"}]}],"version":"EXPERIMENTAL","published":"2025-12-08T12:00:00-04:00","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"a690524e-2d20-4e5b-9ee5-498366d08e9a"}],"last-modified":"2025-12-08T12:00:00-04:00","oscal-version":"1.1.3"},"import-ssp":{"href":"#080172e1-3306-4f73-99b6-c1facbc21077"},"local-definitions":{"activities":[{"uuid":"760fe3fc-45af-4c62-b095-265a56a1dedf","steps":[{"uuid":"422ccfe4-7b60-4fe8-81ff-3d4464cc6e05","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad11v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy","text":"Block legacy authentication with Conditional Access"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity","text":"Five steps to securing your identity infrastructure"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/","text":"T1110: Brute Force"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/001/","text":"T1110.001: Password Guessing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/002/","text":"T1110.002: Password Cracking"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/003/","text":"T1110.003: Password Spraying"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.1.1v1","remarks":"The security risk of allowing legacy authentication protocols is they do not support MFA. Blocking legacy protocols reduces the impact of user credential theft.","description":"Legacy authentication SHALL be blocked.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]}]}]}},{"uuid":"f8778b31-80d0-4ce7-8089-eaef63db47aa","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad21v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.2.1v1","remarks":"Blocking high-risk users may prevent compromised accounts from accessing the tenant.","description":"Users detected as high risk SHALL be blocked.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2.12","statement-ids":["ac-2.12_smt"]},{"control-id":"ac-2.13","statement-ids":["ac-2.13_smt"]}]}]}},{"uuid":"2ba05345-887d-4306-9378-e04ac6bf13e7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad22v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.AAD.2.2v1","remarks":"Notification enables the admin to monitor the event and remediate the risk. This helps the organization proactively respond to cyber intrusions as they occur.","description":"A notification SHOULD be sent to the administrator when high-risk users are detected.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2.12","statement-ids":["ac-2.12_smt"]}]}]}},{"uuid":"e7273bf6-6251-41f1-919e-d7d45f8f8c69","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad23v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks","text":"What are risk detections?"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk","text":"Simulating risk detections in Identity Protection"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-user-experience","text":"Self-remediation experience with Microsoft Entra ID Protection and Conditional Access"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.2.3v1","remarks":"This prevents compromised accounts from accessing the tenant.","description":"Sign-ins detected as high risk SHALL be blocked.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2.12","statement-ids":["ac-2.12_smt"]},{"control-id":"ac-2.13","statement-ids":["ac-2.13_smt"]}]}]}},{"uuid":"b5b21ca4-bb3e-44e2-bc26-2363f8d3e0dc","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.1v1","remarks":"Weaker forms of MFA do not protect against sophisticated phishing attacks. By enforcing methods resistant to phishing, those risks are minimized.","description":"Phishing-resistant MFA SHALL be enforced for all users.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-2.1","statement-ids":["ia-2.1_smt"]},{"control-id":"ia-2.2","statement-ids":["ia-2.2_smt"]},{"control-id":"ia-5","statement-ids":["ia-5_smt.c","ia-5_smt.g"]},{"control-id":"ia-2.8","statement-ids":["ia-2.8_smt"]}]}]}},{"uuid":"c05380d7-88be-475b-92e5-9aeeb3fdcbfa","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad32v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/","text":"T1110: Brute Force"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/001/","text":"T1110.001: Password Guessing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/002/","text":"T1110.002: Password Cracking"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/003/","text":"T1110.003: Password Spraying"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.2v1","remarks":"This is a stopgap security policy to help protect the tenant if phishing-resistant MFA has not been enforced. This policy requires MFA enforcement, thus reducing single-form authentication risk.","description":"If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-2.1","statement-ids":["ia-2.1_smt"]},{"control-id":"ia-2.2","statement-ids":["ia-2.2_smt"]}]}]}},{"uuid":"3b09e019-74d8-4bb8-828c-2e7909c7947b","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad33v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/","text":"T1110: Brute Force"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/001/","text":"T1110.001: Password Guessing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/002/","text":"T1110.002: Password Cracking"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1110/003/","text":"T1110.003: Password Spraying"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.3v2","remarks":"This policy helps protect the tenant when Microsoft Authenticator is used by showing user context information, which helps reduce MFA phishing compromises.","description":"If Microsoft Authenticator is enabled, it SHALL be configured to show login context information.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-2.1","statement-ids":["ia-2.1_smt"]},{"control-id":"ia-2.2","statement-ids":["ia-2.2_smt"]},{"control-id":"ia-5","statement-ids":["ia-5_smt.c","ia-5_smt.g"]},{"control-id":"ia-2.8","statement-ids":["ia-2.8_smt"]},{"control-id":"ia-2.13","statement-ids":["ia-2.13_smt"]}]}]}},{"uuid":"4e57b673-52ca-4eaa-a85c-42e688609054","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad34v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.4v1","remarks":"To disable the legacy authentication methods screen for the tenant, configure the Manage Migration feature to Migration Complete. The MFA and Self-Service Password Reset (SSPR) authentication methods are both managed from a central admin page, thereby reducing administrative complexity and potential security misconfigurations.","description":"The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]}]}]}},{"uuid":"23547b83-ce20-4be1-a64b-abacba60733c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad35v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1621/","text":"T1621: Multi-Factor Authentication Request Generation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.5v1","remarks":"SMS, voice call, and email OTP are the weakest authenticators. This policy forces users to use stronger MFA methods.","description":"The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt.b"]},{"control-id":"ia-5","statement-ids":["ia-5_smt.c"]}]}]}},{"uuid":"08c5c660-c8c3-4e9b-b76e-dc0afbbeabb6","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad36v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.3.6v1","remarks":"This is a backup security policy to help protect privileged access to the tenant if the conditional access policy, which requires MFA for all users, is disabled or misconfigured.","description":"Phishing-resistant MFA SHALL be required for highly privileged roles.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-2.1","statement-ids":["ia-2.1_smt"]},{"control-id":"ia-5","statement-ids":["ia-5_smt.c","ia-5_smt.g"]},{"control-id":"ia-2.8","statement-ids":["ia-2.8_smt"]}]}]}},{"uuid":"4b7f6f09-84da-4c03-ba7b-d02ff52d5b69","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad37v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.AAD.3.7v1","remarks":"The security risk of an adversary authenticating to the tenant from their own device is reduced by requiring a managed device to authenticate. Managed devices are under the provisioning and control of the agency. [OMB-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) states, \"When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.\"","description":"Managed devices SHOULD be required for authentication.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-20","statement-ids":["ac-20_smt.b"]},{"control-id":"ia-3","statement-ids":["ia-3_smt"]}]}]}},{"uuid":"9413f12e-db95-44e6-96c3-e1617d313346","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad38v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/005/","text":"T1098.005: Device Registration"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.AAD.3.8v1","remarks":"Reduce risk of an adversary using stolen user credentials and then registering their own MFA device to access the tenant by requiring a managed device provisioned and controlled by the agency to perform registration actions. This prevents the adversary from using their own unmanaged device to perform the registration.","description":"Managed Devices SHOULD be required to register MFA.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-20","statement-ids":["ac-20_smt.b"]},{"control-id":"ia-3","statement-ids":["ia-3_smt"]}]}]}},{"uuid":"44d65b67-ad4f-4f45-bec3-dabf87e3ee39","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad39v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods","text":"What authentication and verification methods are available in Microsoft Entra ID?"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-additional-context#enable-additional-context-in-the-portal","text":"Use additional context in Authenticator notifications - Authentication methods policy"},{"rel":"reference","href":"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf","text":"M-22-09 Federal Zero Trust Architecture Strategy"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join","text":"Configure Microsoft Entra hybrid join"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join","text":"Microsoft Entra joined devices"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll","text":"Set up automatic enrollment for Windows devices (for Intune)"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2","text":"Enable passkeys (FIDO2) for your organization"},{"rel":"reference","href":"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/","text":"Storm-2372 conducts device code phishing campaign"},{"rel":"reference","href":"https://github.com/cisagov/ScubaGear/issues/1599","text":"Microsoft 365 Device Code Phishing Cyber Attack – Demonstration, Analysis and Mitigation"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/conditional-access/managed-policies#block-device-code-flow","text":"Block device code flow"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1528/","text":"T1528: Steal Application Access Token"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.AAD.3.9v1","remarks":"The device code authentication flow has been abused to compromise user accounts via phishing. Since most organizations using M365 don't need device code authentication, blocking it mitigates the risk.","description":"Device code authentication SHOULD be blocked.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]}]}]}},{"uuid":"f7faa6e0-d544-4f04-bd22-42d6bc4a0b45","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad41v1"},{"rel":"reference","href":"https://thecloudtechnologist.com/2021/10/15/everything-you-wanted-to-know-about-security-and-audit-logging-in-office-365/","text":"Everything you wanted to know about Security and Audit Logging in Office 365"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins","text":"What are Microsoft Entra sign-in logs?"},{"rel":"reference","href":"https://www.cisa.gov/sites/default/files/publications/NCPS%20Cloud%20Interface%20RA%20Volume%20One%20%282021-05-14%29.pdf","text":"National Cybersecurity Protection System-Cloud Interface Reference Architecture Volume One: General Guidance"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/008/","text":"T1562.008: Disable or Modify Cloud Logs"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.4.1v1","remarks":"The security risk of not having visibility into cyber attacks is reduced by collecting logs in the agency’s centralized security detection infrastructure. This makes security events available for auditing, query, and incident response.","description":"Security logs SHALL be sent to the agency's security operations center for monitoring.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-4","statement-ids":["au-4_smt"]}]}]}},{"uuid":"b7afe9cf-d85c-43cc-b220-1e299c503814","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad51v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/001/","text":"T1098.001: Additional Cloud Credentials"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.5.1v1","remarks":"Application access for the tenant presents a heightened security risk compared to interactive user access because applications are typically not subject to critical security protections, such as MFA policies. Reduce risk of unauthorized users installing malicious applications into the tenant by ensuring that only specific privileged users can register applications.","description":"Only administrators SHALL be allowed to register applications.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.10","statement-ids":["ac-6.10_smt"]},{"control-id":"cm-5","statement-ids":["cm-5_smt"]}]}]}},{"uuid":"6c265210-a3af-4d88-8afc-a7aceaf03f15","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad52v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/001/","text":"T1098.001: Additional Cloud Credentials"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.5.2v1","remarks":"Limiting applications consent to only specific privileged users reduces risk of users giving insecure applications access to their data via [consent grant attacks](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide).","description":"Only administrators SHALL be allowed to consent to applications.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.10","statement-ids":["ac-6.10_smt"]},{"control-id":"cm-5","statement-ids":["cm-5_smt"]}]}]}},{"uuid":"396592ab-bb71-4b97-93c5-b9941b8eb415","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad53v1"},{"rel":"reference","href":"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-register-applications.html","text":"Restrict Application Registration for Non-Privileged Users"},{"rel":"reference","href":"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-consent-to-apps-accessing-company-data-on-their-behalf.html","text":"Enforce Administrators to Provide Consent for Apps Before Use"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow","text":"Configure the admin consent workflow"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/001/","text":"T1098.001: Additional Cloud Credentials"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.5.3v1","remarks":"Configuring an admin consent workflow reduces the risk of the previous policy by setting up a process for users to securely request access to applications necessary for business purposes. Administrators have the opportunity to review the permissions requested by new applications and approve or deny access based on a risk assessment.","description":"An admin consent workflow SHALL be configured for applications.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-4","statement-ids":["cm-4_smt"]}]}]}},{"uuid":"1341cd43-6d42-4eea-8f26-f3e06cfb9fca","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad61v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-expiration-requirements-for-users","text":"Password expiration requirements for users"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad","text":"Eliminate bad passwords using Microsoft Entra Password Protection"},{"rel":"reference","href":"https://pages.nist.gov/800-63-3/sp800-63b.html","text":"NIST Special Publication 800-63B - Digital Identity Guidelines"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.6.1v1","remarks":"The National Institute of Standards and Technology (NIST), OMB, and Microsoft have published guidance indicating mandated periodic password changes make user accounts less secure. For example, OMB-22-09 states, \"Password policies must not require use of special characters or regular rotation.\"","description":"User passwords SHALL NOT expire.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-5.1","statement-ids":["ia-5.1_smt"]}]}]}},{"uuid":"37617d5c-9685-4d2a-aca6-6d0f764f521a","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad71v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.1v1","remarks":"The Global Administrator role provides unfettered access to the tenant. Limiting the number of users with this level of access makes tenant compromise more challenging. Microsoft recommends fewer than five users in the Global Administrator role. However, additional user accounts, up to eight, may be necessary to support emergency access and some operational scenarios.","description":"A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.5","statement-ids":["ac-6.5_smt"]}]}]}},{"uuid":"5490e069-0158-41da-bf12-0a5dffa1317f","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad72v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1651/","text":"T1651: Cloud Administration Command"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1136/","text":"T1136: Create Account"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1136/003/","text":"T1136.003: Cloud Account"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.2v1","remarks":"Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced.","description":"Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-5","statement-ids":["ac-5_smt"]}]}]}},{"uuid":"9b2bcceb-a877-4cec-9cba-4d880c4a153c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad73v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1556/","text":"T1556: Modify Authentication Process"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1556/007/","text":"T1556.007: Hybrid Identity"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.3v1","remarks":"By provisioning cloud-only Microsoft Entra ID user accounts to privileged users, the risks associated with a compromise of on-premises federation infrastructure are reduced. It is more challenging for the adversary to pivot from the compromised environment to the cloud with privileged access.","description":"Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.5","statement-ids":["ac-6.5_smt"]}]}]}},{"uuid":"e592f49f-ba58-4d35-beb9-0e5ee3aeef98","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad74v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.4v1","remarks":"Instead of giving users permanent assignments to privileged roles, provisioning access just in time lessens exposure if those accounts become compromised. In Microsoft Entra ID PIM or an alternative PAM system, just in time access can be provisioned by assigning users to roles as eligible instead of perpetually active.","description":"Permanent active role assignments SHALL NOT be allowed for highly privileged roles.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2","statement-ids":["ac-2_smt"]}]}]}},{"uuid":"b7bb79bc-6bc6-4690-b468-a245baa9f569","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad75v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1651/","text":"T1651: Cloud Administration Command"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.5v1","remarks":"Provisioning users to privileged roles within a PAM system enables enforcement of numerous privileged access policies and monitoring. If privileged users are assigned directly to roles in the M365 admin center or via PowerShell outside of the context of a PAM system, a significant set of critical security capabilities are bypassed.","description":"Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2","statement-ids":["ac-2_smt"]}]}]}},{"uuid":"d72f1f68-e016-4be9-83a0-a8c7c6a2d0c5","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad76v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.6v1","remarks":"Requiring approval for a user to activate Global Administrator, which provides unfettered access, makes it more challenging for an attacker to compromise the tenant with stolen credentials and it provides visibility of activities indicating a compromise is taking place.","description":"Activation of the Global Administrator role SHALL require approval.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.1","statement-ids":["ac-6.1_smt"]}]}]}},{"uuid":"67518f12-9f60-4ac9-9bdc-69dfb9d243ab","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad77v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.7v1","remarks":"Closely monitor assignment of the highest privileged roles for signs of compromise. Send assignment alerts to enable the security monitoring team to detect compromise attempts.","description":"Eligible and Active highly privileged role assignments SHALL trigger an alert.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2.1","statement-ids":["ac-2.1_smt"]}]}]}},{"uuid":"e56c4f86-f578-4c38-8855-54af56517b4e","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad78v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.AAD.7.8v1","remarks":"Closely monitor activation of the Global Administrator role for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.","description":"User activation of the Global Administrator role SHALL trigger an alert.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.9","statement-ids":["ac-6.9_smt"]}]}]}},{"uuid":"2ff8ff69-7b5e-41da-8410-b0438b86a2ea","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/aad.md#msaad79v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5","text":"Limit number of Global Administrators to less than 5"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#implement-privilege-access-management","text":"Implement Privilege Access Management"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-add-role-to-user","text":"Assign Microsoft Entra roles in Privileged Identity Management"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups","text":"Privileged Identity Management (PIM) for Groups"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow","text":"Approve or deny requests for Microsoft Entra roles in Privileged Identity Management"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts","text":"Configure security alerts for Microsoft Entra roles in Privileged Identity Management"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1136/","text":"T1136: Create Account"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1136/003/","text":"T1136.003: Cloud Account"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.AAD.7.9v1","remarks":"Closely monitor activation of high-risk roles for signs of compromise. Send activation alerts to enable the security monitoring team to detect compromise attempts.
In some environments, activating privileged roles can generate a significant number of alerts.","description":"User activation of other highly privileged roles SHOULD trigger an alert.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.9","statement-ids":["ac-6.9_smt"]}]}]}}],"title":"Assess Microsoft Entra ID for Identity, Authentication, and Privileged Access Controls","description":"This activity will examine the Microsoft Entra ID (formerly Azure Active Directory) configuration of the M365 tenant to verify compliance with the CISA Secure Cloud Business Applications (SCuBA) baseline. The assessment evaluates 27 policy checks spanning legacy authentication blocking, risk-based conditional access policies, phishing-resistant multi-factor authentication enforcement, application registration and consent restrictions, password expiration policies, privileged role management through just-in-time access, and guest user access controls. The assessment method is EXAMINE, using read-only API queries against the tenant's Entra ID configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Microsoft Entra ID."},{"uuid":"4e391cf6-5549-46f3-b3d7-aad12cd5a226","steps":[{"uuid":"0763d718-a66e-4eac-9b3e-00eb007e141a","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender11v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/003/","text":"T1566.003: Spearphishing via 
Service"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.1.1v1","remarks":"Defender includes a large number of features and settings to protect users against threats. Using the preset security policies, administrators can help ensure all new and existing users automatically have secure defaults applied.","description":"The standard and strict preset security policies SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-6","statement-ids":["cm-6_smt.a"]},{"control-id":"si-3","statement-ids":["si-3_smt.a"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"d217c197-f8d7-4f29-afd5-aba7e3d084e7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender12v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/003/","text":"T1566.003: Spearphishing via Service"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.1.2v1","remarks":"Important user protections are provided by EOP, including anti-spam, anti-malware, and anti-phishing protections. 
By using the preset policies, administrators can help ensure all new and existing users have secure defaults applied automatically.","description":"All users SHALL be added to Exchange Online Protection (EOP) in either the standard or strict preset security policy.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-6","statement-ids":["cm-6_smt.a"]},{"control-id":"si-3","statement-ids":["si-3_smt.a"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"bda5bac4-da43-490b-8647-e1de133e02f2","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender13v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/003/","text":"T1566.003: Spearphishing via Service"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.1.3v1","remarks":"Important user protections are provided by Defender for Office 365 protection, including safe attachments and safe links. 
By using the preset policies, administrators can help ensure all new and existing users have secure defaults applied automatically.","description":"All users SHALL be added to Defender for Office 365 protection in either the standard or strict preset security policy.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-6","statement-ids":["cm-6_smt.a"]},{"control-id":"si-3","statement-ids":["si-3_smt.a"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"eaa53c5c-c4b4-45cc-a9da-32461480820d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender14v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.1.4v1","remarks":"Unauthorized access to a sensitive account may result in greater harm than a standard user account. 
Adding sensitive accounts to the strict preset security policy, with its increased protections, better mitigates their elevated risk to email threats.","description":"Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-6","statement-ids":["cm-6_smt.a"]},{"control-id":"si-3","statement-ids":["si-3_smt.a"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"95840a4a-b69c-4c5a-9910-d4b9f00a5547","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender15v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users","text":"Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide","text":"Configure anti-phishing policies in EOP | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide","text":"Configure anti-malware policies in EOP | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide","text":"Configure anti-spam policies in EOP | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide","text":"Configure anti-phishing policies in Defender for Office 365 
| Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide","text":"Set up Safe Attachments policies in Microsoft Defender for Office 365 | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide","text":"Set up Safe Links policies in Microsoft Defender for Office 365 | Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.1.5v1","remarks":"Unauthorized access to a sensitive account may result in greater harm than to a standard user account. 
Adding sensitive accounts to the strict preset security policy, with its increased protections, better mitigates their elevated risk.","description":"Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-6","statement-ids":["cm-6_smt.a"]},{"control-id":"si-3","statement-ids":["si-3_smt.a"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"fffd38b9-3d2c-4fdd-91ac-b1852f52394d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender21v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.2.1v1","remarks":"User impersonation, especially of users with access to sensitive or high-value information and resources, has the potential to result in serious harm. Impersonation protection mitigates this risk. 
By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.","description":"User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"8bc70a06-a190-4ff5-8106-81200137d53c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender22v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.2.2v1","remarks":"Configuring domain impersonation protection for all agency domains reduces the risk of a user being deceived by a look-alike domain. 
By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.","description":"Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"92387cd9-4372-4654-8dd8-88078e229209","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender23v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365","text":"Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 | Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users","text":"Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: 
Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.2.3v1","remarks":"Configuring domain impersonation protection for domains owned by important partners reduces the risk of a user being deceived by a look-alike domain. By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.","description":"Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"325c4deb-02c3-432b-8ad5-dab3a22dcced","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/002/","text":"T1204.002: Malicious File"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.3.1v1","remarks":"Clicking malicious links makes users vulnerable to attacks, and this danger is not limited to links in emails. Other Microsoft products, such as Microsoft Teams, can be used to present users with malicious links. 
As such, it is important to protect users on these other Microsoft products as well.","description":"Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt.a"]}]}]}},{"uuid":"ca0432d2-27c3-4405-87cf-f375c86bcdf7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender41v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.4.1v2","remarks":"Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures.","description":"A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. 
Social Security numbers (SSN).","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"86f06431-57be-496f-9ddc-e1f143733f43","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender42v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.4.2v1","remarks":"Unauthorized disclosures may happen through M365 services or endpoint devices. 
DLP policies should cover all affected locations to be effective.","description":"The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"c6f0aacd-e1ff-4584-b602-ec722891d6c4","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender43v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.4.3v1","remarks":"Access to sensitive information should be prohibited unless explicitly allowed. Specific exemptions can be made based on agency policies and valid business justifications.","description":"The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"8fd58b5d-22bf-4663-a48b-da0f64aa19f9","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender44v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.4.4v1","remarks":"Some users may not be aware of agency policies on proper use of sensitive information. 
Enabling notifications provides positive feedback to users when accessing sensitive information.","description":"Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"at-2","statement-ids":["at-2_smt.b"]}]}]}},{"uuid":"36f09006-cacf-41c8-b319-518a77f77a7c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender45v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1485/","text":"T1485: Data Destruction"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.4.5v1","remarks":"Some apps may inappropriately share accessed files or not conform to agency policies for access to sensitive information. 
Defining a list of those apps makes it possible to use DLP policies to restrict those apps' access to sensitive information on endpoints using Defender.","description":"A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"c5b4a410-efcb-4830-9246-3e46f31102f0","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender46v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1485/","text":"T1485: Data Destruction"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1486/","text":"T1486: Data Encrypted for Impact"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.4.6v1","remarks":"Some apps may inappropriately share accessed files or not conform to agency policies for access to sensitive information. 
Defining a DLP policy with an action to block access from restricted apps and unwanted Bluetooth applications prevents unauthorized disclosure by those programs.","description":"The custom policy SHOULD include an action to block access to sensitive","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-19","statement-ids":["ac-19_smt.a"]}]}]}},{"uuid":"67db1541-7fdb-4e97-bee4-54a59104c489","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender51v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/006/","text":"T1562.006: Indicator Blocking"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.5.1v1","remarks":"Potentially malicious or service-impacting events may go undetected without a means of detecting these events. 
Setting up a mechanism to alert administrators to the list of events linked above draws attention to them to minimize any impact to users and the agency.","description":"At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.5","statement-ids":["si-4.5_smt"]}]}]}},{"uuid":"34a2869b-9c5c-44e4-8ba6-0f87675f7a50","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender52v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/006/","text":"T1562.006: Indicator Blocking"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.DEFENDER.5.2v1","remarks":"Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. 
Sending alerts to a monitored email address or SIEM system helps ensure events are acted upon in a timely manner to limit overall impact.","description":"The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM).","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.5","statement-ids":["si-4.5_smt"]}]}]}},{"uuid":"3ea722d7-e3cb-444e-9782-20088526b7f6","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender61v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/008/","text":"T1562.008: Disable or Modify Cloud Logs"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.6.1v1","remarks":"Responding to incidents without detailed information about activities that took place slows response actions. Enabling Unified Audit logging helps ensure agencies have visibility into user actions. 
Furthermore, enabling the Unified Audit log is required for government agencies by OMB M-21-31.","description":"Unified Audit logging SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-12","statement-ids":["au-12_smt"]}]}]}},{"uuid":"71268fc6-3a91-479a-bf82-ce47daa41070","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/defender.md#msdefender63v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/purview/audit-log-export-records","text":"Export, configure, and view audit log records | Microsoft Learn"},{"rel":"reference","href":"https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet","text":"Untitled Goose Tool Fact Sheet | CISA"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy","text":"Manage audit log retention policies | Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1070/","text":"T1070: Indicator Removal"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.DEFENDER.6.3v1","remarks":"Audit logs may no longer be available when needed if they are not retained for a sufficient time. 
Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago.","description":"Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-11","statement-ids":["au-11_smt"]}]}]}}],"title":"Assess Microsoft Defender for Threat Protection, Data Loss Prevention, and Audit Logging","description":"This activity will examine the Microsoft Defender for Office 365 and Microsoft Purview configuration of the M365 tenant to verify compliance with the CISA SCuBA baseline. The assessment evaluates 19 policy checks spanning preset security profile activation for standard and strict protection tiers, impersonation protection for sensitive accounts and agency domains, Safe Attachments scanning for SharePoint, OneDrive, and Teams, data loss prevention policies covering personally identifiable information (PII), required security alert policies, and unified audit log retention. 
The assessment method is EXAMINE, using read-only API queries against the tenant's Defender and Purview configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Defender."},{"uuid":"2c69fb5c-056f-4788-be36-723b939a4766","steps":[{"uuid":"b10db434-d24a-47d9-ad36-cbfe7af7d61d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo11v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.1.1v2","remarks":"Adversaries can use automatic forwarding to gain persistent access to a victim's email. 
Disabling forwarding to external domains prevents this technique when the adversary is external to the organization but does not impede legitimate internal forwarding.","description":"Automatic forwarding to external domains SHALL be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-4","statement-ids":["ac-4_smt"]}]}]}},{"uuid":"c5f6468d-4450-4d92-8f9a-80d85bf4629e","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo22v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.2.2v2","remarks":"An adversary may modify the `FROM` field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Publishing an SPF policy for each agency domain mitigates forged `FROM` fields by providing a means for recipients to detect emails spoofed in this way. 
SPF is required for FCEB departments and agencies by Binding Operational Directive (BOD) 18-01, \"Enhance Email and Web Security\".","description":"An SPF policy SHALL be published for each domain that fails all non-approved senders.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2","statement-ids":["ac-2_smt.d"]}]}]}},{"uuid":"23dc5124-e18e-4e3c-b88d-b53dc7485b99","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1598/","text":"T1598: Phishing for Information"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.3.1v1","remarks":"An adversary may modify the `FROM` field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. 
Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content.","description":"DKIM SHOULD be enabled for all domains.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-8","statement-ids":["sc-8_smt"]}]}]}},{"uuid":"f443dd5c-d88d-45b1-ba37-2f51fc0dbbfa","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo41v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1598/","text":"T1598: Phishing for Information"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.4.1v1","remarks":"Without a DMARC policy available for each domain, recipients may improperly handle SPF and DKIM failures, possibly enabling spoofed emails to reach end users' mailboxes. 
Publishing DMARC records at the second-level domain protects the second-level domains and all subdomains.","description":"A DMARC policy SHALL be published for every second-level domain.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"d6310203-b683-426d-9640-9805eb372546","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo42v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1598/","text":"T1598: Phishing for Information"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.4.2v1","remarks":"Of the three policy options (i.e., none, quarantine, and reject), reject provides the strongest protection. Reject is the level of protection required by BOD 18-01 for FCEB departments and agencies.","description":"The DMARC message rejection option SHALL be p=reject.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"428d2c9f-92c5-444e-a3f6-5162d743b440","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo43v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.4.3v1","remarks":"Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. 
Including [reports@dmarc.cyber.dhs.gov](mailto:reports@dmarc.cyber.dhs.gov) as a point of contact for these reports gives CISA insight into spoofing attempts and is required by BOD 18-01 for FCEB departments and agencies.","description":"The DMARC point of contact for aggregate reports SHALL include `reports@dmarc.cyber.dhs.gov`.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.5","statement-ids":["si-4.5_smt"]}]}]}},{"uuid":"b9f50163-d4ef-4cd1-8335-acbd34d5fdc1","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo44v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.4.4v1","remarks":"Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including an agency point of contact gives the agency insight into attempts to spoof their domains.","description":"An agency point of contact SHOULD be included for aggregate and failure reports.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.5","statement-ids":["si-4.5_smt"]}]}]}},{"uuid":"a84151c7-f0c2-4c57-b17e-35b8bb5942ae","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo51v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.5.1v1","remarks":"SMTP AUTH is not used or needed by modern email clients. 
Therefore, disabling it as the global default conforms to the principle of least functionality.","description":"SMTP AUTH SHALL be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]}]}]}},{"uuid":"c8192dc7-b900-474f-95a0-a919528c6718","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo61v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.6.1v1","remarks":"Contact folders may contain information that should not be shared by default with all domains. Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for specific legitimate use as needed.","description":"Contact folders SHALL NOT be shared with all domains.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]}]}]}},{"uuid":"4690b7e7-1850-46e8-a1c0-e7e907434e56","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo62v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.6.2v1","remarks":"Calendar details may contain information that should not be shared by default with all domains. 
Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for legitimate use as needed.","description":"Calendar details SHALL NOT be shared with all domains.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]}]}]}},{"uuid":"facbf9ae-ce69-42ad-ba49-3ef8f6dc0034","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo71v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.7.1v1","remarks":"Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender.","description":"External sender warnings SHALL be implemented.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"b6a6e389-43ae-46fe-b103-6beb644bedfe","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo81v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.8.1v2","remarks":"Users may inadvertently disclose sensitive information to unauthorized individuals. 
A DLP solution may detect the presence of sensitive information in Exchange Online and block access to unauthorized entities.","description":"A DLP solution SHALL be used.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"3d5c53da-e083-4bb9-bcc4-17394700105f","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo82v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.8.2v2","remarks":"Users may inadvertently share sensitive information with others who should not have access to it. 
Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.","description":"The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"1a972df9-30d8-412c-82d2-24b8c949d702","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo83v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.8.3v1","remarks":"Any alternative DLP solution should be able to detect sensitive information in Exchange Online and block access to unauthorized entities.","description":"The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"875100dc-c4ea-4d67-80d4-6e2693cb6f1f","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo84v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information 
Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.8.4v1","remarks":"Users may inadvertently share sensitive information with others who should not have access to it. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.","description":"At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"9bc9a8da-e2bc-4b9b-a4f2-93d96d123682","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo91v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.9.1v2","remarks":"Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. 
Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.","description":"Emails SHALL be filtered by attachment file types.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"818b4fde-58c2-4206-893a-0f2c17d63ee8","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo92v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1036/","text":"T1036: Masquerading"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1036/006/","text":"T1036.006: Space after Filename"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1036/007/","text":"T1036.007: Double File Extension"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1036/008/","text":"T1036.008: Masquerade File Type"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.9.2v1","remarks":"Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. 
Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed.","description":"The attachment filter SHOULD attempt to determine the true file type and assess the file extension.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"f6b8f5b6-da0d-4379-b462-510253162327","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo93v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.9.3v2","remarks":"Malicious attachments often take the form of click-to-run files, though other file types can contain malicious content as well. As such, determining the full list of file types to block is left to each organization, to be made in accordance with their risk tolerance.","description":"Disallowed file types SHALL be determined and enforced.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"8b01e1bc-ad7e-457c-acde-98eb22adfbd3","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo94v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.9.4v1","remarks":"Malicious attachments often take the form of click-to-run files. 
Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.","description":"Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"5a425426-6f96-411b-8c20-811b888311aa","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo95v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about#common-attachments-filter-in-anti-malware-policies","text":"Common attachments filter in anti-malware policies | Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.9.5v1","remarks":"Malicious attachments often take the form of click-to-run files. 
Blocking a list of common executable files helps mitigate the risk of adversarial exploitation.","description":"At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"8051511e-127c-4045-b6a8-c2d8d920ce1a","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo101v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.10.1v1","remarks":"Email can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users.","description":"Emails SHALL be scanned for malware.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"71ba0c56-49fb-40b9-8a05-331e902533bc","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo102v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.10.2v1","remarks":"Email can be used as a mechanism for delivering malware. 
Preventing emails with known malware from reaching user mailboxes helps ensure users cannot interact with those emails.","description":"Emails identified as containing malware SHALL be quarantined or dropped.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"8e423d35-657e-4c63-88b1-4627c1a9aaff","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo103v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.10.3v1","remarks":"As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails after delivery, the number of malware-infected emails in users' mailboxes can be reduced.","description":"Email scanning SHALL be capable of reviewing emails after delivery.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"3675cf88-4597-4404-bbae-72c47b0713e9","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo111v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.11.1v1","remarks":"Users might not be able to reliably identify phishing emails, especially if the `FROM` address is nearly indistinguishable from that of a known entity. 
By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced.","description":"Impersonation protection checks SHOULD be used.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"3610b529-bba6-4531-a154-04a9e20cece7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo112v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.11.2v1","remarks":"Many tasks are better suited for automated processes, such as identifying unusual characters in the `FROM` address or identifying a first-time sender. 
User warnings can handle these tasks, reducing the burden on end users and the risk of successful phishing attempts.","description":"User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"at-2","statement-ids":["at-2_smt.b"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"f2cd380a-9334-4ef9-a8eb-ce809ba1d0ce","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo113v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1656/","text":"T1656: Impersonation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.11.3v1","remarks":"Phishing attacks can result in unauthorized data disclosure and unauthorized access. Using AI-based phishing detection tools to improve the detection rate of phishing attempts helps reduce the risk of successful phishing attacks.","description":"The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"79657b3b-0308-448b-813a-1658a2f93c53","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo121v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.12.1v1","remarks":"Messages sent from IP addresses on an allow list bypass important security mechanisms, including spam filtering and sender authentication checks. 
Avoiding use of IP allow lists prevents potential threats from circumventing security mechanisms.","description":"IP allow lists SHOULD NOT be created.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-4","statement-ids":["ac-4_smt"]}]}]}},{"uuid":"e90a4f4a-19ea-426c-8a96-9ca3ad1e12cb","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo122v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.12.2v1","remarks":"Messages sent from allowed safe list addresses bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of safe lists prevents potential threats from circumventing security mechanisms. While blocking all malicious senders is not feasible, blocking specific known, malicious IP addresses may reduce the threat from specific senders.","description":"Safe lists SHOULD NOT be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-4","statement-ids":["ac-4_smt"]}]}]}},{"uuid":"48380507-2926-49ad-a64d-02402894fbc7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo131v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1070/","text":"T1070: Indicator Removal"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1070/008/","text":"T1070.008: Clear Mailbox Data"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/002/","text":"T1098.002: Additional Email Delegate Permissions"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/008/","text":"T1562.008: Disable or 
Modify Cloud Logs"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1586/","text":"T1586: Compromise Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1586/002/","text":"T1586.002: Email Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1564/","text":"T1564: Hide Artifacts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1564/008/","text":"T1564.008: Email Hiding Rules"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.13.1v1","remarks":"Exchange Online user accounts can be compromised or misused. Enabling mailbox auditing provides a valuable source of information to detect and respond to mailbox misuse.","description":"Mailbox auditing SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-12","statement-ids":["au-12_smt.c"]}]}]}},{"uuid":"97d24991-a166-48a5-a372-450bbda85180","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo141v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.14.1v2","remarks":"Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. 
Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.","description":"A spam filter SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"be50d37a-8745-4571-9e0f-829e0ae7dc9b","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo142v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.14.2v1","remarks":"Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Moving spam messages to a separate junk or quarantine folder helps users filter out spam while still giving them the ability to review messages, as needed, in case a message is filtered incorrectly.","description":"Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"c77702d6-7722-4870-a9e9-f831b4921db4","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo143v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.14.3v1","remarks":"Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. 
Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections.","description":"Allowed domains SHALL NOT be added to inbound anti-spam protection policies.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"9e4518ec-84cc-4a3d-a19b-b604177f9993","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo144v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure?view=o365-worldwide","text":"Configure anti-spam policies in EOP \\\\\\| Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.14.4v1","remarks":"Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. 
Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.","description":"If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"9fd1d767-ebf8-458f-8713-67155ef02ecf","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo151v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.15.1v1","remarks":"Users may be directed to malicious websites via links in email. Blocking access to known, malicious URLs can prevent users from accessing known malicious websites.","description":"URL comparison with a block-list SHOULD be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"62560aa4-4d7d-4781-8e32-06e10ab163eb","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo152v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.15.2v1","remarks":"URLs in emails may direct users to download and run malware. 
Scanning direct download links in real-time for known malware and blocking access can prevent users from infecting their devices.","description":"Direct download links SHOULD be scanned for malware.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"f28dc80f-22f8-41fa-95db-7336839b11ae","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo153v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.15.3v1","remarks":"Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident.","description":"User click tracking SHOULD be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt"]},{"control-id":"au-12","statement-ids":["au-12_smt.c"]}]}]}},{"uuid":"038cfee8-4558-4ba4-8d5f-a44d74039988","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo161v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: 
Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/002/","text":"T1566.002: Spearphishing Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/006/","text":"T1562.006: Indicator Blocking"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.16.1v1","remarks":"Potentially malicious or service impacting events may go undetected without a means of detecting these events. Setting up a mechanism to alert administrators to events listed above draws attention to them to help minimize impact to users and the agency.","description":"At a minimum, the following alerts SHALL be enabled:","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.5","statement-ids":["si-4.5_smt"]}]}]}},{"uuid":"23b29791-f99f-40dd-9157-b9cfd9c85e1f","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo162v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/006/","text":"T1562.006: Indicator Blocking"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.EXO.16.2v1","remarks":"Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. 
Sending alerts to a monitored email address or SIEM system helps ensure these suspicious or malicious events are acted upon in a timely manner to limit overall impact.","description":"The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-4.12","statement-ids":["si-4.12_smt"]}]}]}},{"uuid":"25d3c635-cd50-4dd4-b958-8ac713894f60","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo171v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/","text":"T1562: Impair Defenses"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1562/008/","text":"T1562.008: Disable or Modify Cloud Logs"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.17.1v1","remarks":"Responding to incidents without detailed information about activities that took place slows response actions. Enabling Unified Audit logging helps ensure agencies have visibility into user actions. 
Furthermore, enabling the Unified Audit log is required for government agencies by OMB M-21-31.","description":"Unified Audit logging SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-12","statement-ids":["au-12_smt"]}]}]}},{"uuid":"54a70863-322d-49bb-bc01-cf9a7b1e9697","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/exo.md#msexo173v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/purview/audit-log-export-records","text":"Export, configure, and view audit log records \\| Microsoft Learn"},{"rel":"reference","href":"https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet","text":"Untitled Goose Tool Fact Sheet \\| CISA."},{"rel":"reference","href":"https://learn.microsoft.com/en-us/purview/audit-log-retention-policies?tabs=microsoft-purview-portal#before-you-create-an-audit-log-retention-policy","text":"Manage audit log retention policies \\| Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1070/","text":"T1070: Indicator Removal"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.EXO.17.3v1","remarks":"Audit logs may no longer be available when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago. 
OMB M-21-13, Appendix C, Table 5 specifically calls out Unified Audit Logs in the Cloud Azure log category.","description":"Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-11","statement-ids":["au-11_smt"]}]}]}}],"title":"Assess Exchange Online for Email Authentication, Transport Security, and Content Protection","description":"This activity will examine the Exchange Online configuration of the M365 tenant to verify compliance with the CISA SCuBA baseline. The assessment evaluates 40 policy checks spanning automatic external mail forwarding restrictions, email authentication protocols (SPF, DKIM, and DMARC at enforcement level), SMTP AUTH controls, external sender tagging, calendar and contact sharing restrictions, data loss prevention for sensitive information types, dangerous attachment filtering, malware scanning and zero-hour auto purge, anti-phishing and impersonation protections, spam filter policies, Safe Links URL scanning, required alert policies, and audit log retention per OMB M-21-31. The assessment method is EXAMINE, using read-only API queries against the tenant's Exchange Online configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Exchange Online."},{"uuid":"04319877-e72d-4967-b968-4852e6738113","steps":[{"uuid":"388a42ef-40d9-48c0-bbd5-b3e24a025f15","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi11v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.1.1v1","remarks":"A publicly accessible web URL can be accessed by everyone, including malicious actors. 
This policy limits information available on the public web that is not specifically allowed to be published.","description":"The Publish to Web feature SHOULD be disabled unless the agency mission requires the capability.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]}]}]}},{"uuid":"d552d20a-1187-47d0-b6a5-e89327a533fc","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi21v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1485/","text":"T1485: Data Destruction"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/001/","text":"T1078.001: Default Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.2.1v1","remarks":"Disabling external access to Power BI helps keep guest users from accessing potentially risky data and application programming interfaces (APIs). 
If an agency needs to allow guest access, this can be limited to users in specific security groups to curb risk.","description":"Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"ac-6","statement-ids":["ac-6_smt"]}]}]}},{"uuid":"3a86a404-961e-41af-9079-ebb0ce6d5d5d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1485/","text":"T1485: Data Destruction"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/001/","text":"T1078.001: Default Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1199/","text":"T1199: Trusted Relationship"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.3.1v1","remarks":"Disabling this feature keeps internal users from inviting guest users. Therefore guest users can be limited from accessing potentially risky data/APIs. 
If an agency needs to allow guest access, the invitation feature can be limited to users in specific security groups to help limit risk.","description":"The Invite external users to your organization feature SHOULD be disabled unless agency mission requires the capability.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"ac-6","statement-ids":["ac-6_smt"]}]}]}},{"uuid":"1b689575-ca99-4876-9910-6b048be93b0a","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi41v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1059/","text":"T1059: Command and Scripting Interpreter"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1059/009/","text":"T1059.009: Cloud API"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.4.1v1","remarks":"With unrestricted service principals, unwanted access to APIs is possible. 
Allowing service principals through security groups, and only where necessary, mitigates this risk.","description":"Service principals with access to APIs SHOULD be restricted to specific security groups.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-4","statement-ids":["ac-4_smt"]},{"control-id":"ac-6.5","statement-ids":["ac-6.5_smt"]}]}]}},{"uuid":"736e069a-c0d6-4f9a-ae2c-2e53341e5462","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi42v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/","text":"T1098: Account Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1098/003/","text":"T1098.003: Additional Cloud Roles"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.4.2v1","remarks":"With unrestricted service principals creating/using profiles, there is risk of an unauthorized user using a profile with more permissions than they have. 
Allowing service principals through security groups will mitigate that risk.","description":"Service principals creating and using profiles SHOULD be restricted to specific security groups.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-4","statement-ids":["ac-4_smt"]},{"control-id":"ac-6.5","statement-ids":["ac-6.5_smt"]}]}]}},{"uuid":"11f8cfa8-75a8-4727-9536-bf8919e60ba1","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi51v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1134/","text":"T1134: Access Token Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1134/001/","text":"T1134.001: Token Impersonation/Theft"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1134/003/","text":"T1134.003: Make and Impersonate Token"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.5.1v1","remarks":"If resource keys are allowed, someone can move data without Microsoft Entra ID OAuth bearer token, causing possibly malicious or junk data to be stored. 
Disabling resource keys reduces risk that an unauthorized individual will make changes.","description":"ResourceKey-based authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"ia-5","statement-ids":["ia-5_smt.g"]}]}]}},{"uuid":"f5193489-93b6-4faf-8560-650d7026b0d7","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi61v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1059/","text":"T1059: Command and Scripting Interpreter"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1059/009/","text":"T1059.009: Cloud API"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.6.1v1","remarks":"External code poses a security and privacy risk as there is no good way to regulate what is done with the data or integrations. 
Disabling this will reduce the risk of a data leak or malicious actor.","description":"Python and R interactions SHOULD be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"si-3","statement-ids":["si-3_smt"]}]}]}},{"uuid":"7f494fc7-11b6-4f74-8b53-71e216c37fab","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerbi.md#mspowerbi71v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERBI.7.1v1","remarks":"A document without sensitivity labels may be opened unknowingly, potentially exposing data to someone who is not supposed to have access to it. 
This policy will help organize and classify data, making it easier to keep data out of the wrong hands.","description":"Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive data per enterprise data protection policies.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-21","statement-ids":["ac-21_smt.b"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]}]}]}}],"title":"Assess Power BI for Data Exposure Controls, Guest Access, and Sensitivity Labeling","description":"This activity will examine the Power BI tenant configuration to verify compliance with the CISA SCuBA baseline. The assessment evaluates 8 policy checks spanning Publish to Web restrictions to prevent public data exposure, guest user and external invitation controls, service principal scope limitations, ResourceKey-based authentication blocking, Python and R visual execution restrictions, and sensitivity label enforcement for business intelligence content. The assessment method is EXAMINE, using read-only API queries against the tenant's Power BI configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Power BI."},{"uuid":"53852402-8cd6-4e1c-a559-f31bb004a66e","steps":[{"uuid":"dfce43a6-851c-492c-a636-5bd256ade4d3","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform11v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.POWERPLATFORM.1.1v1","remarks":"Users creating new Power Platform environments may inadvertently bypass data loss prevention (DLP) policy settings or misconfigure the security 
settings of their environment.","description":"The ability to create production and sandbox environments SHALL be restricted to admins.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.10","statement-ids":["ac-6.10_smt"]}]}]}},{"uuid":"54c54c04-c6ce-41ec-bb8b-36a937990bcf","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform12v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.POWERPLATFORM.1.2v1","remarks":"Users creating new Power Platform environments may inadvertently bypass DLP policy settings or misconfigure the security settings of their environment.","description":"The ability to create trial environments SHALL be restricted to admins.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6.10","statement-ids":["ac-6.10_smt"]}]}]}},{"uuid":"e4a06cc7-1196-45b1-b6d6-8b5a9a994e66","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform21v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.POWERPLATFORM.2.1v1","remarks":"All users in the tenant have access to the default Power Platform environment. Those users may inadvertently use connectors that share sensitive information with others who should not have access to it. 
Users requiring Power Apps should be directed to conduct development in other Power Platform environments with DLP connector policies customized to suit the user's needs while also maintaining the agency's security posture.","description":"A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"db9edd8e-4cfd-4ce7-a55e-7e5438d3bdd8","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform22v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1567/","text":"T1567: Exfiltration Over Web Service"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERPLATFORM.2.2v1","remarks":"Users may inadvertently use connectors that share sensitive information with others who should not have access to it. 
DLP policies provide a way for agencies to detect and prevent unauthorized disclosures.","description":"Non-default environments SHOULD have at least one DLP policy affecting them.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"b4f0269c-17cc-48c7-b489-b2c7d05cca10","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/004/","text":"T1078.004: Cloud Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1190/","text":"T1190: Exploit Public-Facing Application"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.POWERPLATFORM.3.1v1","remarks":"Provides an additional tenant isolation control on top of Microsoft Entra ID tenant isolation specifically for Power Platform applications to prevent accidental or malicious cross tenant information sharing.","description":"Power Platform tenant isolation SHALL be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"sc-7.5","statement-ids":["sc-7.5_smt"]}]}]}},{"uuid":"373b4103-7405-4221-9bc4-0bf293a7fbc9","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/powerplatform.md#mspowerplatform32v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.POWERPLATFORM.3.2v1","remarks":"Depending on agency needs an allowlist can be configured to allow cross tenant collaboration via connectors.","description":"An inbound/outbound connection allowlist SHOULD be 
configured.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"sc-7.5","statement-ids":["sc-7.5_smt"]}]}]}}],"title":"Assess Power Platform for Environment Governance, Data Loss Prevention, and Tenant Isolation","description":"This activity will examine the Power Platform tenant configuration to verify compliance with the CISA SCuBA baseline. The assessment evaluates 6 policy checks spanning restrictions on environment creation to authorized administrators, data loss prevention policy enforcement for default and non-default environments through connector classification, Power Platform tenant isolation to control cross-tenant data flows, and Content Security Policy enforcement for model-driven and canvas applications. The assessment method is EXAMINE, using read-only API queries against the tenant's Power Platform configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Power Platform."},{"uuid":"c98b996e-8dae-40ef-8b40-100ffbe9e5e3","steps":[{"uuid":"61e4e855-e81b-4d81-8eba-ec5ab5030bb1","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint11v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.1.1v1","remarks":"Sharing information outside the organization via SharePoint increases the risk of unauthorized access. 
By limiting external sharing, administrators decrease the risk of access to information.","description":"External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2","statement-ids":["ac-2_smt"]},{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"ia-8","statement-ids":["ia-8_smt"]}]}]}},{"uuid":"a20b7081-e9df-4ee5-8dc1-26e60ee85b5d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint12v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.1.2v1","remarks":"Sharing files outside the organization via OneDrive increases the risk of unauthorized access. 
By limiting external sharing, administrators decrease the risk of unauthorized access to information.","description":"External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-2","statement-ids":["ac-2_smt"]},{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"ia-8","statement-ids":["ia-8_smt"]}]}]}},{"uuid":"72c78ccd-bc7b-4397-93e7-566faa78110c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint13v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview","text":"Overview of external sharing in SharePoint and OneDrive in Microsoft 365 \\\\\\| Microsoft Documents"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off","text":"Manage sharing settings for SharePoint and OneDrive in Microsoft 365 \\\\\\| Microsoft Documents"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.1.3v1","remarks":"By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators can help prevent sharing with unknown organizations and individuals.","description":"External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency 
collaboration needs.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"ac-6.10","statement-ids":["ac-6.10_smt"]}]}]}},{"uuid":"0ad08cf0-dde6-43c6-8702-7978ce040d5a","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint21v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data Manipulation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.2.1v1","remarks":"By making the default sharing the most restrictive, administrators prevent accidentally sharing information too broadly.","description":"File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies).","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6","statement-ids":["ac-6_smt"]}]}]}},{"uuid":"0c986939-6fd7-4dca-b0fe-5282ea3f787c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint22v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1080/","text":"T1080: Taint Shared Content"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data 
Manipulation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.2.2v1","remarks":"Edit access to files and folders could allow a user to make unauthorized changes. By restricting default permissions to **View**, administrators prevent unintended or malicious modification.","description":"File and folder default sharing permissions SHALL be set to View.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6","statement-ids":["ac-6_smt"]}]}]}},{"uuid":"6eb1cff6-08f8-4213-be89-e4f8623ffd10","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint31v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1048/","text":"T1048: Exfiltration Over Alternative Protocol"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/002/","text":"T1213.002: Sharepoint"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.3.1v1","remarks":"Links may be used to provide access to information for a short period of time. Without expiration, however, access is indefinite. 
By setting expiration timers for links, administrators can prevent unintended sustained access to the link.","description":"Expiration days for Anyone links SHALL be set to 30 days or less.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]},{"control-id":"ac-21","statement-ids":["ac-21_smt.b"]}]}]}},{"uuid":"fda85380-893f-42b4-b093-c18c667d1430","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint32v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1080/","text":"T1080: Taint Shared Content"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data Manipulation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.3.2v1","remarks":"Unauthorized changes to files can be made if permissions allow editing by anyone. 
By restricting permissions on links to **View** only, administrators prevent anonymous file changes.","description":"The allowable file and folder permissions for links SHALL be set to View only.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-6","statement-ids":["ac-6_smt"]}]}]}},{"uuid":"10992cf7-a6bc-4dcb-a80b-1b563301e71c","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint33v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1080/","text":"T1080: Taint Shared Content"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/","text":"T1565: Data Manipulation"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1565/001/","text":"T1565.001: Stored Data Manipulation"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.SHAREPOINT.3.3v1","remarks":"A verification code may be issued to provide access to information for a short period. By setting expiration timers for verification code access, administrators can prevent unintended sustained access to documents.","description":"Reauthentication days for people who use a verification code SHALL be set to 30 days or less.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ia-11","statement-ids":["ia-11_smt"]}]}]}}],"title":"Assess SharePoint Online and OneDrive for External Sharing Restrictions and Default Permissions","description":"This activity will examine the SharePoint Online and OneDrive configuration of the M365 tenant to verify compliance with the CISA SCuBA baseline. 
The assessment evaluates 8 policy checks spanning external sharing limitations for both SharePoint and OneDrive, approved domain or security group scoping for external collaboration, default sharing scope and permission settings, Anyone link expiration and permission controls, and guest re-authentication requirements. All 8 policies in this baseline are mandatory under CISA BOD 25-01. The assessment method is EXAMINE, using read-only API queries against the tenant's SharePoint and OneDrive configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for SharePoint Online and OneDrive."},{"uuid":"5f62a033-3847-43ec-bafd-3dc1a7621029","steps":[{"uuid":"45a266d9-c274-44a1-899b-935abd5801b1","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams11v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.1v1","remarks":"An external participant with control of a shared screen could potentially perform unauthorized actions on the shared screen. This policy reduces that risk by removing an external participant's ability to request control. 
However, if an agency has a legitimate use case to grant this control, it may be done on a case-by-case basis.","description":"External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-17","statement-ids":["ac-17_smt.a"]}]}]}},{"uuid":"7313a2da-a6f8-4984-9fe3-595c116ef2de","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams12v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/","text":"T1078: Valid Accounts"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1078/001/","text":"T1078.001: Default Accounts"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.1.2v2","remarks":"For agencies that implemented custom policies providing more flexibility to some users to automatically admit \"everyone\" to a meeting - this policy provides protection from anonymous users starting meeting to scrape internal contacts.","description":"Anonymous users SHALL NOT be enabled to start meetings.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-15","statement-ids":["sc-15_smt.a"]}]}]}},{"uuid":"b04e3728-f290-4ab6-88ec-8a42bc2291de","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams13v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.3v1","remarks":"Automatically allowing admittance to anonymous and dial-in users diminishes control of meeting participation and invites potential data breach. This policy reduces that risk by requiring all anonymous and dial-in users to wait in a lobby until admitted by an authorized meeting participant. 
If the agency has a use case to admit members of specific trusted organizations and/or B2B guests automatically, custom policies may be created and assigned to authorized meeting organizers.","description":"Anonymous users and dial-in callers SHOULD NOT be admitted automatically.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-15","statement-ids":["sc-15_smt.a"]}]}]}},{"uuid":"922ca471-e6be-4bb5-b032-6c6c9d24ecca","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams14v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.4v1","remarks":"Requiring internal users to wait in the lobby for explicit admission can lead to admission fatigue. This policy enables internal users to be automatically admitted to the meeting through global policy.","description":"Internal users SHOULD be admitted automatically.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]}]}]}},{"uuid":"ac43c228-bb65-4ba5-854e-2646990181bd","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams15v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.5v1","remarks":"Automatically admitting dial-in users reduces control over who can participate in a meeting and increases potential for data breaches. 
This policy reduces the risk by requiring all dial-in users to wait in a lobby until they are admitted by an authorized meeting participant.","description":"Dial-in users SHOULD NOT be enabled to bypass the lobby.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-15","statement-ids":["sc-15_smt.a"]}]}]}},{"uuid":"9a97a8f0-6bff-4984-abe8-b4b2ed456710","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams16v1"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.6v1","remarks":"Allowing any user to record a Teams meeting or group call may lead to unauthorized disclosure of shared information, including audio, video, and shared screens. By disabling the meeting recording setting in the Global (Org-wide default) meeting policy, an agency limits information exposure.","description":"Meeting recording SHOULD be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]}]}]}},{"uuid":"268fdbe7-a572-42ef-beca-dd7ca98f35ce","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams17v2"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#meetings","text":"Meeting policy settings \\\\\\| Microsoft Learn"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.1.7v2","remarks":"Allowing to always record Live Events can pose data and video recording leakage and other security risks. Limiting recording permissions to only the organizer minimizes the security risk to the organizer's discretion for these Live Events. 
Administrators can also disable recording for all live events.","description":"Record an event SHOULD NOT be set to Always record.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-21","statement-ids":["ac-21_smt.a"]}]}]}},{"uuid":"4c0be109-33a3-4a6c-b6fc-4492de067406","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams21v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1199/","text":"T1199: Trusted Relationship"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.2.1v2","remarks":"The default configuration allows members to communicate with all external users with similar access permissions. This unrestricted access can lead to data breaches and other security threats. 
This policy provides protection against threats posed by unrestricted access by allowing communication with only trusted domains.","description":"External access for users SHALL only be enabled on a per-domain basis.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"ac-3","statement-ids":["ac-3_smt"]}]}]}},{"uuid":"cf9ce45a-4aa2-468e-9a7b-5993fd8a4ebe","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams22v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.2.2v2","remarks":"Allowing contact from unmanaged users can expose users to email and contact address harvesting. This policy provides protection against this type of harvesting.","description":"Unmanaged users SHALL NOT be enabled to initiate contact with internal users.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"si-8","statement-ids":["si-8_smt"]}]}]}},{"uuid":"034d265f-7df8-403f-a78d-0c310d51da2d","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams23v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.2.3v2","remarks":"Contact with unmanaged users can pose the risk of data leakage and other security threats. 
This policy provides protection by disabling internal user access to unmanaged users.","description":"Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-7","statement-ids":["cm-7_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]}]}]}},{"uuid":"94b2f653-90d6-4bb6-9643-cb7b75f239b4","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams41v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/002/","text":"T1204.002: Malicious File"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.4.1v1","remarks":"Microsoft Teams email integration associates a Microsoft, not tenant domain, email address with a Teams channel. Channel emails are addressed using the Microsoft-owned domain `<teams.ms>`. 
By disabling Teams email integration, an agency prevents potentially sensitive Teams messages from being sent through external email gateways.","description":"Teams email integration SHALL be disabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-8","statement-ids":["si-8_smt"]},{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt.a"]},{"control-id":"ac-4","statement-ids":["ac-4_smt"]}]}]}},{"uuid":"587319da-067a-4fef-8caf-237fabbad093","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams51v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1195/","text":"T1195: Supply Chain Compromise"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.5.1v2","remarks":"Allowing Teams integration with all Microsoft apps can expose the agency to potential vulnerabilities present in those apps. 
By only allowing specific apps and blocking all others, the agency will better manage its app integration and potential exposure points.","description":"Agencies SHOULD only allow installation of Microsoft apps approved by the agency.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-11","statement-ids":["cm-11_smt"]}]}]}},{"uuid":"8dc70ce3-4724-4a3d-84ec-0fe0e64f60c6","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams52v2"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1195/","text":"T1195: Supply Chain Compromise"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1528/","text":"T1528: Steal Application Access Token"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.5.2v2","remarks":"Allowing Teams integration with third-party apps can expose the agency to potential vulnerabilities present in an app not managed by the agency. 
By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to third-party app vulnerabilities.","description":"Agencies SHOULD only allow installation of third-party apps approved by the agency.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-11","statement-ids":["cm-11_smt"]}]}]}},{"uuid":"1745f3e7-32ac-49b4-a531-394f08835793","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams53v2"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoftteams/teams-app-permission-policies","text":"Use app permission policies to control user access to apps \\\\\\| Microsoft Learn"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload","text":"Upload your app in Microsoft Teams \\\\\\| Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1195/","text":"T1195: Supply Chain Compromise"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1528/","text":"T1528: Steal Application Access Token"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.5.3v2","remarks":"Allowing custom apps integration can expose the agency to potential vulnerabilities present in an app not managed by the agency. 
By allowing only specific apps approved by the agency and blocking all others, the agency can limit its exposure to custom app vulnerabilities.","description":"Agencies SHOULD only allow installation of custom apps approved by the agency.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"cm-11","statement-ids":["cm-11_smt"]}]}]}},{"uuid":"e93b699a-d37f-4656-a704-a74d462e9a94","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams61v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.6.1v1","remarks":"Teams users may inadvertently disclose sensitive information to unauthorized individuals. Data loss prevention policies provide a way for agencies to detect and prevent unauthorized disclosures.","description":"A DLP solution SHALL be enabled. 
The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"963093a1-3299-4a9e-9c8e-89b0051f625e","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams62v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp?view=o365-worldwide","text":"Plan for data loss prevention (DLP) \\\\\\| Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1213/","text":"T1213: Data from Information Repositories"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1530/","text":"T1530: Data from Cloud Storage"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHALL"}],"title":"MS.TEAMS.6.2v1","remarks":"Teams users may inadvertently share sensitive information with others who should not have access to it. 
Data loss prevention policies provide a way for agencies to detect and prevent unauthorized sharing of sensitive information.","description":"The DLP solution SHALL protect personally identifiable information (PII)","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"sc-7.10","statement-ids":["sc-7.10_smt"]}]}]}},{"uuid":"c4fc1f31-0fae-4f82-8c6a-4c3db20524ce","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams71v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.7.1v1","remarks":"Teams can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users.","description":"Attachments included with Teams messages SHOULD be scanned for malware.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt.a"]}]}]}},{"uuid":"9c74778d-3552-40ac-83f7-f3ea163af154","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams72v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/002/","text":"T1204.002: Malicious File"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.7.2v1","remarks":"Teams can be used as a mechanism for delivering malware. 
In many cases, malware can be detected through scanning, reducing the risk for end users.","description":"Users SHOULD be prevented from opening or downloading files detected as malware.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt.a"]}]}]}},{"uuid":"40a2e5b5-d0e4-4eaa-9069-e3344d00c975","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams81v1"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/002/","text":"T1204.002: Malicious File"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1189/","text":"T1189: Drive-by Compromise"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.8.1v1","remarks":"Users may be directed to malicious websites via links in Teams. 
Blocking access to known malicious URLs can help prevent users from accessing known malicious websites.","description":"URL comparison with a blocklist SHOULD be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"si-3","statement-ids":["si-3_smt.a"]}]}]}},{"uuid":"5cf09325-25bb-4ede-b5e0-a27fcaa42077","links":[{"rel":"canonical","href":"https://github.com/cisagov/ScubaGear/tree/main/PowerShell/ScubaGear/baselines/teams.md#msteams82v1"},{"rel":"reference","href":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide","text":"Set up Safe Links policies in Microsoft Defender for Office 365 \\\\\\| Microsoft Learn"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/","text":"T1204: User Execution"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/001/","text":"T1204.001: Malicious Link"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1204/002/","text":"T1204.002: Malicious File"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/","text":"T1566: Phishing"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1566/001/","text":"T1566.001: Spearphishing Attachment"},{"rel":"mitre","href":"https://attack.mitre.org/techniques/T1189/","text":"T1189: Drive-by Compromise"}],"props":[{"name":"method","value":"EXAMINE"},{"ns":"http://cisa.gov/ns/oscal","name":"criticality","value":"SHOULD"}],"title":"MS.TEAMS.8.2v1","remarks":"Users may click on malicious links in Teams, leading to compromise or authorized data disclosure. 
Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident.","description":"User click tracking SHOULD be enabled.","reviewed-controls":{"control-selections":[{"include-controls":[{"control-id":"au-12","statement-ids":["au-12_smt.c"]}]}]}}],"title":"Assess Microsoft Teams for Meeting Security, External Access Controls, and App Management","description":"This activity will examine the Microsoft Teams configuration of the M365 tenant to verify compliance with the CISA SCuBA baseline. The assessment evaluates 20 policy checks spanning meeting lobby bypass restrictions for anonymous and dial-in users, external participant control policies, meeting recording defaults, external access domain allowlisting, unmanaged user contact restrictions, Teams email integration controls, third-party and custom application installation governance, data loss prevention for sensitive information in Teams messages, and Safe Attachments and Safe Links protections for Teams content. 
The assessment method is EXAMINE, using read-only API queries against the tenant's Teams configuration, and results are compared against the CISA SCuBA Secure Configuration Baseline for Teams."}]},"reviewed-controls":{"control-selections":[{"include-all":{}}]},"back-matter":{"resources":[{"uuid":"080172e1-3306-4f73-99b6-c1facbc21077","props":[{"ns":"http://comply0.com/ns/oscal","name":"type","value":"system-security-plan"}],"title":"\\[System Name\\] SSP","rlinks":[{"href":"./ssp.xml","media-type":"application/xml"},{"href":"https://registry.oscal.io/api/v1/pirooz-javan/system-security-plans/17eb373b-6c3a-4ef9-a021-0f8995cb4ce2","media-type":"application/json"},{"href":"./ssp.yaml","media-type":"application/yaml"}]},{"uuid":"6392cc05-4bc6-4aaf-97b1-c758d9978f58","props":[{"name":"version","value":"Revision 5"}],"title":"NIST SP 800-53r5","rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/refs/tags/v1.4.0/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml","media-type":"application/xml"},{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/refs/tags/v1.4.0/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","media-type":"application/json"},{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/refs/tags/v1.4.0/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application/yaml"}]}]}}}