What Is CISA SCuBA and Why Houston Businesses Need Better Microsoft 365 Security

If your business runs on Microsoft 365 — and most businesses in Conroe, The Woodlands, and the greater Houston area do — there is a very good chance your tenant is misconfigured in ways that leave you exposed. Not because your IT provider is incompetent, but because the default M365 settings are not secure settings. They are convenience settings.

CISA, the Cybersecurity and Infrastructure Security Agency, recognized this problem and published a solution. It’s called SCuBA (Secure Cloud Business Applications), and it is the most specific, auditable configuration baseline publicly available for Microsoft 365. At Galaxy IT Solutions, it’s the standard we use to evaluate and harden every client’s M365 environment. Here’s what it means and why it matters for your business.

What Is CISA SCuBA?

SCuBA stands for Secure Cloud Business Applications. It’s a CISA project that defines how cloud productivity platforms should be configured to minimize security risk; it produced baselines for Microsoft 365 and, separately, for Google Workspace. Each baseline is a set of detailed, policy-by-policy configuration requirements, each marked SHALL (required) or SHOULD (recommended), covering the core Microsoft 365 apps your business relies on every day.

The SCuBA baseline covers:

  • Microsoft Entra ID, formerly Azure Active Directory (identity and access management)
  • Microsoft Defender for Office 365 (email threat protection)
  • Exchange Online (email configuration)
  • SharePoint Online and OneDrive (file storage and sharing)
  • Microsoft Teams (collaboration)
  • Power Platform (low-code apps)
  • Power BI (reporting and data sharing)

For each of these, SCuBA specifies what should and should not be enabled, not as vague recommendations but as concrete, auditable settings. CISA also released an open-source PowerShell tool called ScubaGear that reads your tenant’s configuration through the Microsoft 365 admin APIs, evaluates it against the baseline with Open Policy Agent rules, and generates an HTML and JSON compliance report showing exactly where you pass and where you fail.

Was SCuBA Designed for Businesses Like Mine?

SCuBA was developed for federal civilian executive branch agencies, and CISA’s Binding Operational Directive 25-01, issued in December 2024, requires those agencies to run ScubaGear and implement the mandatory SCuBA policies in their Microsoft 365 tenants. But the baselines themselves are public, free to use, and directly applicable to any organization running Microsoft 365, including small and mid-sized businesses.

The security threats that motivated SCuBA are the same ones targeting Houston-area businesses: credential theft, business email compromise, misconfigured guest access, overprivileged accounts, and unmonitored external sharing. These are not federal agency problems. They are SMB problems. The difference is that federal agencies are now required to fix them. Your business should choose to.

What Does a Misconfigured M365 Tenant Actually Look Like?

When we run a SCuBA assessment on a new client’s Microsoft 365 environment, here are the issues we find most often:

Legacy Authentication Is Enabled

Legacy authentication means basic username-and-password authentication over protocols such as IMAP, POP3, SMTP AUTH, and Exchange ActiveSync. Those sign-in flows carry no MFA step at all, so password-spray and credential-stuffing attacks against them succeed with the password alone, which is exactly why attackers target them. SCuBA requires legacy authentication to be blocked. Microsoft has retired basic authentication for most Exchange Online protocols, but an explicit Conditional Access block is still the baseline control and the way you prove it. Most tenants we inherit have no such policy.

MFA Is Not Enforced with Conditional Access

Many tenants have MFA “available” (users can register a method) but not enforced through Conditional Access policies in Entra ID. Without a policy that requires MFA for all users on all cloud apps, a user who never enrolled is never prompted, and any app or sign-in scenario a narrowly scoped policy leaves out gets through with a password alone. SCuBA defines specific Conditional Access policies that close these gaps.

Guest Access Is Unrestricted

By default, any user in the tenant can invite guests, and SharePoint and OneDrive allow sharing with anyone who holds a link. We routinely find client environments where former vendors, contractors, or unknown external accounts still have access to sensitive files, sometimes years after a relationship ended, because nobody ever reviews the guest list.
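The review and the tightening described above, as an added example (this is not Galaxy IT’s or CISA’s code): it lists guest accounts that have not signed in for 90 days, restricts who can invite guests and what guests can enumerate in Entra ID, and removes anonymous “Anyone” links in SharePoint and OneDrive. It assumes Entra ID P1 (needed for the sign-in activity property) and a hypothetical SharePoint admin URL of https://contoso-admin.sharepoint.com that you replace with your own.

```powershell
# Added example (not Galaxy IT's or CISA's code): inventory stale guests, then
# tighten the tenant-wide guest and sharing settings covered by SCuBA's Entra ID
# and SharePoint baselines.
# Assumptions (hypothetical): Entra ID P1 is licensed (SignInActivity needs it) and
# the SharePoint admin URL below is replaced with your tenant's.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Policy.ReadWrite.Authorization"

# --- 1. Guests with no sign-in in the last 90 days (or ever) ---
$cutoff = (Get-Date).AddDays(-90)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

$staleGuests = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    if (-not $lastSignIn -or $lastSignIn -lt $cutoff) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            Invited     = $g.CreatedDateTime
            LastSignIn  = if ($lastSignIn) { $lastSignIn } else { "never" }
            Id          = $g.Id
        }
    }
}
$staleGuests | Sort-Object Invited | Format-Table -AutoSize
# Review the list with the business owner first, then remove what is no longer needed:
# $staleGuests | ForEach-Object { Remove-MgUser -UserId $_.Id }

# --- 2. Entra ID: only admins and Guest Inviters may invite; guests get the
#        built-in "Restricted Guest User" role so they cannot enumerate the directory.
#        (The tenant default for AllowInvitesFrom is "everyone".)
Update-MgPolicyAuthorizationPolicy `
    -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"

# --- 3. SharePoint / OneDrive: no anonymous "Anyone" links, least-privilege link defaults ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL
Set-SPOTenant `
    -SharingCapability         ExternalUserSharingOnly `
    -OneDriveSharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType    Direct `
    -DefaultLinkPermission     View
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Run the guest inventory first and decide removals with the business, because a guest who last signed in 91 days ago may be a quarterly auditor rather than a forgotten contractor. The SharePoint Online Management Shell is happiest in Windows PowerShell 5.1; the Graph cmdlets run in either edition.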

Audit Logging Is Not Configured for Retention

If a breach occurs and unified audit logging was disabled, or its retention was shorter than the attacker’s dwell time, you cannot reconstruct what happened, when, or how. Audit logging is on by default in new tenants, but it can be switched off, and the standard tier keeps only 180 days unless you license longer retention. SCuBA’s Exchange baseline requires unified audit logging to be enabled and addresses retention and alert policies across the tenant.
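As an added example of the check and of why the log matters (not code from Galaxy IT or CISA): the script below confirms unified audit log ingestion is on, enables it if not, and then pulls the last 30 days of inbox-rule and mailbox-permission changes, which is the first thing an investigator looks for in a business email compromise. It assumes the Exchange Online PowerShell V3 module and an account holding the Audit Logs role.

```powershell
# Added example (not Galaxy IT's or CISA's code): verify/enable unified audit
# logging, then demonstrate its investigative value by hunting the classic BEC
# footprint (inbox rules that hide or forward mail, delegates added to mailboxes).
# Assumes ExchangeOnlineManagement (V3) and an account with the Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Is unified audit log ingestion enabled? SCuBA's Exchange baseline requires it.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF - enabling it (can take up to an hour to take effect)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    "Unified audit log ingestion: enabled"
}

# 2. Hunt mailbox-rule and delegation changes over the last 30 days. These are the
#    operation names the unified audit log records for the Exchange cmdlets and for
#    rules created from Outlook (UpdateInboxRules).
$operations = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox", "Add-MailboxPermission"
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations $operations -ResultSize 5000

$findings = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json          # AuditData is a JSON string per record
    # Flatten cmdlet parameters (rule name, ForwardTo, DeleteMessage, ...) into one column
    $params = ($data.Parameters | ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join "; "
    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        Target    = $data.ObjectId
        ClientIP  = $data.ClientIP
        Details   = $params
    }
}
$findings | Sort-Object When -Descending | Format-Table -Wrap
```

A rule named with a single character or a period, one that moves mail to RSS Feeds or Deleted Items, or a forward to an external address created from an unfamiliar IP is the pattern to escalate. If you expect more than 5,000 records, page through with `-SessionCommand ReturnLargeSet` and a session ID.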

Phishing-Resistant MFA Is Not in Use

SMS codes and push approvals, even with number matching, are better than nothing, but both can be defeated: SMS through SIM swapping, and SMS or push alike through real-time adversary-in-the-middle phishing kits that relay the whole login, prompt included. SCuBA treats phishing-resistant MFA (FIDO2 security keys and passkeys, Windows Hello for Business, and certificate-based authentication) as the target for all users and requires it for highly privileged roles.
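The three Conditional Access policies discussed in the legacy authentication, MFA enforcement, and phishing-resistant MFA sections above, as one added example written with Microsoft Graph PowerShell (this is not Galaxy IT’s or CISA’s code). Every policy is created in report-only mode so the sign-in log shows who would have been blocked before anything is enforced. It assumes Entra ID P1 (Conditional Access), a dedicated break-glass account whose object ID you paste in, and the SCuBA policy numbers cited in comments as I recall them from the Entra ID baseline; confirm them against the current published version.

```powershell
# Added example (not Galaxy IT's or CISA's code): the three Conditional Access
# policies the text describes, created in report-only mode.
# Assumptions (hypothetical): Entra ID P1, and a break-glass account whose object
# ID replaces the placeholder below. SCuBA policy IDs in comments are from memory;
# verify against the current baseline.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object ID
$reportOnly   = "enabledForReportingButNotEnforced"        # flip to "enabled" after reviewing impact

# 1. Block legacy authentication (SCuBA MS.AAD.1.1v1). "exchangeActiveSync" and
#    "other" are the client app types that carry basic-auth / legacy protocols.
$blockLegacyAuth = @{
    displayName   = "SCuBA MS.AAD.1.1 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Require MFA for every user on every cloud app (SCuBA MS.AAD.3.2v1). Scoping
#    to All users / All apps is what closes the "never enrolled" gap: a user with
#    no registered method is pushed through registration at the next sign-in.
$requireMfa = @{
    displayName   = "SCuBA MS.AAD.3.2 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Phishing-resistant MFA for highly privileged roles (SCuBA MS.AAD.3.6v1) via the
#    built-in "Phishing-resistant MFA" authentication strength (FIDO2/passkey,
#    Windows Hello for Business, certificate-based auth). Role IDs are looked up
#    from the tenant's role templates so no role GUIDs are hard-coded.
$privilegedRoleNames = @(
    "Global Administrator", "Privileged Role Administrator", "User Administrator",
    "SharePoint Administrator", "Exchange Administrator", "Hybrid Identity Administrator",
    "Application Administrator", "Cloud Application Administrator"
)
$privilegedRoleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $privilegedRoleNames } |
    Select-Object -ExpandProperty Id

$phishingResistantForAdmins = @{
    displayName   = "SCuBA MS.AAD.3.6 - Phishing-resistant MFA for privileged roles"
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeRoles = $privilegedRoleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  # built-in "Phishing-resistant MFA"
    }
}

foreach ($policy in @($blockLegacyAuth, $requireMfa, $phishingResistantForAdmins)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode for at least a week, check the Conditional Access insights for each, and only then set `state = "enabled"`. Enable the legacy-auth block first (it affects the fewest real users), then MFA for all, then the admin policy, and never remove the break-glass exclusion.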

Why Most MSPs in the Conroe and Houston Area Are Not Doing This

Most managed service providers configure Microsoft 365 using vendor best-practice guides or their own internal checklists. These are not bad, but they are not systematic. They lack the depth of a federal security baseline, they are not revised on a published schedule as the threat landscape changes, and they do not produce an auditable compliance report you can show to cyber insurance carriers, clients, or regulators.

Galaxy IT Solutions’ owner Justin Jones holds a NIST Cybersecurity Framework Practitioner credential and has built our M365 security practice around the CISA SCuBA baseline specifically because it is the most rigorous, defensible standard available. When we harden your tenant, we do it against a documented baseline — not a gut feeling.

This matters more than you might think. Cyber insurance underwriters are increasingly asking detailed questions about M365 configuration. A documented SCuBA assessment gives you something concrete to provide.

What a SCuBA-Based M365 Hardening Engagement Looks Like

When Galaxy IT runs a Microsoft 365 security assessment and hardening engagement, here is what happens:

  1. Tenant scan with ScubaGear: We run CISA’s open-source assessment tool against your tenant and generate a full compliance report across every SCuBA policy area.
  2. Gap analysis and risk ranking: We review every failed control, prioritize by risk level, and walk you through what each one means in plain language.
  3. Remediation: We implement the required configuration changes — Conditional Access policies, legacy auth blocks, guest access restrictions, Defender for Office 365 tuning, audit log configuration, and more.
  4. Ongoing monitoring: Configuration drift is real. We monitor your tenant as part of our managed service to catch controls that have slipped out of compliance, new accounts with excessive privileges, and changes that introduce risk.

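Steps 1 and 2 of the engagement above, and the ScubaGear description in the “What Is CISA SCuBA?” section, as one added example (this is a generic walkthrough of CISA’s public tool, not Galaxy IT’s own tooling): install ScubaGear, assess every product the M365 baselines cover, and reduce the raw results to the failed-control list the gap analysis starts from. It assumes PowerShell 5.1 or later on Windows, a Global Reader or higher account for the tenant, and the output file and field names (TestResults.json with PolicyId, Criticality, RequirementMet, Details) as produced by the ScubaGear releases I have used; check them against your installed version.

```powershell
# Added example (not Galaxy IT's own tooling): run CISA's ScubaGear and turn the
# raw results into a prioritized failed-control list.
# Assumptions: Windows PowerShell 5.1+, a Global Reader (or higher) account, and
# the TestResults.json layout of the ScubaGear versions I have used (fields
# PolicyId, Criticality, RequirementMet, Details); verify against your version.
Install-Module -Name ScubaGear -Scope CurrentUser
Import-Module ScubaGear

# One-time: installs the Graph/EXO/SPO/Teams/Power Platform modules and the OPA binary
Initialize-SCuBA

# Step 1: assess every product ScubaGear supports. Expect one sign-in prompt per product.
$outPath = Join-Path $PWD "ScubaReports"
Invoke-SCuBA -ProductNames aad, defender, exo, sharepoint, teams, powerplatform -OutPath $outPath

# Step 2: newest report folder, then every failed control with SHALL (mandatory)
# items before SHOULD (recommended). Checks that need manual review carry a null
# RequirementMet, so test explicitly for $false rather than "not true".
$latestRun = Get-ChildItem -Path $outPath -Directory |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$results = Get-Content -Path (Join-Path $latestRun.FullName "TestResults.json") -Raw | ConvertFrom-Json

$failed = $results |
    Where-Object { $_.RequirementMet -eq $false } |
    Sort-Object @{ Expression = { if ($_.Criticality -like "Shall*") { 0 } else { 1 } } }, PolicyId

"{0} of {1} checks failed in {2}" -f $failed.Count, $results.Count, $latestRun.Name
$failed | Select-Object PolicyId, Criticality, Details | Format-Table -Wrap

# Step 4 (drift): keep each run's TestResults.json and diff PolicyId/RequirementMet
# between runs; a control that flips from met to not met is configuration drift.
```

The BaselineReports.html file in the same folder is the human-readable version to hand to an insurance underwriter; the JSON is what you keep for trend and drift tracking between runs.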
Your Microsoft 365 Tenant Is Not Secure by Default

Microsoft builds M365 to be easy to start using, not easy to secure. The default settings prioritize collaboration and accessibility. Moving to a hardened configuration requires deliberate, technically informed action — and it requires knowing what you’re looking for.

Houston and Montgomery County businesses that use M365 for email, file storage, and communication are running their entire business on a platform that needs to be secured properly. The CISA SCuBA baseline tells us exactly what “properly” means. Galaxy IT Solutions knows how to get you there.

Ready to find out how your Microsoft 365 tenant scores against the CISA SCuBA baseline? Call Galaxy IT Solutions at (346) 406-1700 or visit galaxyit.solutions to schedule your M365 security assessment.
