SCuBA compliance tools for Microsoft 365

CISA SCuBA gives Microsoft 365 a published secure configuration baseline, and a small set of tools assess your tenant against it. This page explains what SCuBA is, the tools that check it (CISA ScubaGear and Maester), the gaps they leave, and how Siemserva adds ranked posture, compliance mapping, and validated remediation on top.

What is CISA SCuBA?

SCuBA stands for Secure Cloud Business Applications, a project from the US Cybersecurity and Infrastructure Security Agency (CISA). Its goal is to improve the security of cloud business application environments. For Microsoft 365 it publishes the M365 Secure Configuration Baselines (SCBs), a set of recommended configuration settings organized by workload.

The Microsoft 365 baselines cover the major workloads, including:

  • Entra ID (Azure AD)
  • Exchange Online
  • SharePoint & OneDrive
  • Teams
  • Defender for Office 365
  • Power Platform

SCuBA originated as guidance for US federal civilian executive branch agencies, where related CISA binding operational directives apply. Outside that scope it is not a legal mandate, but it has been widely adopted as a strong, public baseline for securing Microsoft 365.

The SCuBA assessment tools

Two tools are the usual way teams check a tenant against the SCuBA baselines.

CISA ScubaGear

The official open-source assessment tool from CISA. It is a PowerShell module that reads your Microsoft 365 configuration, evaluates it against the SCuBA Secure Configuration Baselines (the policy logic runs in Open Policy Agent), and produces per-control reports in HTML and JSON with a result of Pass, Fail, Warning or N/A for each control. It is free and transparent.

Maester

A community-maintained test framework for Microsoft 365 security, driven by Microsoft MVPs and built on Pester. It bundles a set of SCuBA-derived tests alongside its own security checks, and because it is plain Pester it fits a security-as-code workflow you can run on a schedule or in a pipeline.
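The two assessments described above, run end to end from a PowerShell session, as an added example that is not part of the original page and not code from CISA or the Maester project. The cmdlet names and parameters are the ones the tools publish; the output folder, the product list and the use of the CISA tag to select the SCuBA-derived Maester tests are this example's choices, so adjust them to your tenant.

```powershell
# Added example (not from CISA, Maester or the page). Assumes an interactive session
# with an account that can read tenant configuration in every workload assessed.

# --- ScubaGear ---
Install-Module -Name ScubaGear -Scope CurrentUser
Initialize-SCuBA    # one-time: fetches OPA and the PowerShell modules ScubaGear depends on

# Assess Entra ID, Exchange Online and Defender for Office 365 against the baselines.
# The HTML and JSON reports are written under .\scuba-out (an example path).
Invoke-SCuBA -ProductNames aad, exo, defender -M365Environment commercial -OutPath .\scuba-out

# --- Maester ---
Install-Module -Name Maester -Scope CurrentUser
New-Item -ItemType Directory -Path .\maester -Force | Out-Null   # example working folder
Set-Location .\maester
Install-MaesterTests -Path .\tests    # copies the bundled test suite, including the SCuBA-derived tests
Connect-Maester                       # interactive sign-in to the Graph and Exchange endpoints the tests need
Invoke-Maester -Tag CISA              # assumption: run only the tests tagged CISA; writes an HTML report
```

Run ScubaGear first when you only want the baseline verdicts; Maester is worth adding when you want the same checks to live beside your own Pester tests and re-run automatically.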

The gap these tools leave

ScubaGear and Maester are genuinely useful, and they are transparent and free. They do, however, stop short of what a security manager or an MSP needs to act and report.

  • Pass/fail output. You get whether a control passed or failed and what the check observed, but not what to do first.
  • No ranked prioritization. ScubaGear labels each control Shall or Should, which is a coarse priority, but neither tool orders findings by severity or business impact, so triage is manual.
  • No validated remediation. They tell you a control failed, not a vetted, step-by-step fix you can trust.
  • Limited executive and client reporting. The raw reports are built for engineers, not for an executive summary or an MSP client deliverable.
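A small triage step that closes part of the prioritization gap yourself, as an added example that is not ScubaGear's own code or part of the original page. It ranks the failed and warned controls in a ScubaGear JSON report by the Shall/Should criticality the tool already records. The JSON layout is assumed to mirror the columns of the HTML report (Control ID, Requirement, Result, Criticality, Details under a Results object keyed by product); confirm that against your own ScubaResults*.json before relying on it. The $sample document is constructed for the example, not real tool output, although the control IDs and requirement text are real baseline controls.

```powershell
# Added example, not ScubaGear's own code. The JSON shape below is an assumption
# based on the HTML report columns; $sample is constructed, not captured output.
$sample = @'
{
  "Results": {
    "AAD": [
      { "GroupName": "Legacy Authentication", "Controls": [
        { "Control ID": "MS.AAD.1.1v1", "Requirement": "Legacy authentication SHALL be blocked.",
          "Result": "Fail", "Criticality": "Shall", "Details": "constructed: no blocking policy found" } ] },
      { "GroupName": "Risk Based Policies", "Controls": [
        { "Control ID": "MS.AAD.2.2v1", "Requirement": "A notification SHOULD be sent to the administrator when high-risk users are detected.",
          "Result": "Fail", "Criticality": "Should", "Details": "constructed: no notification configured" },
        { "Control ID": "MS.AAD.2.3v1", "Requirement": "Sign-ins detected as high risk SHALL be blocked.",
          "Result": "Pass", "Criticality": "Shall", "Details": "constructed: 1 policy found" } ] }
    ],
    "EXO": [
      { "GroupName": "Automatic Forwarding to External Domains", "Controls": [
        { "Control ID": "MS.EXO.1.1v1", "Requirement": "Automatic forwarding to external domains SHALL be disabled.",
          "Result": "Warning", "Criticality": "Shall", "Details": "constructed: 2 remote domains allow forwarding" } ] }
    ]
  }
}
'@

function Get-ScubaTriage {
    # Flattens a ScubaGear JSON report into one object per non-passing control,
    # ordered Shall before Should and Fail before Warning, then by control ID.
    param([Parameter(Mandatory)][string]$Json)

    $report   = $Json | ConvertFrom-Json
    $critRank = @{ 'Shall' = 0; 'Should' = 1 }          # unknown criticality sorts last
    $resRank  = @{ 'Fail'  = 0; 'Warning' = 1 }

    $findings = foreach ($product in $report.Results.PSObject.Properties) {
        foreach ($group in $product.Value) {
            foreach ($ctl in $group.Controls) {
                if (-not $resRank.ContainsKey($ctl.Result)) { continue }   # keep Fail and Warning only
                [pscustomobject]@{
                    Product     = $product.Name
                    ControlId   = $ctl.'Control ID'
                    Criticality = $ctl.Criticality
                    Result      = $ctl.Result
                    Group       = $group.GroupName
                    Requirement = $ctl.Requirement
                    Details     = $ctl.Details
                }
            }
        }
    }

    $findings | Sort-Object `
        @{ Expression = { if ($critRank.ContainsKey($_.Criticality)) { $critRank[$_.Criticality] } else { 2 } } },
        @{ Expression = { $resRank[$_.Result] } },
        ControlId
}

# Usage on the constructed sample; for a real run, read the report instead:
#   $json = Get-Content -Raw (Get-ChildItem .\scuba-out -Recurse -Filter 'ScubaResults*.json' | Select-Object -First 1)
Get-ScubaTriage -Json $sample | Format-Table Product, ControlId, Criticality, Result, Requirement -AutoSize
```

On the sample this lists MS.AAD.1.1v1 (Shall, Fail) first, then MS.EXO.1.1v1 (Shall, Warning), then MS.AAD.2.2v1 (Should, Fail); the passing control is dropped. Criticality is still only a two-level ordering, so anything finer, such as weighting by the number of affected users or by a framework mapping, has to come from outside the report.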

How Siemserva complements SCuBA

Siemserva does not replace SCuBA tooling; it builds on the same idea. It aligns to SCuBA-style baselines alongside 650+ native checks across Microsoft 365, Intune, Entra ID, and Purview, then turns raw results into something you can act on and hand to a stakeholder.

  • Ranks findings by severity so you know what to fix first.
  • Maps each finding to recognized compliance frameworks, not just one baseline.
  • Adds AI-generated, Senserva-validated remediation for each issue. AI is optional and bring-your-own-model via MCP, working with Claude or any other model.
  • Supports MSP multi-tenant work with client-ready reports. It runs locally on Windows and Mac, with no agents to deploy and no cloud service in the path.

Want to see it first? There is a free Advanced Microsoft 365 Security Simulator with no access to your tenant. You can also review compliance and frameworks.


Frequently asked

Is ScubaGear free?

Yes. CISA ScubaGear is a free, open-source PowerShell tool published by CISA. It checks a Microsoft 365 tenant against the SCuBA Secure Configuration Baselines and produces pass/fail reports at no cost.

Does Siemserva replace ScubaGear?

No. Siemserva complements SCuBA tooling. ScubaGear and Maester give transparent pass/fail checks against the baselines. Siemserva aligns to SCuBA-style baselines alongside 650+ native checks, then ranks findings, maps them to compliance frameworks, and adds AI-generated, Senserva-validated remediation.

Is SCuBA mandatory?

SCuBA originated as CISA guidance for US federal civilian executive branch agencies, where related binding operational directives apply. For other organizations it is not a legal mandate, but it is widely adopted as a strong general baseline for securing Microsoft 365.

Can MSPs run this across tenants?

Yes. Siemserva supports MSP multi-tenant work, so you can assess SCuBA-style posture and 650+ checks across many client tenants, rank findings, and produce client-ready reports with validated remediation.

Try the Advanced Microsoft 365 Security Simulator

See exactly what Siemserva finds on a rich, realistic simulated tenant, with no access to your environment needed. Launch it right after install, or ask for a free key.
