<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Franklin Gothic Book";
        panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.xxmsonormal, li.xxmsonormal, div.xxmsonormal
        {mso-style-name:x_x_msonormal;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.xxmsobodytext, li.xxmsobodytext, div.xxmsobodytext
        {mso-style-name:x_x_msobodytext;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.xxparagraph0, li.xxparagraph0, div.xxparagraph0
        {mso-style-name:x_x_paragraph0;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.xxcontentpasted4
        {mso-style-name:x_x_contentpasted4;}
span.xxnormaltextrun
        {mso-style-name:x_x_normaltextrun;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<div>
<div>
<div>
<p class="xxmsobodytext" style="mso-margin-top-alt:12.55pt;margin-right:31.7pt;margin-bottom:8.0pt;margin-left:0in">
<span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched the Secure Cloud Business Applications (SCuBA) project
 that was funded through the </span><span style="color:black"><a href="https://www.whitehouse.gov/briefing-room/legislation/2021/01/20/president-biden-announces-american-rescue-plan/"><span style="font-family:'Franklin Gothic Book',sans-serif;background:white">American
 Rescue Plan Act of 2021</span></a></span><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">. The project was established to develop consistent, effective, modern, and manageable security configurations that will help
 secure agency information assets stored within cloud environments.  </span><span style="color:black"><o:p></o:p></span></p>
<p class="xxparagraph0"><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:#030303;background:white">Today, CISA
<a href="https://www.cisa.gov/blog/2022/10/20/scuba-dives-deeper-help-federal-agencies-secure-their-cloud-environments-publishes" title="https://www.cisa.gov/blog/2022/10/20/scuba-dives-deeper-help-federal-agencies-secure-their-cloud-environments-publishes">
announced</a> it has published a series of security configuration baselines for Microsoft 365 (M365) as a part of the Secure Cloud Business Applications (SCuBA) project, which collectively will help agencies adopt necessary security and resilience practices
 when utilizing cloud services. </span></span><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">The CISA M365 SCBs build on previous security configuration baselines developed by the Federal
 Chief Information Officers Council’s Cyber Innovation Tiger Team (CITT).  </span></span><span class="xxnormaltextrun"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span></span><span style="font-size:10.0pt;color:#030303"><o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">These baseline documents were developed to assist federal agencies in rapidly assessing their M365 services, specifically
 these eight: Microsoft Teams, SharePoint, Power Platform, Power BI, OneDrive for Business, Exchange Online, Defender for Office 365 and Azure Active Directory. </span></span><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">While these documents are principally intended for use by federal agencies, CISA recommends that all organizations
 utilizing cloud services review the M365 security configuration baseline documents and implement practices therein where appropriate. </span></span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">Until November 24, the eight baseline products are
<a href="https://github.com/cisagov/ScubaGear" title="https://github.com/cisagov/ScubaGear">
open for public comment</a>. We encourage you to review them and provide feedback because we want to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise. Comments should
 be submitted to: </span></span><span style="font-family:'Arial',sans-serif;color:black"><a href="mailto:QSMO@CISA.dhs.gov"><span style="font-family:'Franklin Gothic Book',sans-serif;background:white">QSMO@CISA.dhs.gov</span></a></span><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">.
  </span></span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxcontentpasted4"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white">We look forward to receiving and reviewing your feedback on this important effort to improve federal cloud cybersecurity. </span></span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black;background:white"> </span><span style="font-family:'Arial',sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>