Commercial Routing Assistance
Free Tools for Cloud Environments
CISA TOOLS
The Cyber Security Evaluation Tool
CISA developed the Cyber Security Evaluation Tool (CSET) using industry-recognized standards, frameworks, and
recommendations to assist organizations in evaluating their enterprise and asset cybersecurity posture. CSET asks
detailed questions about organizations’ system components, architectures, and operational policies and procedures.
CSET uses provided answers to generate a report highlighting strengths and weaknesses and offering prioritized
recommendations for optimizing an organization’s cybersecurity posture.
As of CSET version 11.5, the tool includes a Cross-Sector Cyber Performance Goals (CPG) assessment intended to help
organizations determine the extent to which they have implemented CISA’s CPGs. The CPGs, developed by CISA and the
National Institute of Standards and Technology (NIST), provide a minimum set of best practices and protection guidance
that CISA and NIST recommend all organizations follow. CPGs are derived from existing cybersecurity frameworks and
guidance to protect against the most common and impactful TTPs.
Network administrators of all organizations, including those with hybrid environments, can use CSET to identify gaps
and areas for future investment.
See CISA’s CSET GitHub page for directions on downloading and using CSET.
SCuBAGear M365 Secure Configuration Baseline Assessment Tool
SCuBAGear is a CISA-created automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant
configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA’s Secure Cloud Business
Applications (SCuBA) project, which provides guidance for FCEB agencies securing their cloud business application
environments and protecting federal information created, accessed, shared, and stored in those environments. Although
tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments.
CISA created the SCuBA program in response to the SolarWinds Orion software supply chain compromise. During the
SolarWinds Orion supply chain compromise, threat actors changed domain federation trust settings using Azure Active
Directory (AAD) administrative permissions; the threat actors configured the domain to accept authorization tokens signed
using their own security assertion markup language (SAML) signing certificate. The actors used these tokens to access
resources in hosted environments, such as email, for data exfiltration via an authorized application programming
interface (API). As part of SCuBA, CISA developed multiple documents that collectively provide guidance on cloud security
and hardening:
• The SCuBA Technical Reference Architecture (TRA) – describes essential components of security services and
capabilities to secure and harden cloud business applications, including the platforms hosting the applications.
These security services and capabilities prevent and mitigate vulnerabilities and threats from affecting the cloud
business applications during implementation, configuration, and administration. The scope of the TRA includes
cloud business applications, delivered through a Software-as-a-Service (SaaS) model to users, and the security
services used to secure and monitor these applications.
• The draft Hybrid Identity Solutions Architecture – presents potential approaches for addressing identity
management in a hybrid environment.
• M365 security configuration baseline (SCB) guides – provide minimum viable secure configuration baselines for
Microsoft Defender for Office 365, Azure Active Directory, Exchange Online, OneDrive for Business, Power BI,
Power Platform, SharePoint Online, and Teams.
The SCuBAGear M365 SCB Assessment Tool verifies an organization’s M365 tenant configuration conforms to the
minimum viable security configurations described in the M365 SCB guides. The tool creates an HTML report highlighting
policies that deviate from the SCB guides. Network administrators of all organizations with M365 tenant(s) can use the
tool to quickly identify and address configuration gaps.
See CISA’s SCuBAGear GitHub page
for directions on installing and using the tool.
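The domain federation trust change described above leaves a trace in tenant audit data. The following is an added detection example, not part of CISA's text or of SCuBAGear: it scans exported audit records for federation and domain authentication changes and flags any made by an account outside an approved list. The record field names are modelled on the Microsoft 365 unified audit log export as an assumption, and the sample records, account names and function name are constructed.

```python
import json

# Audit operation names logged when a domain's federation or authentication
# settings change; compared lower-cased with any trailing period removed.
FEDERATION_OPS = {"set federation settings on domain", "set domain authentication"}

# Constructed sample export, one JSON record per line (assumed field layout).
SAMPLE_LOG = [
    '{"CreationTime":"2024-01-10T08:15:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ResultStatus":"Success","Target":[]}',
    '{"CreationTime":"2024-01-10T09:02:11","Operation":"Set federation settings on domain.","UserId":"idadmin@example.com","ResultStatus":"Success","Target":[{"ID":"corp.example.com","Type":1}]}',
    '{"CreationTime":"2024-01-11T02:47:30","Operation":"Set domain authentication.","UserId":"svc-backup@example.com","ResultStatus":"Success","Target":[{"ID":"corp.example.com","Type":1}]}',
    '{"CreationTime":"2024-01-11T02:49:05","Operation":"Set federation settings on domain.","UserId":"svc-backup@example.com","ResultStatus":"Failure","Target":[{"ID":"corp.example.com","Type":1}]}',
    'truncated line {"CreationTime":',
]

def find_federation_changes(lines, approved_admins):
    """Return (findings, skipped): federation changes and the unparsable line count."""
    approved = {a.lower() for a in approved_admins}
    findings, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            op = rec["Operation"].strip().rstrip(".").lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed or truncated record: count it, keep going
            continue
        if op not in FEDERATION_OPS:
            continue
        actor = str(rec.get("UserId", "")).lower()
        targets = [t.get("ID", "") for t in rec.get("Target") or [] if isinstance(t, dict)]
        findings.append({
            "time": rec.get("CreationTime", ""),
            "operation": rec["Operation"],
            "actor": actor,
            "targets": targets,
            # Failed attempts are kept: they show someone tried to change trust.
            "succeeded": rec.get("ResultStatus") == "Success",
            "severity": "expected" if actor in approved else "alert",
        })
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_federation_changes(SAMPLE_LOG, ["idadmin@example.com"])
    for h in hits:
        print(h["severity"], h["time"], h["actor"], h["operation"], h["targets"])
    print("unparsable lines:", bad)
```

Federation settings change rarely in most tenants, so even an "expected" finding is worth matching against a change record.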