Lifetime Citizen Portal Access — AI Briefings, Alerts & Unlimited Follows
CISA outlines free 'Scuba' tools, baselines and workshops to help secure cloud business apps
Loading...
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) described 'Scuba,' a free suite of secure-configuration baselines, open-source assessment tools and training engagements aimed at helping organizations harden Microsoft 365, Google Workspace and other cloud business applications.
An agency official at the Cybersecurity and Infrastructure Security Agency (CISA) described a set of free resources called "Scuba" designed to help organizations reduce cloud security risk by bringing application settings in line with secure baselines.
The official said misconfigurations were “the initial access vector for nearly one third of all cloud environment attacks during 2024,” and argued that default application settings often leave users exposed. To address that risk, CISA offers Scuba, which the agency says is publicly available at no cost and includes configuration guidance, assessment tools and engagement services.
Scuba combines product-specific secure configuration baselines for critical business applications — including Microsoft 365 and Google Workspace — with automated open-source assessment tools such as Scuba Gear and Scuba Goggles that produce visual reports for a quick appraisal of an organization’s security posture. "Scuba provides configuration guidance to bring cloud business applications in line with a secure baseline and recommended security settings," the agency official said.
The offering also includes implementation guidance and technical reference architectures, including hybrid identity recommendations, to help organizations interpret baseline findings and make informed decisions about remediation. CISA noted it uses the Extensible Visibility Reference Framework (EVRF) to help agencies gain visibility into important data and potential security gaps.
CISA described a range of engagement formats for Scuba—technical exchange meetings, workshops, pilot programs to collect operational feedback, demonstrations and one-on-one sessions—intended to educate federal and public users about how the tools can help secure their platforms. The official encouraged organizations to provide feedback on Scuba tools to support continued refinement.
For more information or to participate in Scuba engagements, the agency official directed organizations to contact CISA's Cybersecurity Shared Services office or visit www.cisa.gov/scuba.
The presentation did not include named speakers, detailed case studies, independent validation of the cited 2024 statistic, or specific enrollment procedures beyond the website reference.
