Achieve Federal-Grade M365 Security: Governing with Qualys SSPM and SCuBA

Shrikant Dhanawade

Qualys SaaS Security Posture Management (SSPM) introduces native support for the Secure Cloud Business Applications (SCuBA) compliance framework, bringing CISA’s toughest M365 security benchmarks directly into your continuous posture monitoring workflow.


Key Takeaways

  • CISA’s Secure Cloud Business Applications (SCuBA) initiative is now a continuous compliance standard, not a one-time audit. Qualys SSPM continuously monitors your M365 tenant against SCuBA baselines.
  • All five CISA SCuBA baselines run simultaneously: Entra ID, Exchange Online, Microsoft Defender, SharePoint Online and OneDrive, and Teams.
  • SaaS risk is now unified with IaaS and PaaS in a single risk view, giving security and compliance teams a consolidated view and eliminating siloed SaaS reporting.
  • Cut audit prep from weeks to hours; SCuBA compliance evidence directly accelerates FedRAMP ATO, CMMC 2.0 certification, and cyber insurance renewals.
  • Already included in your existing SSPM, no additional licensing, no additional agents, no procurement delay.

What Is SCuBA and Why Does It Matter for Enterprise Security

The Secure Cloud Business Applications (SCuBA) project is a cybersecurity initiative developed by the Cybersecurity and Infrastructure Security Agency (CISA) to address the growing risk surface of cloud-based productivity tools, particularly Microsoft 365. SCuBA provides prescriptive, testable security baselines that define the minimum-security posture every organization should maintain when operating M365 services.

Unlike generic benchmarks, SCuBA baselines are built to counter real-world attack patterns, including the nation-state tactics that compromised federal agencies in high-profile breaches. They’re being rapidly adopted not only by federal civilian agencies but also by regulated industries, including finance, healthcare, and critical infrastructure.

SCuBA compliance is no longer optional for organizations operating at scale in the cloud. With CISA mandating its adoption across federal civilian agencies and private-sector adoption accelerating rapidly, failing to align with SCuBA baselines means accepting measurable, auditable risk.

  • 5: New SCuBA policy packs now in Qualys SSPM
  • M365: Full Microsoft 365 service coverage
  • 24/7: Continuous automated compliance monitoring
  • 0: Manual audits needed to stay SCuBA-aligned

SCuBA Comes to Qualys SSPM: What’s New

Qualys has expanded its SaaS Security Posture Management (SSPM) capabilities, delivered as an integrated part of Qualys TotalCloud™, with native support for SCuBA security baselines. This is a significant milestone for cloud security teams that manage Microsoft 365 environments at enterprise scale.

Until now, organizations had to rely on a combination of manual audits, standalone scripts (such as CISA’s own ScubaGear tool), and disparate compliance reports to assess their M365 posture against SCuBA requirements. Qualys SSPM closes that gap by operationalizing SCuBA baselines as continuous, automated compliance checks, surfaced directly within the TotalCloud platform, where your entire cloud risk picture lives.

Included in TotalCloud QLUs (Qualys Units)
SCuBA compliance monitoring is included as part of the SSPM within Qualys TotalCloud QLU. Customers already subscribed to TotalCloud SSPM gain access to all five SCuBA policy packs immediately, with no additional licensing fees.

Note: The SSPM offering is available in the SaaSDR product from Qualys.

The Five New SCuBA Policies Now Available in Qualys SSPM

Qualys SSPM now ships with five dedicated SCuBA security baseline policy packs, each mapped to a critical Microsoft 365 service. Here is what each policy covers:

Identity and Access

SCuBA Security Baseline for Microsoft Entra ID
Controls covering conditional access policies, MFA enforcement, privileged identity management, and identity governance for your Microsoft Entra (formerly Azure AD) environment.

Email Security

SCuBA Security Baseline for Microsoft Exchange Online

Baseline checks for anti-phishing policies, DKIM/DMARC/SPF enforcement, safe link and attachment policies, and audit log configurations for Exchange Online.

Threat Protection

SCuBA Baseline for Microsoft Defender

Posture checks aligned to Microsoft Defender for Office 365, covering threat intelligence integration, alert policies, and automated investigation and response settings.

Data Storage

SCuBA Security Baseline for Microsoft SharePoint Online and OneDrive

Controls governing external sharing settings, data loss prevention, sensitivity labels, and access controls for SharePoint and OneDrive workloads.

Collaboration

SCuBA Security Baseline for Microsoft Teams

Checks targeting external access, guest user permissions, meeting recording policies, and data retention settings within Microsoft Teams.

How Qualys SSPM Enforces SCuBA Compliance

Qualys SSPM connects to your Microsoft 365 tenant via API integrations and continuously interrogates configuration states across all five service domains. Here is how the end-to-end process works within TotalCloud. 

Continuous Posture Assessment 

Rather than point-in-time audits, Qualys SSPM continuously monitors your M365 configuration. Any drift from SCuBA-mandated settings, such as a conditional access policy being disabled or an external sharing permission being widened, is detected immediately and flagged as a posture finding within the TotalCloud console. 

Customize Security Controls  

Critically, not every SCuBA control is a one-size-fits-all mandate; CISA’s framework explicitly permits organizations to tailor controls where their internal policies or operational requirements diverge from the baseline defaults. Qualys SSPM supports this flexibility, allowing security teams to exempt or customize control applicability to reflect their organization’s accepted risk posture, without losing auditability or compliance traceability.  

Hyper-Prioritization, Autonomous Remediation 

Not all SCuBA control failures carry equal risk, and Qualys SSPM knows the difference. Findings are hyper-prioritized by layering threat intelligence, asset criticality, and business context on top of every control failure, so your team works a risk-ranked queue rather than a flat compliance list.  

SSPM also validates findings against compensating controls already active in your environment, ensuring remediation effort is never wasted on risks that are already mitigated. When a supported control drifts from its SCuBA-mandated baseline, SSPM can automatically apply the corrective configuration action, closing the window between detection and resolution that attackers routinely exploit, and turning SCuBA compliance from a periodic posture snapshot into a continuously self-correcting security state. 
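As an added illustration (not Qualys or CISA code), the following Python models the three steps described above: comparing a tenant snapshot against a baseline, recording exemptions and compensating controls without losing the audit trail, and ranking open findings by severity and asset criticality. The control ids, setting paths and tenant snapshot are constructed for the example and are not real SCuBA identifiers.

```python
from dataclasses import dataclass

# Hypothetical baseline (ids, paths and values are constructed, not CISA's actual
# SCuBA control identifiers): control id -> (setting path, compliant value, severity 1-10)
BASELINE = {
    "ENTRA-CA-MFA": ("entra.conditional_access.mfa_policy.state", "enabled", 9),
    "SPO-EXTERNAL-SHARING": ("sharepoint.external_sharing", "existing_guests", 7),
    "TEAMS-EXTERNAL-ACCESS": ("teams.external_access.allow_all_domains", False, 5),
}

# Constructed tenant snapshot, as one API poll might return it; all three settings have drifted
# (MFA policy disabled, SharePoint sharing widened, Teams federation opened to all domains).
SNAPSHOT = {
    "entra": {"conditional_access": {"mfa_policy": {"state": "disabled"}}},
    "sharepoint": {"external_sharing": "anyone"},
    "teams": {"external_access": {"allow_all_domains": True}},
}

@dataclass
class Finding:
    control: str
    path: str
    expected: object
    actual: object
    risk: float
    status: str   # "open", "exempt" or "compensated"
    note: str = ""  # justification kept with the finding for auditability

def lookup(snapshot, path):
    """Walk a dotted path through the nested snapshot dict."""
    node = snapshot
    for key in path.split("."):
        node = node[key]
    return node

def evaluate(snapshot, baseline, exemptions, compensating, asset_criticality):
    """Return drifted controls ranked by risk; exempt and compensated drift stays on record."""
    findings = []
    for control, (path, expected, severity) in baseline.items():
        actual = lookup(snapshot, path)
        if actual == expected:
            continue  # setting still matches the baseline: nothing to report
        risk, status, note = severity * asset_criticality, "open", ""
        if control in exemptions:          # organization accepted this deviation
            risk, status, note = 0.0, "exempt", exemptions[control]
        elif control in compensating:      # risk partly mitigated by another control
            risk, status, note = risk * 0.5, "compensated", compensating[control]
        findings.append(Finding(control, path, expected, actual, risk, status, note))
    return sorted(findings, key=lambda f: f.risk, reverse=True)

if __name__ == "__main__":
    for f in evaluate(SNAPSHOT, BASELINE, {}, {}, 1.0):
        print(f"{f.risk:5.1f} {f.status:11} {f.control}: expected {f.expected!r}, got {f.actual!r}")
```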

Why This Matters: The M365 Threat Landscape

Microsoft 365 is the world’s most widely deployed enterprise productivity platform, and one of the most aggressively targeted. Threat actors, including nation-state groups, have repeatedly exploited misconfigured M365 tenants to gain persistent access, exfiltrate sensitive data, and move laterally across connected on-premises environments.

CISA developed SCuBA in direct response to these threats. The baselines encode the specific configuration hardening measures that would have prevented or significantly limited the impact of documented, large-scale M365 compromises. For organizations that process sensitive government data, operate in regulated industries, or simply cannot afford the reputational and financial cost of a breach, SCuBA alignment is becoming a minimum viable posture.

Security teams that manually audit M365 configurations against SCuBA baselines face an enormous operational burden. Qualys SSPM eliminates that burden entirely, replacing periodic, error-prone manual checks with continuous, automated coverage across all five M365 service baselines simultaneously.

Business Benefits for Security and Compliance Teams

Organizations that deploy Qualys SSPM SCuBA monitoring gain measurable advantages across their security operations and compliance programs:

  • Reduce audit preparation time dramatically.
    With continuous SCuBA monitoring and auto-generated compliance reports, the evidence collection process for audits and assessments is reduced from weeks to hours.
  • Eliminate configuration drift before it becomes a breach.
    Real-time detection means misconfigurations are caught and remediated before they can be exploited, not discovered months later during a post-incident review.
  • Accelerate FedRAMP ATO and CMMC 2.0 compliance journeys.
    SCuBA alignment is foundational to several federal compliance frameworks. Demonstrating continuous SCuBA compliance directly supports FedRAMP authorization to operate and CMMC certification efforts. TotalCloud has achieved FedRAMP High Authorization.
  • Unify SaaS, IaaS, and PaaS security postures in a single platform.
    TotalCloud already manages your cloud infrastructure risk. Adding M365 SCuBA compliance means one platform, one risk language, and one reporting structure for your entire cloud estate.
  • No additional tooling or licensing required.
    SCuBA support is included in the existing SSPM QLU, with no procurement cycles, no integration projects, and no additional training needed for teams already using TotalCloud.
  • Meet cyber insurance requirements with documented evidence.
    Insurers increasingly require demonstrable M365 security controls. Continuous SCuBA compliance monitoring provides the documented, timestamped evidence that underwriters demand.

Conclusion: SaaS Configuration Integrity Is Now a Strategic Requirement

Enterprise security is entering a phase where resilience depends less on isolated security tooling and more on the operational consistency of digital ecosystems. Collaboration platforms, identity systems, and SaaS applications now influence how organizations govern data access, operational continuity, regulatory accountability, and institutional trust at scale. That shift is changing the role of security baselines. They are no longer static compliance artifacts. They are becoming operational design standards for modern cloud environments. By embedding SCuBA governance directly into continuous posture operations, organizations can transition from reactive validation cycles to a more durable model of cloud assurance that scales with both business growth and regulatory complexity.


Frequently Asked Questions (FAQs)

What is SCuBA, and who created it?

SCuBA stands for Secure Cloud Business Applications. It is a cybersecurity project developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to establish prescriptive, testable security baselines for widely used cloud productivity platforms, starting with Microsoft 365.

Is SCuBA compliance mandatory for my organization?

SCuBA compliance is currently mandated for federal civilian agencies under CISA guidance. However, organizations in regulated industries, including defense contractors, healthcare, financial services, and critical infrastructure, are rapidly adopting SCuBA baselines as a best-practice standard. Many consider it a prerequisite for FedRAMP ATO and CMMC 2.0 alignment.

Which Microsoft 365 services are covered by Qualys SSPM SCuBA support?

Qualys SSPM now includes SCuBA security baseline checks for five M365 services: Microsoft Entra ID (identity and access), Exchange Online (email security), Microsoft Defender for Office 365 (threat protection), SharePoint Online and OneDrive (data storage and sharing), and Microsoft Teams (collaboration).

How does Qualys SSPM differ from running CISA’s free ScubaGear tool?

CISA’s ScubaGear is a point-in-time PowerShell-based assessment tool. Qualys SSPM provides continuous, automated SCuBA compliance monitoring, detecting configuration drift in real time, surfacing findings with remediation guidance, integrating into your ITSM workflows, and providing unified visibility alongside all other cloud risk in TotalCloud.

Is SCuBA support included in my existing TotalCloud SSPM subscription?

Yes. SCuBA compliance monitoring is included in the SSPM QLU within Qualys TotalCloud. If you are already subscribed to TotalCloud SSPM, all five SCuBA policy packs are available to you at no additional cost and require no additional licensing or procurement.

How quickly can my team get started with SCuBA compliance monitoring in Qualys SSPM?

Organizations already using Qualys TotalCloud SSPM can activate SCuBA compliance checks directly within the platform. The onboarding process leverages your existing Microsoft 365 API connection; no new connectors or agents are required. Most teams can have SCuBA posture findings surfaced within a single configuration session.

Does Qualys SSPM provide remediation guidance for SCuBA findings?

Yes. Each SCuBA compliance finding in Qualys SSPM includes step-by-step remediation guidance referenced to CISA’s published SCuBA documentation. Findings show the affected resource, current configuration state, the specific SCuBA control violated, and the exact change required to bring the control into compliance.

Who should prioritize SCuBA and SSPM?

Federal agencies, contractors, and regulated organizations that use NIST SP 800-53 or Zero Trust architectures should prioritize SSPM to maintain continuous compliance, reduce SaaS risk, and ensure the secure operation of business-critical applications.
