CISA SCuBA M365 Secure Baseline (Target) — Adapter Technical Specification
CISA SCuBA M365 Secure Baseline (Target) — Adapter Technical Specification
Status: active · Class: modernization · Mission: integration · Phase: phase-1
Canon source: canon/modernization-registry.yaml (propagated by uiao/tools/sync_canon.py).
The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.
This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.
Overview
The CISA SCuBA Baseline Adapter is an integration-class modernization adapter that applies the declarative CISA SCuBA security posture to M365 tenants. Unlike its conformance counterpart (scubagear, which assesses), this adapter is the change-maker — it writes the baseline configuration into the tenant.
It pairs with scubagear to form the canonical assess-then-remediate cycle: scubagear reads the current state, scuba applies the desired state. Both operate within the GCC-Moderate boundary.
Implementation: src/uiao/adapters/scubagear_adapter.py. Conformance: 30/30 PASS.
Scope
Target surfaces / subsystems: aad-baseline, defender-baseline, exo-baseline, powerbi-baseline, powerplatform-baseline, sharepoint-baseline, teams-baseline
Reads: CISA SCuBA baseline definitions (7 workloads: AAD, Defender, EXO, PowerBI, Power Platform, SharePoint, Teams). Emits: ClaimSet with baseline-application claims, EvidenceObject with provenance. Does NOT: assess current state (that’s scubagear), modify configurations outside the declared baseline scope, bypass GCC-Moderate boundary.
Controls
NIST SP 800-53 Rev 5 controls this adapter supports: CM-2, CM-6, CM-7
| Control | Role | Adapter capability |
|---|---|---|
| CM-2 Baseline Configuration | Primary | Applies the declarative SCuBA security baseline to tenant configuration. |
| CM-6 Configuration Settings | Primary | Writes specific configuration settings per SCuBA workload baseline. |
| CM-7 Least Functionality | Supporting | Baseline application disables unnecessary services/features per SCuBA guidance. |
Operational profile
| Field | Value |
|---|---|
| Runtime | powershell-7.4 |
| Runtime pin | TBD |
| Runner class | github-hosted |
| Tenancy | per-customer |
| Evidence class | baseline |
| Retention | 3 year(s) |
Canon invariants
gcc-boundary: gcc-moderatessot-mutation: nevercertificate-anchored: trueobject-identity-only: true
Notes from canon
Pair with conformance adapter scubagear (canon/adapter-registry.yaml) which assesses the applied baseline without mutating it.
References
- UIAO-CANON-002
- https://github.com/cisagov/ScubaGoggles
Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.