Add Indicators to Baselines #1884
adhilto left a comment
I love how this looks, definitely a big improvement.
Most of my comments apply to all the baselines, but I only left them one time rather than duplicate them. Also a lot them are subjective so feel free to push back on anything.
|
|
||
| **Resource Tenant & Home Tenant**: In scenarios where guest users are involved the **resource tenant** hosts the M365 target resources that the guest user is accessing. The **home tenant** is the one that hosts the guest user's identity. | ||
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 |
Minor tweak that I think reads better:
(also I recommend that all of these sentences end with a period for consistency)
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | |
| **BOD 25-01 Requirement**: This indicator means that the policy is required under CISA BOD 25-01. |
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | ||
|
|
||
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear | |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear. |
|
|
||
| **Sensitive Accounts**: This term denotes a set of user accounts that have access to sensitive and high-value information. Certain accountsβlike those belonging to CEOs, CFOs, CISOs, and IT administratorsβhave access to highly sensitive data and critical systems, making them prime targets for cyberattacks. These accounts, referred to as priority accounts, require enhanced security measures to minimize the risk of compromise. | ||
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 |
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | |
| **BOD 25-01 Requirement**: This indicator means that the policy is required under CISA BOD 25-01. |
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | ||
|
|
||
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear | |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear. |
| a connector to connect to the Dataverse table and perform create, read, | ||
| update, and delete (CRUD) operations. | ||
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 |
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | |
| **BOD 25-01 Requirement**: This indicator means that the policy is required under CISA BOD 25-01. |
|
|
||
| **BOD 25-01 Requirement**: This indicator means that policy is required under CISA BOD 25-01 | ||
|
|
||
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear | |
| **Automated Check**: This indicator means that the policy can be automatically checked via ScubaGear. |
| The custom policy SHOULD include an action to block access to sensitive | ||
| information by restricted apps and unwanted Bluetooth applications. | ||
|
|
||
| [](/defender.md#msdefender46v1-instructions) |
This link is broken, I think this fixes it
| [](/defender.md#msdefender46v1-instructions) | |
| [](./defender.md#msdefender46v1-instructions) |
| #### MS.DEFENDER.5.2v1 | ||
| The alerts SHOULD be sent to a monitored address or incorporated into a Security Information and Event Management (SIEM). | ||
|
|
||
| [](/defender.md#msdefender52sv1-instructions) |
Also broken
| [](/defender.md#msdefender52sv1-instructions) | |
| [](./defender.md#msdefender52sv1-instructions) |
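Review bot: the suggested replacement still carries what looks like a typo in the fragment: `msdefender52sv1-instructions` has an extra `s` that the sibling anchors `msdefender46v1-instructions` and `msdefender63v1-instructions` do not, and the policy heading in this hunk is `MS.DEFENDER.5.2v1`. Unless the instructions heading in defender.md really renders to that slug, the fragment should be `msdefender52v1-instructions`, i.e. `| [](./defender.md#msdefender52v1-instructions) |`; otherwise the link will stay broken after the leading slash is fixed.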
| #### MS.DEFENDER.6.3v1 | ||
| Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31. | ||
|
|
||
| [](/defender.md#msdefender63v1-instructions) |
Also broken
| [](/defender.md#msdefender63v1-instructions) | |
| [](./defender.md#msdefender63v1-instructions) |
| #### MS.POWERPLATFORM.4.1v1 | ||
| Content Security Policy (CSP) SHALL be enforced for model-driven and canvas Power Apps. | ||
|
|
||
| [](./powerplatform.md#mspowerplatform32v1-instructions) |
Wrong link
| [](./powerplatform.md#mspowerplatform32v1-instructions) | |
| [](./powerplatform.md#mspowerplatform41v1-instructions) |
| Domain impersonation protection SHOULD be added for key suppliers and partners in both the standard and strict preset policies. | ||
|
|
||
|  | ||
| [](../../../docs/configuration/configuration.md#defender-configurations) |
Broken anchor
| [](../../../docs/configuration/configuration.md#defender-configurations) | |
| [](../../../docs/configuration/configuration.md#defender-configuration) |
| #### MS.AAD.3.5v1 | ||
| The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | ||
|
|
||
| [](./aad.md#msaad35v1-instructions) |
This is an automated check.
| [](./aad.md#msaad35v1-instructions) | |
|  |
Also, MS.AAD.3.5v1 is currently not included in BOD 25-01, but it's one of the conditional policies and will be included once v1.8.0 is published. Since the conditional policies and indicator features are both slated for v1.8.0, we should be fine to preemptively add the BOD 25-01 Requirement indicator here as well.
| If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | ||
|
|
||
| [](https://www.cisa.gov/news-events/directives/bod-25-01-implementation-guidance-implementing-secure-practices-cloud-services) | ||
|  |
MS.AAD.3.2v1 is configurable.
|  | |
|  | |
| [](../../../docs/configuration/configuration.md#conditional-access-policy-exclusions) |
| #### MS.AAD.3.9v1 | ||
| Device code authentication SHOULD be blocked. | ||
|
|
||
|  |
MS.AAD.3.9v1 is configurable but we don't have it listed in the Conditional Access Policy Exclusion section. Could you also add it to the list of supported policies in configuration.md?
|  | |
|  | |
| [](../../../docs/configuration/configuration.md#conditional-access-policy-exclusions) |
|
|
||
| <!--Policy: MS.EXO.2.2v3; Criticality: SHALL --> | ||
| [](https://www.cisa.gov/news-events/directives/bod-25-01-implementation-guidance-implementing-secure-practices-cloud-services) | ||
|  |
Is configurable with PreferredDnsResolver param.
|  | |
|  | |
| [](../../../docs/configuration/configuration.md#automatic-forwarding-to-remote-domains) |
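Review bot: the suggested link target `#automatic-forwarding-to-remote-domains` does not correspond to the `PreferredDnsResolver` parameter named in the comment, and the same anchor is proposed again for MS.EXO.3.1v1 (DKIM) and MS.EXO.4.1v1 through 4.3v1 (DMARC) further down; a reader following the configurable badge on MS.EXO.2.2v3 would land on the forwarding section instead of the DNS resolver setting. Point each of these badges at the configuration.md section that documents PreferredDnsResolver (or add that section first) rather than reusing the forwarding anchor.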
| #### MS.EXO.3.1v1 | ||
| DKIM SHOULD be enabled for all domains. | ||
|
|
||
|  |
Is configurable with PreferredDnsResolver param.
|  | |
|  | |
| [](../../../docs/configuration/configuration.md#automatic-forwarding-to-remote-domains) |
| A DMARC policy SHALL be published for every second-level domain. | ||
|
|
||
| [](https://www.cisa.gov/news-events/directives/bod-25-01-implementation-guidance-implementing-secure-practices-cloud-services) | ||
|  |
EXO 4.1 - 4.3 is configurable with PreferredDnsResolver param.
|  | |
|  | |
| [](../../../docs/configuration/configuration.md#automatic-forwarding-to-remote-domains) |
|
|
||
| ### Policies | ||
|
|
||
| #### MS.POWERPLATFORM.5.1v1 |
If you rebase your feature branch with main, powerplatform.md will get updated with the new MS.POWERPLATFORM.6.1v1 policy. This will need to have the "Automated Check" indicator.
| #### MS.SHAREPOINT.1.3v1 | ||
| External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | ||
|
|
||
|  |
Add "BOD 25-01 Requirement" indicator for Sharepoint 1.3, 3.1, 3.2, and 3.3.
Description
Add the 5 discussed indicators to the baseline and key terminology
Motivation and context
Closes #1864
Testing
Read through the baselines and key terminologies
Pre-approval checklist
Pre-merge checklist
PR passed smoke test check.
Feature branch has been rebased against changes from parent branch, as needed
Use Rebase branch button below or use this reference to rebase from the command line.
Resolved all merge conflicts on branch
Notified merge coordinator that PR is ready for merge via comment mention
Demonstrate changes to the team for questions and comments.
(Note: Only required for issues of size Medium or larger)
Post-merge checklist