Compliance Frameworks
- Maintained by: Aether365 Team
- Audience: Security administrators and compliance officers
- Scope: CIS, EIDSCA, CISA SCuBA, and NIS2 framework descriptions
Aether365 evaluates your Microsoft 365 tenant against four established security frameworks. Each framework is maintained by a different authority and has a different focus area, scope, and audience.
CIS Microsoft 365 Foundations Benchmark
- Maintained by: Center for Internet Security (CIS)
- Version: v3.0
- Audience: All organisations using Microsoft 365
- Scope: Account security, Entra ID, Exchange, Teams, SharePoint, audit logging
CIS is the most widely adopted M365 security benchmark. It defines a clear, actionable set of controls, each with detailed implementation guidance. Controls are categorised as Level 1 or Level 2:
| Level | Description | When to apply |
|---|---|---|
| L1 | Foundational controls with minimal operational impact | All organisations |
| L2 | Stricter controls that may affect user experience | Security-sensitive environments |
Check ID format: CIS.M365.{section}.{subsection}.{item} - for example, CIS.M365.1.1.1
CIS checks cover sections 1 through 9 of the benchmark, including:
- Section 1: Identity and Access Management
- Section 2: Microsoft Entra ID
- Section 3: Microsoft 365 Apps
- Section 4: Microsoft Teams
- Section 5: Email Security (Exchange Online)
- Section 6: SharePoint Online
- Section 7: OneDrive
- Section 8: Microsoft Defender
- Section 9: Audit Logging
EIDSCA (Entra ID Security Config Analyzer)
- Maintained by: Microsoft and the open-source community
- Audience: Organisations with significant Entra ID usage
- Scope: Entra ID configuration depth
EIDSCA focuses specifically on Entra ID (formerly Azure Active Directory) and covers areas that CIS does not address at the same level of depth. Key areas:
- Authentication method registration and SSPR policies
- Conditional access gaps and baseline policy coverage
- Privileged Identity Management (PIM) configuration
- Token lifetime and session controls
- Guest user and B2B collaboration settings
- External identity provider trust settings
EIDSCA is especially useful if your organisation relies heavily on Entra ID features like Privileged Identity Management, external collaboration, or custom authentication flows.
Check ID format: EIDSCA.{category}{number} - for example, EIDSCA.PR01
CISA SCuBA M365 Security Baseline
- Maintained by: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- Version: Current published baseline
- Audience: US federal agencies and organisations working with them; regulated industries
- Scope: Full M365 product suite
SCuBA (Secure Cloud Business Applications) is the US federal government's security baseline for cloud productivity platforms. It is structured by M365 product rather than by control category:
| Product | Checks cover |
|---|---|
| Microsoft Entra ID | Identity and access management |
| Microsoft Defender for Office 365 | Threat protection policies |
| Exchange Online | Email transport, anti-phishing, encryption |
| Microsoft Teams | External access, meeting policies |
| SharePoint Online and OneDrive | Sharing, access control |
| Microsoft 365 Apps | Macro policies, add-in management |
| Power Platform | Connector policies (Enterprise only) |
SCuBA is relevant beyond US federal environments. Its clear policy statements and automated test format make it a useful baseline for any organisation seeking rigorous, independently maintained guidance.
Check ID format: MS.{PRODUCT}.{number}.{subnumber} - for example, MS.AAD.1.1
NIS2
- Maintained by: European Union
- Directive: EU 2022/2502 (NIS2)
- Audience: Organisations operating in the EU, especially operators of essential and important entities
- Scope: Technical and organisational measures under Article 21
NIS2 is not a technical benchmark - it is a regulatory directive. Aether365 maps M365 configuration controls to the technical requirements that NIS2 mandates under Article 21, which requires organisations to take appropriate measures to manage cybersecurity risk.
NIS2 checks in Aether365 focus on:
| NIS2 Area | M365 controls |
|---|---|
| Access control and authentication | MFA, privileged access, conditional access |
| Incident handling | Audit logging, alert policies, security events |
| Business continuity | Backup and recovery settings, data residency |
| Supply chain security | App consent policies, external connector settings |
| Basic cyber hygiene | Legacy authentication, patch-related settings |
NIS2 Compliance Scope
Aether365 covers the M365-specific technical controls relevant to NIS2. Full NIS2 compliance requires a broader programme of technical and organisational measures beyond your M365 configuration. Aether365 results do not constitute a NIS2 compliance certification.
Framework Comparison
| Dimension | CIS | EIDSCA | CISA SCuBA | NIS2 |
|---|---|---|---|---|
| Authority | CIS | Open source / Microsoft | US CISA | EU regulation |
| Focus | Broad M365 | Entra ID depth | Product-by-product | Risk-based regulatory |
| Level of detail | High | Very high | High | Moderate |
| Suitable for EU organisations | Yes | Yes | Yes | Required |
| Suitable for US federal | Yes | Yes | Required | Not applicable |
| Suitable for all organisations | Yes | Yes | Yes | If EU-regulated |
| Check count in Aether365 | ~60 | ~40 | ~50 | ~30 |
All frameworks run as part of a Compliance Scan. You cannot select individual frameworks per scan - all applicable checks run together and results are tagged by framework for filtering.
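Because every scan returns checks from all frameworks mixed together, the practical question is how to tag and filter them. The following is an added example (not Aether365's own code) that recognises the three check ID formats documented above (CIS.M365.{section}.{subsection}.{item}, EIDSCA.{category}{number}, MS.{PRODUCT}.{number}.{subnumber}), maps CIS section numbers to the section names listed on this page, and filters a constructed result set by framework. The NIS2 ID format is not documented here, so unrecognised IDs are tagged "unknown" rather than guessed; the sample results and their statuses are constructed for illustration.

```python
import re
from collections import Counter

# Check ID patterns taken from the formats documented on this page.
# The NIS2 ID format is not documented, so those IDs fall through to "unknown".
CHECK_ID_PATTERNS = {
    "CIS": re.compile(r"^CIS\.M365\.(?P<section>\d+)\.(?P<subsection>\d+)\.(?P<item>\d+)$"),
    "EIDSCA": re.compile(r"^EIDSCA\.(?P<category>[A-Z]+)(?P<number>\d+)$"),
    "SCuBA": re.compile(r"^MS\.(?P<product>[A-Z]+)\.(?P<number>\d+)\.(?P<subnumber>\d+)$"),
}

# CIS benchmark section names as listed on this page.
CIS_SECTIONS = {
    1: "Identity and Access Management", 2: "Microsoft Entra ID",
    3: "Microsoft 365 Apps", 4: "Microsoft Teams",
    5: "Email Security (Exchange Online)", 6: "SharePoint Online",
    7: "OneDrive", 8: "Microsoft Defender", 9: "Audit Logging",
}

def tag_check(check_id):
    """Return (framework, parsed fields) for a check ID, or ("unknown", {}) if no format matches."""
    for framework, pattern in CHECK_ID_PATTERNS.items():
        m = pattern.match(check_id)
        if m:
            # Numeric components become ints so "PR01" yields number 1, not the string "01".
            fields = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            if framework == "CIS":
                fields["section_name"] = CIS_SECTIONS.get(fields["section"], "unknown section")
            return framework, fields
    return "unknown", {}

def filter_results(results, framework, status=None):
    """Keep scan results that belong to one framework (and optionally one status)."""
    return [r for r in results
            if tag_check(r["id"])[0] == framework and (status is None or r["status"] == status)]

def failures_by_framework(results):
    """Count failed checks per framework for a per-framework summary."""
    return Counter(tag_check(r["id"])[0] for r in results if r["status"] == "fail")

# Constructed sample scan output (IDs and statuses are illustrative, not real findings).
SAMPLE_RESULTS = [
    {"id": "CIS.M365.1.1.1", "status": "pass"},
    {"id": "CIS.M365.5.2.1", "status": "fail"},
    {"id": "EIDSCA.PR01", "status": "fail"},
    {"id": "MS.AAD.1.1", "status": "fail"},
    {"id": "MS.AAD.2.1", "status": "pass"},
    {"id": "NOT.A.CHECK", "status": "fail"},
]
```

Any ID that does not match a documented format lands in the "unknown" bucket, which is a useful signal that a scan contains checks from a framework (such as NIS2) whose ID scheme your filter does not yet handle.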