Framework Comparison
Maintained by: Aether365 Team
Audience: Security administrators and compliance officers
Scope: Side-by-side comparison of CIS, EIDSCA, CISA SCuBA, and NIS2 frameworks
Side-by-side comparison of the four security frameworks supported by Aether365.
Overview
| | CIS | EIDSCA | CISA SCuBA | NIS2 |
|---|---|---|---|---|
| Full name | CIS Microsoft 365 Foundations Benchmark | Entra ID Security Config Analyzer | Secure Cloud Business Applications M365 Baseline | EU Network and Information Systems Directive 2 |
| Published by | Center for Internet Security | Microsoft (open-source) | CISA (US federal agency) | European Union |
| Primary audience | Commercial organisations worldwide | Organisations using Entra ID | US federal agencies | EU essential/important entities |
| Focus area | Broad M365 configuration | Entra ID identity security | M365 product-by-product | Cybersecurity risk management |
| Number of checks | ~100 | ~80 | ~150 | ~50 |
| Update cadence | Major releases every 12-18 months | Continuous (GitHub) | Major releases annually | Legislative cycle |
| Licensing | Free to use | Open-source (MIT) | Public domain | EU regulation |
CIS Microsoft 365 Foundations Benchmark
Best for: Organisations that want a commercially recognised, auditor-friendly baseline.
CIS benchmarks are the de facto standard in commercial security programmes. The M365 benchmark covers:
- Account and authentication - MFA, legacy auth, password policies
- Microsoft 365 Admin Center settings - guest access, sharing, external collaboration
- Exchange Online - email authentication (SPF, DKIM, DMARC), mail flow rules, anti-phishing
- SharePoint Online and OneDrive - sharing settings, external access controls
- Microsoft Teams - meeting policies, guest access, external federation
- Entra ID - conditional access, role assignments, security defaults
Profile levels:
| Level | Description |
|---|---|
| L1 | Foundational controls. Implement first. Lower disruption risk. |
| L2 | Higher security. May require planning and user communication. |
Aether365 checks include the profile level in every result so you can prioritise L1 first.
EIDSCA (Entra ID Security Config Analyzer)
Best for: Organisations that want deep identity security coverage beyond what CIS covers.
EIDSCA was co-developed with Microsoft engineers and targets Entra ID configuration specifically. It covers areas that CIS either omits or covers only partially:
- Privileged Identity Management (PIM) - just-in-time access, role activation settings
- Authentication methods - FIDO2, authenticator app settings, Windows Hello
- Conditional access policies - device compliance, sign-in risk, user risk
- Application governance - OAuth app permissions, consent policies
- Security defaults and baseline - Microsoft's own baseline recommendations
- Identity protection - risk policies, breach credential detection
EIDSCA checks map to the Secure Score categories in Microsoft Entra and complement CIS checks with finer-grained Entra ID coverage.
CISA SCuBA M365 Security Baseline
Best for: US federal agencies subject to CISA guidance; organisations that want comprehensive product-level coverage.
SCuBA (Secure Cloud Business Applications) is structured by M365 product rather than by security category:
| Product baseline | Coverage |
|---|---|
| AAD (Azure Active Directory) | Identity, MFA, conditional access |
| Exchange Online | Email security, anti-phishing, mail flow |
| Teams | Meeting security, guest access, data loss |
| SharePoint & OneDrive | Sharing, external access, DLP |
| Power Platform | App creation policies, guest access |
| Defender for Office 365 | ATP policies, safe links, safe attachments |
Each product section contains required and optional policies. Aether365 marks optional policies clearly in the result detail.
SCuBA is technically targeted at US federal agencies (FISMA-covered systems) but the policies are broadly applicable to any organisation.
NIS2 (EU Network and Information Systems Directive 2)
Best for: EU-based organisations that operate essential or important services and must demonstrate NIS2 compliance.
NIS2 is a regulatory framework, not a technical benchmark. It specifies categories of controls that organisations must implement - it does not prescribe exact configuration values. Aether365's NIS2 checks map M365 configuration to NIS2 article requirements:
| NIS2 Article | Control category | Example M365 checks |
|---|---|---|
| Art. 21(2)(a) | Risk management | Security policies, audit logging |
| Art. 21(2)(b) | Incident handling | Alert policies, audit log retention |
| Art. 21(2)(c) | Business continuity | Backup, data retention settings |
| Art. 21(2)(d) | Supply chain security | Third-party app permissions |
| Art. 21(2)(e) | Acquisition security | Application consent policies |
| Art. 21(2)(f) | Access control | MFA, privileged access, PIM |
| Art. 21(2)(g) | Cryptography | Encryption settings, TLS policy |
| Art. 21(2)(h) | HR security | Offboarding, guest account review |
| Art. 21(2)(i) | Authentication | MFA, password policies, legacy auth |
Important: Passing NIS2 checks in Aether365 does not certify NIS2 compliance. NIS2 compliance requires organisational processes, legal assessments, and reporting obligations beyond technical configuration. Aether365's NIS2 checks give you confidence that your M365 configuration does not contradict NIS2 requirements.
Which Framework Should I Use?
You do not need to choose one. Aether365 runs all frameworks and presents results together. There is significant overlap between frameworks - a single configuration setting may be checked by CIS, EIDSCA, and CISA. Aether365 deduplicates overlapping checks and shows each finding once with cross-references to every framework that covers it.
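To illustrate the deduplication and L1-first prioritisation described above, here is an added example written for this page; it is not Aether365's implementation. The finding fields, check IDs and setting keys are constructed placeholders, and the merge rule (a setting fails if any framework fails it) is an assumption chosen to be conservative:

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample findings as a multi-framework scan might emit them before
# deduplication. Check IDs and setting keys are placeholders, not real identifiers.
RAW_FINDINGS = [
    {"framework": "CIS", "check_id": "CIS-1", "setting": "mfa_all_users", "status": "fail", "level": "L1"},
    {"framework": "EIDSCA", "check_id": "EIDSCA-1", "setting": "mfa_all_users", "status": "fail"},
    {"framework": "CISA", "check_id": "SCUBA-1", "setting": "mfa_all_users", "status": "fail"},
    {"framework": "CIS", "check_id": "CIS-2", "setting": "legacy_auth_blocked", "status": "pass", "level": "L1"},
    {"framework": "CISA", "check_id": "SCUBA-2", "setting": "legacy_auth_blocked", "status": "pass"},
    {"framework": "CIS", "check_id": "CIS-3", "setting": "sharepoint_external_sharing", "status": "fail", "level": "L2"},
    # Frameworks can disagree on the same setting (e.g. different thresholds);
    # the merge below treats any failure as a failure.
    {"framework": "CIS", "check_id": "CIS-4", "setting": "guest_access_restricted", "status": "pass", "level": "L2"},
    {"framework": "CISA", "check_id": "SCUBA-3", "setting": "guest_access_restricted", "status": "fail"},
    {"framework": "NIS2", "check_id": "NIS2-1", "setting": "pim_enabled", "status": "fail"},
]


@dataclass
class Finding:
    setting: str
    status: str                      # "fail" if any contributing framework failed, else "pass"
    level: Optional[str]             # CIS profile level when a CIS check covers the setting
    references: list = field(default_factory=list)  # cross-references as "FRAMEWORK:check_id"


def deduplicate(raw):
    """Collapse per-framework checks that target the same setting into one finding."""
    groups = defaultdict(list)
    for item in raw:
        groups[item["setting"]].append(item)

    merged = []
    for setting, items in groups.items():
        status = "fail" if any(i["status"] == "fail" for i in items) else "pass"
        levels = {i["level"] for i in items if i.get("level")}
        level = min(levels) if levels else None   # "L1" sorts before "L2"
        refs = sorted(f'{i["framework"]}:{i["check_id"]}' for i in items)
        merged.append(Finding(setting, status, level, refs))
    return merged


# Rank used for ordering: L1 before L2, unlevelled (non-CIS) findings last.
LEVEL_RANK = {"L1": 0, "L2": 1, None: 2}


def prioritise(findings):
    """Failing findings first, then by profile level, then alphabetically by setting."""
    return sorted(findings, key=lambda f: (f.status != "fail", LEVEL_RANK[f.level], f.setting))


def report(raw=RAW_FINDINGS):
    """Deduplicated, prioritised finding list ready for display."""
    return prioritise(deduplicate(raw))


if __name__ == "__main__":
    for f in report():
        print(f"{f.status:4} {f.level or '--':2} {f.setting:28} {', '.join(f.references)}")
```

The grouping key here is the configuration setting, not the check ID, which is what lets one finding carry references to every framework that covers it. Merging only works when the frameworks genuinely test the same value; where two frameworks apply different thresholds to one setting, the conservative any-fail rule above reports a failure, and the cross-references show which framework's check triggered it.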
Starting point recommendations:
| Situation | Start with |
|---|---|
| No prior framework exposure | CIS L1 - foundational and broadly understood |
| Identity security focus | EIDSCA - deepest Entra ID coverage |
| US federal or government-adjacent | CISA SCuBA |
| EU regulatory requirement | NIS2, then fill gaps with CIS |
| Need to pass a security audit | CIS - most recognised by external auditors |
| Want comprehensive coverage | Run all four frameworks simultaneously |
Check Count by Framework
Check counts vary as frameworks are updated. Current approximate counts in Aether365:
| Framework | Total checks | Typical pass rate (SMB) | Typical pass rate (Enterprise) |
|---|---|---|---|
| CIS (L1) | ~60 | 55-70% | 70-85% |
| CIS (L1+L2) | ~100 | 45-65% | 65-80% |
| EIDSCA | ~80 | 50-65% | 65-80% |
| CISA SCuBA | ~150 | 40-60% | 60-75% |
| NIS2 | ~50 | 55-70% | 70-85% |
Pass rates are illustrative estimates. Your rate depends heavily on your existing configuration, licenses, and whether you have deployed conditional access policies.