Add additional M365 compliance framework support for CISA M365 Secure Configuration Baselines
New feature motivation
The goal of this feature request is to expand Prowler’s compliance coverage to include CISA SCuBA (Secure Cloud Business Applications) baselines for Microsoft 365 services. SCuBA is a U.S. government endorsed, vendor-neutral framework that provides detailed, risk-informed secure configuration guidance for widely used SaaS platforms like M365 (and Google Workspace).
It also doesn't appear that any other CSPM platform supports native SCuBA mapping (including Wiz, Prisma Cloud, Tenable, Qualys, MS Defender). Those platforms tend to focus only on CIS benchmarks, so supporting SCuBA out-of-the-box would give Prowler an advantage.
Adding SCuBA support would allow Prowler to:
- Support security teams in implementing Zero Trust-aligned controls using a well-defined, public framework.
- Enable broader use across public sector and regulated industries (e.g., SLED, healthcare, critical infrastructure) that rely on federal benchmarks for security assurance.
- Complement existing CIS-based checks by adding an authoritative U.S. government configuration standard tailored for SaaS environments.
SCuBA is gaining traction beyond government, and incorporating these baselines into Prowler would provide immediate value to a growing audience looking to validate M365 environments against trusted, prescriptive security standards.
Solution Proposed
Add support for additional Microsoft 365-related compliance frameworks based on the CISA SCuBA baselines. These are publicly available configuration baselines maintained by CISA and could significantly expand Prowler’s M365 assessment capabilities.
Based on the CISA SCuBA Project and the associated ScubaGear GitHub repository, I’d like to suggest adding compliance mappings and checks for the following M365 services, as defined by CISA:
- Entra ID
- Defender
- Exchange Online
- Power BI
- Power Platform
- SharePoint Online
- Teams
Describe alternatives you've considered
None
Additional context
No response
Hi @ObscureAintSecure,
Thanks for your suggestion! We'll take it into account for future developments.
Hi all, any update on this?
Hi all, any update on this?
Hi @za, it's on our backlog, but we don't have an ETA.