HockeyGear - Canada's Answer to CISA's ScubaGear
Hey there fellow Canadian! Do you happen to run a tenant? Perhaps you've heard of or even used ScubaGear before? Maybe you've wondered if there was a way to test your tenant against Government of Canada guidelines? Well, so did I. If Cybersecurity and Infrastructure Security Agency could have a dedicated application for testing Microsoft 365 tenants against governement security standards, then why shouldn't Canada? Hence, I introduce to you the Canuck equivalent: HockeyGear.
What Exactly Is HockeyGear?
HockeyGear is a Microsoft 365 tenant protection toolkit built specifically with Canadian public‑sector realities in mind. It audits, hardens, and reports against the same standards federal departments are expected to follow: ITSG‑33, the GC Cloud Guardrails, and CCCS Microsoft 365 guidance. In other words, it gives Canadian administrators a way to validate their cloud posture against the rules that actually apply to them, not just generic best practices.
If you’ve ever tried to map CISA’s ScubaGear output to Canadian requirements, you already know the pain: different terminology, different controls, different expectations. HockeyGear closes that gap by providing a purpose‑built assessment aligned to Canadian cybersecurity doctrine.
Why I Built It
I’ve spent years managing tenants, supporting cloud migrations, and helping teams interpret government security requirements. One pattern kept repeating: Admins weren’t lacking effort; they were lacking tools.
ScubaGear proved that automated tenant assessments could be both accessible and powerful. But Canada needed its own version; one that speaks our language, reflects our standards, and supports our institutions. HockeyGear is my attempt to give Canadian admins something that feels familiar, practical, and proudly homegrown.
What You Can Do With HockeyGear
- Run automated audits against Canadian government cloud security expectations
- Generate reports that map findings directly to ITSG‑33 and GC Guardrails
- Identify misconfigurations before they become incidents
- Harden your tenant using actionable, Canada‑specific recommendations
- Support compliance teams with evidence‑based output they can actually use
Whether you’re in federal, provincial, municipal, education, healthcare, or simply a Canadian organization that wants to follow strong national guidance, HockeyGear gives you a structured way to validate your Microsoft 365 environment.
How It Works
HockeyGear follows a simple idea: make Canadian‑aligned tenant assessments easy, repeatable, and trustworthy. Under the hood, it uses a structured workflow that mirrors how security teams already think about cloud posture.
1. Connect to Your Tenant Securely
HockeyGear uses Microsoft’s official Graph API endpoints to gather configuration data from your Microsoft 365 tenant. No hacks, no workarounds just clean, supported API calls that respect least‑privilege principles.
2. Collect the Right Signals
Instead of pulling everything under the sun, HockeyGear focuses on the controls that matter for Canadian organizations. It gathers configuration details across:
- Identity & access management
- Conditional access
- Exchange Online
- SharePoint & OneDrive
- Teams
- Security defaults
- Logging & monitoring
- Compliance settings
This keeps the assessment focused, fast, and aligned with Canadian guidance.
3. Map Findings to Canadian Standards
This is where HockeyGear separates itself from generic tools. Every finding is mapped directly to:
- ITSG‑33 controls
- GC Cloud Guardrails
- CCCS Microsoft 365 guidance
The output doesn’t just tell you what is misconfigured it tells you why it matters in a Canadian context.
4. Generate a Clear, Actionable Report
The toolkit produces a structured report that highlights:
- Passed controls
- Failed controls
- Items requiring review
- Recommended remediation steps
- Relevant Canadian policy references
This makes it easy for admins, auditors, and security teams to understand the current posture and plan next steps.
5. Improve, Iterate, Repeat
Because HockeyGear is open source, organizations can:
- Extend the assessment
- Add custom controls
- Integrate it into CI/CD pipelines
- Automate recurring posture checks
It’s built to grow with your environment and with the Canadian cloud community.
Open Source, Transparent, and Built for the Community
HockeyGear is fully open source and available on GitHub. That means you can inspect the code, contribute improvements, fork it for your own environment, or simply use it as‑is. My goal is to build a community around Canadian cloud security- a place where admins can share ideas, raise issues, and help shape the future of the toolkit.
If ScubaGear can support an entire nation’s cloud posture, there’s no reason HockeyGear can’t do the same here.
A Call to Canadian Admins
If you manage a tenant in Canada, I’d love for you to try HockeyGear, break it, improve it, and help it grow. The more eyes and hands on it, the stronger it becomes, and the more secure our collective cloud footprint will be.
Canada deserves tools built for Canadians. HockeyGear is my contribution to that mission. Let me know your thoughts Communications Security Establishment Canada | Centre de la sécurité des télécommunications Canada and same with you!
Until next time, admins!
Comments