Article Details

Original Article Text


CISA orders federal agencies to secure Microsoft 365 tenants. CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their cloud environments by implementing a list of required secure configuration baselines (SCBs). While CISA has so far finalized SCBs only for Microsoft 365, it plans to release baselines for other cloud platforms, starting with Google Workspace (anticipated to enter scope in Q2 of FY 2025).

This government-wide directive aims to reduce the attack surface of federal networks by mandating secure practices for the cloud services that Federal Civilian Executive Branch (FCEB) systems and assets rely on. BOD 25-01 requires FCEB agencies to deploy CISA-developed automated configuration assessment tools (ScubaGear for Microsoft 365 audits), integrate with CISA's continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines within predefined timeframes.

"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said today. "This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."

For all in-scope cloud tenants, FCEB agencies must take the following actions:

The current list of mandatory policies is available on the Required Configurations website. At the moment, it only includes secure configuration baselines for Microsoft 365 products: Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.
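The assessment step the directive describes (run CISA's ScubaGear against each in-scope Microsoft 365 tenant, then find and remediate deviations from the baselines), shown below as an added example; it is not code from the article or from the ScubaGear project. It assumes the ScubaGear module installed from the PowerShell Gallery with its Initialize-SCuBA and Invoke-SCuBA cmdlets, a commercial tenant, an output folder under the user profile, and a simplified layout of the ScubaResults JSON (product keys under Results, control groups with a Controls array carrying Control ID, Requirement, Result and Criticality). Those field names are an assumption and must be checked against the version you install; the cmdlet parameters should be confirmed against that version's documentation as well.

```powershell
# Added example, not code from the article or from CISA's ScubaGear project.
# Runs CISA's ScubaGear assessment against one Microsoft 365 tenant and lists
# the baseline checks that did not pass, i.e. the "deviations" an agency must
# remediate under BOD 25-01.
#
# Assumptions (not stated on the page):
#   - ScubaGear comes from the PowerShell Gallery; Initialize-SCuBA and
#     Invoke-SCuBA are used as documented for the version installed;
#   - the signed-in account holds the read-only directory and service roles
#     ScubaGear's documentation asks for;
#   - the field names read from the results JSON (Results, Controls,
#     "Control ID", Requirement, Result, Criticality) are a simplified reading
#     of the ScubaResults file and must be verified against your version.

# 1. One-time setup: install the module and its dependencies (Initialize-SCuBA
#    fetches the OPA binary and the Graph / Exchange / Teams modules it calls).
Install-Module -Name ScubaGear -Scope CurrentUser
Initialize-SCuBA

# 2. Assess the six products that currently have finalized baselines.
#    Use -M365Environment gcc, gcchigh or dod for those tenant types.
$outPath = Join-Path $env:USERPROFILE 'ScubaReports'
Invoke-SCuBA -ProductNames aad, defender, exo, powerplatform, sharepoint, teams `
             -M365Environment commercial `
             -OutPath $outPath

# 3. Read the newest results file and emit one object per non-passing control.
function Get-ScubaFailures {
    param([Parameter(Mandatory)][string]$ReportRoot)

    $latest = Get-ChildItem -Path $ReportRoot -Recurse -Filter 'ScubaResults*.json' |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if (-not $latest) { throw "No ScubaResults JSON found under $ReportRoot" }

    $report = Get-Content -Path $latest.FullName -Raw | ConvertFrom-Json

    # Assumed layout: Results is keyed by product; each product holds control
    # groups; each group holds the individual controls with their status.
    foreach ($product in $report.Results.PSObject.Properties) {
        foreach ($group in $product.Value) {
            foreach ($control in $group.Controls) {
                if ($control.Result -ne 'Pass') {
                    [pscustomobject]@{
                        Product     = $product.Name
                        ControlId   = $control.'Control ID'
                        Criticality = $control.Criticality   # Shall = mandatory, Should = recommended
                        Result      = $control.Result
                        Requirement = $control.Requirement
                    }
                }
            }
        }
    }
}

# Mandatory ("Shall") failures are the deviations to remediate first; treat
# Warning and N/A rows as items to review rather than confirmed gaps.
Get-ScubaFailures -ReportRoot $outPath |
    Where-Object { $_.Result -eq 'Fail' } |
    Sort-Object Criticality, Product, ControlId |
    Format-Table -AutoSize
```

Invoke-SCuBA prompts for an interactive sign-in to the tenant; the same assessment can be scheduled non-interactively with a service principal, which is the shape an agency would use to feed results into continuous monitoring, but that setup is outside this example. The Sort-Object on Criticality puts "Shall" rows before "Should" rows so the mandatory baseline policies surface first.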
While BOD 25-01 applies only to federal civilian agencies, CISA strongly advises all organizations to adopt the same baselines and prioritize securing their cloud environments, which would significantly reduce their attack surface and breach risk. Last year, CISA issued another binding operational directive (BOD 23-02) ordering federal agencies to secure Internet-exposed or misconfigured networking equipment within 14 days of discovery. Two years before that, BOD 22-01 required FCEB agencies to reduce the risk from known exploited vulnerabilities by remediating them within an aggressive timeline.

Daily Brief Summary

MISCELLANEOUS // U.S. Federal Agencies Ordered to Secure Microsoft 365 Environments

CISA has issued Binding Operational Directive 25-01 (BOD 25-01), which requires federal civilian agencies to implement secure configuration baselines for their cloud services, initially focusing on Microsoft 365.

The directive is part of a broader effort to minimize the attack surface on federal networks by enforcing stronger security practices across cloud platforms.

Agencies are required to deploy CISA-developed tools, such as ScubaGear for Microsoft 365, to audit their tenants, integrate with CISA's continuous monitoring infrastructure, and remediate deviations from the baselines within set timeframes.

The initiative aims to address risks posed by misconfigurations and weak security controls in cloud environments, which can lead to unauthorized access, data exfiltration, or service disruptions.

Besides Microsoft 365, CISA plans to extend these security baselines to other cloud platforms like Google Workspace, with implementation expected in the second quarter of FY 2025.

Although BOD 25-01 specifically targets federal civilian agencies, CISA strongly recommends that all organizations adopt these practices to enhance their cloud security and reduce potential breach risks.

Previous directives by CISA have addressed related risks under strict deadlines: BOD 23-02 covered securing internet-exposed or misconfigured network equipment, and BOD 22-01 covered mitigating known exploited vulnerabilities.