CISA orders federal agencies to secure Microsoft 365 tenants

​CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their cloud environments by implementing a list of required secure configuration baselines (SCBs).

While CISA has only finalized the SCBs for Microsoft 365, it plans to release additional baselines for other cloud platforms, starting with Google Workspace (anticipated to enter scope in Q2 of FY 2025).

This government-wide directive aims to reduce the attack surface of federal networks by requiring mandatory secure practices for cloud services to protect Federal Civilian Executive Branch (FCEB) systems and assets.

BOD 25-01 requires FCEB agencies to deploy CISA-developed automated configuration assessment tools (ScubaGear for Microsoft 365 audits), integrate with the cybersecurity agency's continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines within predefined timeframes.

"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said today.

"This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."

For all in-scope cloud tenants, FCEB agencies must take the following actions:

1. Identify all cloud tenants within the scope of this Directive no later than Friday, February 21st, 2025.
2. Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25th, 2025, and begin continuous reporting on the requirements of this Directive.
3. Implement all mandatory SCuBA policies effective as of this Directive's issuance no later than Friday, June 20th, 2025.
4. Implement all future updates to mandatory SCuBA policies.
5. Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants before granting an Authorization to Operate (ATO).

The current list of mandatory policies is available on the Required Configurations website. At the moment, it only includes secure configuration baselines for Microsoft 365 products, including Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

While BOD 25-01 only applies to federal civilian agencies, CISA strongly advises all organizations to adopt this directive and prioritize securing their cloud environments to significantly reduce their attack surface and breach risks.

Last year, CISA issued another binding operational directive (BOD 23-02) ordering federal agencies to secure Internet-exposed or misconfigured networking equipment within 14 days of discovery.

Two years before, the cybersecurity agency's BOD 22-01 mandated FCEB agencies to reduce the increased risk behind known exploited vulnerabilities by mitigating them within an aggressive timeline.