The Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 17 issued Binding Operational Directive (BOD) 25-01, which ordered federal civilian agencies to implement CISA’s secure cloud practices for Microsoft 365 environments.

BOD 25-01 requires federal civilian agencies to identify specific cloud tenants, implement CISA’s assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

For now, CISA has only completed the recommendations for Microsoft 365 cloud products, but will follow with other cloud tools next year. For example, a set of recommendations for Google Workspace is expected by the first part of 2025.

Based on yesterday's BOD, agencies were ordered to identify all the Microsoft cloud tenants by Feb. 21, 2025, deploy all SCuBA assessment tools by April 25, 2025, and implement all SCuBA policies by June 20, 2025.

The SCuBA tools lay out detailed recommendations for securing the following Microsoft 365 products: Defender for Office 365, Entra ID, Exchange Online, SharePoint and OneDrive for Business, Power BI, Power Platform, and Teams.

CISA said it issued BOD 25-01 because recent cybersecurity incidents highlighted the significant risks posed by misconfigurations and weak security controls in cloud environments. The agency said attackers can take advantage of these security gaps to gain unauthorized access, exfiltrate data, or disrupt services.

The aim: further reduce the attack surface of federal government cloud networks.

CISA’s directive highlights known cloud risks and that misconfigured systems expose agencies to threats, said Jason Soroko, senior fellow at Sectigo.
Soroko added that setting baselines and enforcing them reduces the attack surface.

While many security pros often think that private companies will follow these important CISA directives, Soroko pointed out that for a typical mid-sized business, implementing similar controls is costly, adding that tools, consultants, and training strain budgets.

“They have a hard enough time understanding the merits of MFA,” said Soroko. “These businesses typically only have IT generalists who are motivated to keep the lights on rather than go through configurations with a fine-toothed comb.”

While government guidance often influences larger private sector companies, Soroko said adoption lags.

“Many firms resist due to cost and complexity,” said Soroko. “Still, clear government standards can slowly shift industry norms, but it normally only works if it forces vendors who are also selling into government contracts.”

Billy Hoffman, Field CTO at IONIX, added that these are clear and reasonable steps, showing not only government agencies but also private business how they should approach securing their cloud environments. Hoffman said the first step is to build an inventory of all cloud tenants and assets and determine who’s the owner.

“While simple in concept, its size and scale can make this challenging,” said Hoffman. “I routinely speak with large companies that find cloud accounts they didn't know about. This can happen from acquisitions, shadow IT, or partners and contractors. Government agencies usually have a much more centralized IT organization, as well as stricter controls on budgets and spending, so they tend to have less shadow IT.”

The new BOD from CISA requires federal agencies to improve their IT hygiene for cloud hosted services supporting their needs, said Jim Routh, chief trust officer at Saviynt.
Routh said the configuration management requirements in cloud computing are different from IT assets hosted in proprietary data centers.

“Federal agencies with legacy infrastructure (non-cloud) must apply a different way to manage the configuration of cloud hosted IT assets that includes discovery, asset inventory management, configuration management and vulnerability management,” added Routh.
Cloud Security, Endpoint/Device Security, Government Regulations
CISA orders federal agencies to secure Microsoft 365 cloud apps
