US government urges federal agencies to patch Microsoft 365 now

3 days ago 3
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
(Image credit: Shutterstock)

  • CISA issues BOD 25-01, the first binding directive of the year
  • It addresses Microsoft 365 security, which is under threat
  • Other cloud providers will be added soon, as well

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, which includes a set of rules and requirements to make sure the Microsoft 365 cloud environments meet its cybersecurity standards.

BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and assets, but CISA advises enterprises in the private sector to follow along, as well.

It revolves around deploying a custom automation configuration assessment tool (ScubaGear for Microsoft 365 audits), integrating with CISA’s continuous monitoring infrastructure, and then fixing any deviations from the list of required secure configuration baselines (SCB).

Mandatory policies

"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said.

"This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Here is what CISA demands FCEB organizations do:

- Identify all cloud tenants within the scope of this Directive by February 21, 2025.
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25, 2025
- Implement all mandatory SCuBA policies effective as of the Directive’s issuance no later than Friday, June 20, 2025
- Implement all future updates to mandatory SCuBA policies
- Implement all mandatory SCuBA Secure Configuration Baselines

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The list of all mandatory policies can be found on the Required Configurations website. At press time, it included secure configuration baselines for Microsoft 365, Azure Active DIrectory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

Google and other cloud platforms are set to follow in the coming months.

CISA also has a list of mandatory actions, you can read more about those here.

Via BleepingComputer

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article