Dive Brief:
- The Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies to meet configuration baselines in their Microsoft 365 environments, the agency said Tuesday in a binding operational directive.
- “In a number of recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and has resulted in actual compromises,” Matt Hartman, deputy executive assistant director for cybersecurity at CISA, said in a Tuesday media briefing.
- The mandate requires federal civilian agencies to identify all Microsoft 365 cloud tenants by Feb. 21, 2025, and implement CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines by June 20, 2025.
Dive Insight:
CISA said the mandate to secure cloud environments is a response to recent cybersecurity incidents, but not one specific threat. Officials declined to provide details about recent malicious activity that prompted the agency’s binding operational directive.
The directive continues CISA’s work to create a consistent approach to securing federal cloud environments, an effort that began after the 2019 supply chain attack spree targeting SolarWinds.
“Outdated security configurations expose systems to exploits that can be easily mitigated by recommended and mandatory security configurations,” Hartman said.
The order requires federal civilian agencies to provide CISA with the tenant name and system owning agency for all Microsoft 365 cloud tenants and update that inventory in annual reports to the agency.
“While this directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance,” CISA Director Jen Easterly said in a statement. “When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
CISA’s current list of required configurations includes baselines for multiple Microsoft 365 services, including Azure Active Directory and Entra ID, Microsoft Defender, Exchange Online, Microsoft Teams, Power Platform, SharePoint Online and OneDrive.
The directive only applies to Microsoft 365 environments, but CISA said it may release SCuBA secure configuration baselines for other cloud services.
“Microsoft has been an active supporter and participant in helping CISA develop SCuBA to create a consistent baseline across civilian agencies,” a Microsoft spokesperson said in a Wednesday email. “We support CISA’s expeditious efforts and close partnership in the co-development of actionable and scalable security guidance via the directive issued yesterday.”
Editor’s note: This story has been updated to include comments provided by Microsoft.