US government urges federal agencies to patch Microsoft 365 now

News
By
published

CISA issues binding directive concerning Microsoft 365

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
(Image credit: Shutterstock)
  • CISA issues BOD 25-01, the first binding directive of the year
  • It addresses Microsoft 365 security, which is under threat
  • Other cloud providers will be added soon, as well

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, which includes a set of rules and requirements to make sure the Microsoft 365 cloud environments meet its cybersecurity standards.

BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and assets, but CISA advises enterprises in the private sector to follow along, as well.

It revolves around deploying a custom automation configuration assessment tool (ScubaGear for Microsoft 365 audits), integrating with CISA’s continuous monitoring infrastructure, and then fixing any deviations from the list of required secure configuration baselines (SCB).

Mandatory policies

"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said.

"This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Here is what CISA demands FCEB organizations do:

- Identify all cloud tenants within the scope of this Directive by February 21, 2025.
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25, 2025
- Implement all mandatory SCuBA policies effective as of the Directive’s issuance no later than Friday, June 20, 2025
- Implement all future updates to mandatory SCuBA policies
- Implement all mandatory SCuBA Secure Configuration Baselines

The list of all mandatory policies can be found on the Required Configurations website. At press time, it included secure configuration baselines for Microsoft 365, Azure Active DIrectory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

Google and other cloud platforms are set to follow in the coming months.

CISA also has a list of mandatory actions, you can read more about those here.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
AI security shield
The US wants security requirements as standard to stop sensitive data from falling into enemy hands
Image of someone clicking a cloud icon.
Microsoft's new expanded logging capabilities could mean big changes for US government devices
Digital US flag
Biden orders review, new rules governing US national cybersecurity
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
CISA tells agencies to patch BeyondTrust bug now
China
US Government officials urged to lock down devices amid telecoms breach
Representational image depecting cybersecurity protection
CISA says Oracle and Mitel have critical security flaws being exploited
Latest in Security
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Security
Broadcom releases fixes for multiple VMware security flaws
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Latest in News
Microsoft UK CEO Darren Hardman AI Tour London 2025
Microsoft - UK can help drive the global AI future, but only with the proper buy-in
Asus Prime OC RTX 5070 graphics card with three fans, shown at an angle
Asus reveals Nvidia RTX 5070 launch pricing, and while one model is at MSRP – thankfully – the others make me want to give up my search for a next-gen GPU
Philips Hue lights being dimmed
Got Philips Hue lights? A free app update delivers these 3 improvements
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
iPad Air M3
The new iPad Air M3 is good value – but I’d still buy this iPad Pro model instead
Samsung Galaxy Z Fold 6
Samsung shows off a creaseless folding phone display – and it improves on the Galaxy Z Fold 6 design in 3 key ways
More about security
Security

Broadcom releases fixes for multiple VMware security flaws
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."

Major ransomware attack sees Tata Technologies hit - 1.4TB dataset with over 730,000 files allegedly stolen
Woman using iMessage on iPhone

Apple to take legal action against British Government over backdoor request
See more latest
Most Popular
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Internet outage
Microsoft launches new hyper-powered disaster recovery service for Cloud PCs
MacBook Air M4
Apple finally unveils the MacBook Air with the M4 chip – but the best news is the new price
65-inch Philips OLED Roku TV on a blue gradient background.
You can now get a Philips OLED TV with a Roku interface out of the box
Mac Studio M4 Max (2025)
Apple levels up the Mac Studio with the M4 Max and unveils its most powerful chip ever, the M3 Ultra
Google Chrome logo on a mobile phone's screen
Google asks US government to drop breakup plan over national security fears
Activo Volcano IEMs
These more affordable audiophile wired earbuds from a brand I love could knock Sennheiser off its perch
Asus Prime OC RTX 5070 graphics card with three fans, shown at an angle
Asus reveals Nvidia RTX 5070 launch pricing, and while one model is at MSRP – thankfully – the others make me want to give up my search for a next-gen GPU
Microsoft UK CEO Darren Hardman AI Tour London 2025
Microsoft - UK can help drive the global AI future, but only with the proper buy-in
Samsung Galaxy Z Fold 6
Samsung shows off a creaseless folding phone display – and it improves on the Galaxy Z Fold 6 design in 3 key ways