Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

US government urges federal agencies to patch Microsoft 365 now

Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol.

  • CISA issues BOD 25-01, the first binding directive of the year
  • It addresses Microsoft 365 security, which is under threat
  • Other cloud providers will be added soon, as well

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, which includes a set of rules and requirements to make sure the Microsoft 365 cloud environments meet its cybersecurity standards.

BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and assets, but CISA advises enterprises in the private sector to follow along, as well.

It revolves around deploying a custom automation configuration assessment tool (ScubaGear for Microsoft 365 audits), integrating with CISA’s continuous monitoring infrastructure, and then fixing any deviations from the list of required secure configuration baselines (SCB).

Mandatory policies

"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said.

"This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Here is what CISA demands FCEB organizations do:

- Identify all cloud tenants within the scope of this Directive by February 21, 2025.
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25, 2025
- Implement all mandatory SCuBA policies effective as of the Directive’s issuance no later than Friday, June 20, 2025
- Implement all future updates to mandatory SCuBA policies
- Implement all mandatory SCuBA Secure Configuration Baselines

The list of all mandatory policies can be found on the Required Configurations website. At press time, it included secure configuration baselines for Microsoft 365, Azure Active DIrectory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

Google and other cloud platforms are set to follow in the coming months.

CISA also has a list of mandatory actions, you can read more about those here.

Via BleepingComputer

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.