CISA Orders Federal Agencies to Secure Microsoft 365 Environments

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed the Federal Civilian Executive Branch to implement more than 50 policies to secure Microsoft 365 environments.

The new policies, Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services, apply to Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.

CISA has the authority to secure the more than 100 agencies that make up the FCEB, which doesn’t include Defense, National Security, and Intelligence agencies. However, CISA said it “strongly recommends all stakeholders implement these policies … Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community.”

CISA plans guidance for other cloud environments next year, including Google Workspace. The new cloud security directive comes amid a flurry of activity from CISA, including a draft National Cyber Incident Response Plan, as the agency’s leadership prepares to depart next month when the new Administration takes office.

Microsoft 365 Security Issues

The Microsoft 365 directive comes after a year in which Microsoft 365 security came under heavy scrutiny. A U.S. Cyber Safety Review Board (CSRB) report earlier this year detailed “a cascade of security failures at Microsoft” that allowed China-linked threat actors in July 2023 to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.” A Congressional hearing followed, along with pledges by Microsoft to make security a top priority.

Amazon recently paused a Microsoft 365 rollout after discovering security issues, according to a Bloomberg report, bringing fresh attention to the issue.

CISA’s Microsoft 365 Directive

CISA’s timeline gives federal civilian agencies until June 20, 2025, to “comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and to remediate deviations from these policies under BOD 25-01.”

The first policy in the directive requires Entra ID (formerly Azure AD) tenants to block legacy authentication protocols that cannot enforce multi-factor authentication (MFA). Clients using these protocols present only a username and password, which makes them the usual path for password-spraying and credential-stuffing attacks and a bypass of Conditional Access; blocking them closes that gap.

Other Entra ID policies require that high-risk users and high-risk sign-ins be blocked, that phishing-resistant MFA be enforced (or, where that is not yet possible, an alternative MFA method), and that the Authentication Methods policy migration be set to Migration Complete. Roughly two-thirds of the 21 policies in the Entra ID section concern securing privileged accounts.
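The Entra ID controls above are implemented as Conditional Access policies. The following script, an added example that is not code from the original post or from CISA, creates them with the Microsoft Graph PowerShell SDK in report-only mode so that the sign-in logs show what would be blocked before anything is enforced. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope, and that `$BreakGlassGroupId` (a placeholder) holds the object ID of an emergency-access group that every policy excludes.

```powershell
# Added example (not from the original post or from CISA): Entra ID Conditional Access
# policies for the BOD 25-01 controls, created in report-only mode.
# Assumptions: Microsoft.Graph SDK installed; caller can consent to the scopes below;
# $BreakGlassGroupId is a placeholder for your emergency-access group's object ID.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Look up the built-in "Phishing-resistant MFA" authentication strength by name
# rather than hard-coding its ID.
$prMfa = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $prMfa) { throw 'Built-in phishing-resistant MFA strength not found' }

# Every policy targets all users and all cloud apps, minus the break-glass group.
# $Extra lets a policy add or override condition keys (e.g. clientAppTypes).
function New-Scope {
    param([hashtable]$Extra = @{})
    $c = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    foreach ($k in $Extra.Keys) { $c[$k] = $Extra[$k] }
    return $c
}

$block = @{ operator = 'OR'; builtInControls = @('block') }
$policies = @(
    @{  displayName   = 'BOD 25-01 - Block legacy authentication'
        # Legacy clients (basic auth, Exchange ActiveSync) cannot satisfy MFA, so the
        # only sensible grant is "block".
        conditions    = New-Scope -Extra @{ clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = $block }
    @{  displayName   = 'BOD 25-01 - Block high-risk users'
        conditions    = New-Scope -Extra @{ userRiskLevels = @('high') }
        grantControls = $block }
    @{  displayName   = 'BOD 25-01 - Block high-risk sign-ins'
        conditions    = New-Scope -Extra @{ signInRiskLevels = @('high') }
        grantControls = $block }
    @{  displayName   = 'BOD 25-01 - Require phishing-resistant MFA'
        conditions    = New-Scope
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $prMfa.Id } } }
)

# Idempotent: skip policies that already exist by display name.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Select-Object -ExpandProperty DisplayName
foreach ($p in $policies) {
    if ($existing -contains $p.displayName) {
        Write-Host "exists:  $($p.displayName)"
        continue
    }
    # Report-only first. Switch to 'enabled' only after reviewing the sign-in logs for
    # legitimate service accounts, printers or devices that would be cut off.
    $p.state = 'enabledForReportingButNotEnforced'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
    Write-Host "created (report-only): $($p.displayName)"
}
```

Report-only mode is the caveat that matters in practice: the legacy-authentication block in particular tends to surface old multifunction printers and scripts that still use basic auth, and those need migrating before the policy state is flipped to `enabled`.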

Defender policies call for enabling standard and strict preset security policies, protecting sensitive accounts and information, and enabling logging and alerts.

Exchange policies include disabling SMTP AUTH and automatic forwarding to external domains, implementing SPF and DMARC policies, and enabling external sender warnings and mailbox auditing.
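The Exchange Online settings above can be checked and, where they are tenant-wide, corrected from the ExchangeOnlineManagement module. The script below is an added example, not code from the original post or from CISA; it assumes ExchangeOnlineManagement v3 or later, an Exchange Administrator role, and Windows (the `Resolve-DnsName` cmdlet comes from the DnsClient module). It reports each control and only changes anything when run with `-Remediate`.

```powershell
# Added example (not from the original post or from CISA): assess the Exchange Online
# settings named above; fix the tenant-wide ones only when -Remediate is passed.
# Assumptions: ExchangeOnlineManagement v3+, Exchange Administrator role, Windows.
param([switch]$Remediate)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Each control: Test returns $true when compliant; Fix is the remediation cmdlet.
$controls = @(
    @{ Name = 'SMTP AUTH disabled tenant-wide'
       Test = { (Get-TransportConfig).SmtpClientAuthenticationDisabled -eq $true }
       Fix  = { Set-TransportConfig -SmtpClientAuthenticationDisabled $true } }
    @{ Name = 'Auto-forwarding to remote domains disabled'
       Test = { (Get-RemoteDomain -Identity Default).AutoForwardEnabled -eq $false }
       Fix  = { Set-RemoteDomain -Identity Default -AutoForwardEnabled $false } }
    @{ Name = 'Outbound spam policy: automatic forwarding off'
       Test = { (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode -eq 'Off' }
       Fix  = { Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off } }
    @{ Name = 'Mailbox auditing enabled'
       Test = { (Get-OrganizationConfig).AuditDisabled -eq $false }
       Fix  = { Set-OrganizationConfig -AuditDisabled $false } }
    @{ Name = 'External sender tag in Outlook'
       Test = { @(Get-ExternalInOutlook | Where-Object { -not $_.Enabled }).Count -eq 0 }
       Fix  = { Set-ExternalInOutlook -Enabled $true } }
)

foreach ($c in $controls) {
    if (& $c.Test) { Write-Host "PASS  $($c.Name)"; continue }
    Write-Host "FAIL  $($c.Name)"
    if ($Remediate) { & $c.Fix; Write-Host "FIXED $($c.Name)" }
}

# The tenant-wide SMTP AUTH block can be overridden per mailbox ($false = explicitly
# enabled, $null = inherit). Overrides are reported, not changed, because each one
# usually belongs to a device or application that needs a migration plan.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    ForEach-Object { Write-Host "FAIL  SMTP AUTH explicitly enabled on $($_.PrimarySmtpAddress)" }

# SPF and DMARC are DNS records, not tenant settings: check every authoritative
# custom domain. Long TXT records come back as several strings, hence the -join.
$domains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' -and $_.DomainName -notlike '*.onmicrosoft.com' }
foreach ($d in $domains) {
    $name  = $d.DomainName
    $spf   = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=spf1' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=DMARC1' }
    if ($spf)   { Write-Host "PASS  SPF   $name  $spf" }   else { Write-Host "FAIL  SPF   $name  no v=spf1 record" }
    if ($dmarc) { Write-Host "PASS  DMARC $name  $dmarc" } else { Write-Host "FAIL  DMARC $name  no _dmarc record" }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Two of the findings deserve a closer look before remediation: disabling SMTP AUTH tenant-wide breaks any device or application that still relays mail with basic credentials, and the DMARC check only reports whether a record exists and what it says, so the `p=` policy it carries still has to be reviewed by hand.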

Power Platform policies call for limiting trial, production, and sandbox creation to admins, creating a DLP policy to restrict connector access in the default Power Platform environment, and enabling tenant isolation.

SharePoint Online and OneDrive policies include restricting external sharing at the tenant level, limiting how files and folders can be shared by link, and preventing custom scripts on self-service created sites.

Teams controls include limiting access for external, unmanaged, and anonymous users, blocking contact with Skype, and disabling email integration.

CISA also provides assessment tools and guidance through the Secure Cloud Business Applications (SCuBA) project, including ScubaGear, a PowerShell tool that checks a Microsoft 365 tenant against the baselines and reports deviations.

Conclusion

CISA has provided federal agencies with strong best practices for securing Microsoft 365 environments. These policies, based on principles of least privilege and strict authentication and access control, could also apply to other cloud environments.

Cyble’s Cloud Security Posture Management (CSPM) and threat intelligence tools offer organizations automated, cost-effective cloud compliance and monitoring, with the ability to detect misconfigurations and leaks before they turn into major incidents.

The post CISA Orders Federal Agencies to Secure Microsoft 365 Environments appeared first on Cyble.