Federal US government agencies have been given six months to secure their Microsoft 365 environments according to specific guidelines, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has announced. CISA has the option to oblige federal government agencies to take certain actions via a “Binding Operational Directive” in order to protect federal information and systems.
Binding Operational Directive 25-01 is about implementing ‘secure practices’ for cloud services. Government agencies must follow the ‘secure configuration baselines’ drawn up by CISA. “Maintaining secure configuration baselines is essential in the dynamic cybersecurity landscape, where vendor changes, software updates and evolving security best practices shape the threat environment,” CISA said.
Just as software suppliers regularly release security updates, it is also necessary to adjust security configurations, according to the American cyber agency. “Outdated security configurations expose systems to exploits that are easily resolved through recommended and mandatory security configurations.” Such configurations also continue to evolve, CISA adds.
The order now issued applies to all cloud environments for which CISA has established secure configuration baselines. Currently, this is only Microsoft 365. Federal government agencies must now provide information about their Microsoft 365 environments to CISA by February 21. An assessment tool must then be used before April 25 to assess the current configurations. Finally, the mandatory configurations must be completed before June 20. The configuration includes specific settings for Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive and Microsoft Teams.
In short:
| Key Points | Details |
|---|---|
| Deadline for Compliance | Federal agencies must secure Microsoft 365 environments within six months. |
| Directive Issued | CISA’s Binding Operational Directive 25-01 mandates secure practices for cloud services. |
| Importance of Configuration | Agencies must maintain secure configuration baselines to protect against evolving threats. |
| Reporting Requirements | Agencies must report their Microsoft 365 configurations to CISA by February 21. |
| Completion Date for Configurations | Mandatory configurations are due by June 20, covering various Microsoft 365 components. |