Full Report
U.S. government agencies are required to bring their Microsoft 365 cloud services into compliance with a recent Binding Operational Directive. Here's how Tenable can help.

## Overview

Malicious threat actors are constantly targeting cloud environments. The risk of compromise can be reduced by enforcing secure configurations of security controls. With this goal in mind, the Cybersecurity and Infrastructure Security Agency (CISA) created the Secure Cloud Business Applications (SCuBA) project. The SCuBA project currently provides secure configuration baselines for Microsoft 365 and Google Workspace.

In December 2024, as part of the SCuBA project, CISA released Binding Operational Directive (BOD) 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services. This directive requires U.S. government agencies and departments in the federal civilian executive branch to implement secure configuration baselines for certain software as a service (SaaS) products.

## Scope

The scope of BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365. CISA may release additional SCuBA Secure Configuration Baselines for other cloud products, which would then fall under the scope of this directive.

The complete list of required configurations is available here. While CISA BOD 25-01 applies to government agencies, any organization using Microsoft 365 would reduce its risk of compromise by adhering to these baselines.

## Required actions

According to BOD 25-01, in-scope cloud tenant agencies shall complete the following actions by the dates given:

- February 21, 2025 - following CISA reporting instructions:
  - submit the tenant name and the system-owning agency/component for each tenant
  - submit an updated inventory annually in the first quarter
- April 25, 2025 - deploy SCuBA assessment tools and begin continuous reporting
- June 20, 2025 - implement all mandatory SCuBA policies identified at BOD 25-01 Required Configurations

In-scope cloud tenants are also required to:

- Implement all future updates to mandatory SCuBA policies
- Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring prior to granting an Authorization to Operate for new cloud tenants

## Required configurations

As of March 2025, the following configurations are required for BOD 25-01:

### Microsoft 365 (M365)

#### Microsoft Entra ID

- MS.AAD.1.1v1: Legacy authentication SHALL be blocked.
- MS.AAD.2.1v1: Users detected as high risk SHALL be blocked.
- MS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.
- MS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.
- MS.AAD.3.2v1: If phishing-resistant MFA has not been enforced yet, then an alternative MFA method SHALL be enforced for all users.
- MS.AAD.3.3v1: If phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
- MS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
- MS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for Highly Privileged Roles.
- MS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.
- MS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.
- MS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.
- MS.AAD.5.4v1: Group owners SHALL NOT be allowed to consent to applications.
- MS.AAD.6.1v1: User passwords SHALL NOT expire.
- MS.AAD.7.1v1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.
- MS.AAD.7.2v1: Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.
- MS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts that are separate from an on-premises directory or other federated identity providers.
- MS.AAD.7.4v1: Permanent active role assignments SHALL NOT be allowed for highly privileged roles except for emergency and service accounts.
- MS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system, because this bypasses critical controls the PAM system provides.
- MS.AAD.7.6v1: Activation of the Global Administrator role SHALL require approval.
- MS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.
- MS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.

#### Microsoft Defender

- MS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.
- MS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy.
- MS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy.
- MS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.
- MS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 Protection in the strict preset security policy.
- MS.DEFENDER.4.1v2: A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs).
- MS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.
- MS.DEFENDER.6.1v1: Microsoft Purview Audit (Standard) logging SHALL be enabled.
- MS.DEFENDER.6.2v1: Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users.

#### Exchange Online

- MS.EXO.1.1v1: Automatic forwarding to external domains SHALL be disabled.
- MS.EXO.2.2v2: An SPF policy SHALL be published for each domain that fails all non-approved senders.
- MS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.
- MS.EXO.4.2v1: The DMARC message rejection option SHALL be p=reject.
- MS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include [email protected].
- MS.EXO.5.1v1: SMTP AUTH SHALL be disabled.
- MS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.
- MS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.
- MS.EXO.7.1v1: External sender warnings SHALL be implemented.
- MS.EXO.13.1v1: Mailbox auditing SHALL be enabled.

#### Power Platform

- MS.POWERPLATFORM.1.1v1: The ability to create production and sandbox environments SHALL be restricted to admins.
- MS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.
- MS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.
- MS.POWERPLATFORM.3.1v1: Power Platform tenant isolation SHALL be enabled.

#### SharePoint Online and OneDrive

- MS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing Guests or Only People in your Organization.
- MS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing Guests or Only People in your Organization.
- MS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific People (only the people the user specifies).
- MS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View only.

#### Microsoft Teams

- MS.TEAMS.1.2v1: Anonymous users SHALL NOT be enabled to start meetings.
- MS.TEAMS.2.1v1: External access for users SHALL only be enabled on a per-domain basis.
- MS.TEAMS.2.2v1: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.
- MS.TEAMS.3.1v1: Contact with Skype users SHALL be blocked.
- MS.TEAMS.4.1v1: Teams email integration SHALL be disabled.

## Additional configurations

In addition to the required configurations, the following configurations can also be evaluated:

### Microsoft 365 (M365)

#### Microsoft Entra ID

- MS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are detected.
- MS.AAD.3.7v1: Managed devices SHOULD be required for authentication.
- MS.AAD.3.8v1: Managed devices SHOULD be required to register MFA.
- MS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.
- MS.AAD.8.1v1: Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects.
- MS.AAD.8.2v1: Only users with the Guest Inviter role SHOULD be able to invite guest users.

#### Microsoft Defender

- MS.DEFENDER.2.1v1: User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.
- MS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.
- MS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.
- MS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.
- MS.DEFENDER.4.2v1: The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.
- MS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.
- MS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.

#### Exchange Online

- MS.EXO.3.1v1: DKIM SHOULD be enabled for all domains.
- MS.EXO.4.4v1: An agency point of contact SHOULD be included for aggregate and failure reports.
- MS.EXO.12.1v1: IP allow lists SHOULD NOT be created.
- MS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.

#### Power Platform

- MS.POWERPLATFORM.2.2v1: Non-default environments SHOULD have at least one DLP policy affecting them.
- MS.POWERPLATFORM.5.1v1: The ability to create Power Pages sites SHOULD be restricted to admins.

#### SharePoint Online and OneDrive

- MS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
- MS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.
- MS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.
- MS.SHAREPOINT.3.3v1: Reauthentication days for people who use a verification code SHALL be set to 30 days or less.

#### Microsoft Teams

- MS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.
- MS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted automatically.
- MS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.
- MS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.
- MS.TEAMS.1.6v1: Meeting recording SHOULD be disabled.
- MS.TEAMS.1.7v1: Record an event SHOULD be set to Organizer can record.
- MS.TEAMS.2.3v1: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.
- MS.TEAMS.5.1v1: Agencies SHOULD only allow installation of Microsoft apps approved by the agency.
- MS.TEAMS.5.2v1: Agencies SHOULD only allow installation of third-party apps approved by the agency.
- MS.TEAMS.5.3v1: Agencies SHOULD only allow installation of custom apps approved by the agency.

## How Tenable can help

Tenable Vulnerability Management and Nessus customers can audit the posture of their Microsoft 365 environment with the CISA SCuBA for Microsoft 365 audit files:

- CISA SCuBA Microsoft 365 Entra ID
- CISA SCuBA Microsoft 365 Defender
- CISA SCuBA Microsoft 365 Exchange Online
- CISA SCuBA Microsoft 365 Power Platform
- CISA SCuBA Microsoft 365 SharePoint Online OneDrive
- CISA SCuBA Microsoft 365 Teams

More details for configuring your SCuBA Microsoft 365 environment for compliance auditing are available at Configure Azure for a Compliance Audit.
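The April 25, 2025 action, "deploy SCuBA assessment tools and begin continuous reporting", comes down to an evaluator that reads tenant state and scores it against policy identifiers like the ones listed above. The script below is an added example and not code from the page, from CISA's SCuBA tooling or from Tenable's audit files. It evaluates eight of the required policies (MS.AAD.1.1v1, MS.AAD.7.1v1, MS.AAD.7.4v1, MS.EXO.1.1v1, MS.EXO.2.2v2 and MS.EXO.4.1v1 through MS.EXO.4.3v1) against a constructed, offline tenant snapshot. The snapshot's field names, the sample domains and DNS records, and the `REQUIRED_RUA` placeholder (the page redacts the real CISA aggregate-report mailbox) are assumptions of this example.

```python
import re

# Placeholder for the CISA aggregate-report mailbox that MS.EXO.4.3v1 requires;
# the page redacts the real address, so this value is an assumption of the example.
REQUIRED_RUA = "mailto:reports@PLACEHOLDER.example"

# Constructed tenant snapshot (invented for this example). The field names are
# assumptions, not the schema of the SCuBA assessment tool or of Tenable's audit files.
SNAPSHOT = {
    "legacy_auth_blocked": True,                                     # MS.AAD.1.1v1
    "global_admins": ["ga-emergency-1", "ga-emergency-2", "alice"],  # MS.AAD.7.1v1
    "active_privileged_assignments": [                                # MS.AAD.7.4v1
        {"user": "ga-emergency-1", "role": "Global Administrator",
         "permanent": True, "emergency_or_service": True},
        {"user": "alice", "role": "Global Administrator",
         "permanent": True, "emergency_or_service": False},
    ],
    "external_auto_forwarding": False,                                # MS.EXO.1.1v1
    "second_level_domains": ["agency.example", "other.example"],
    "dns_txt": {                                                      # MS.EXO.2.2v2, MS.EXO.4.x
        "agency.example": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc.agency.example": [
            "v=DMARC1; p=reject; rua=mailto:reports@PLACEHOLDER.example,mailto:dmarc@agency.example"],
        "other.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
        "_dmarc.other.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@other.example"],
    },
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs; {} if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spf_hard_fails(txt):
    """True if txt is an SPF record whose 'all' mechanism carries the '-' (fail) qualifier."""
    tokens = txt.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return False
    alls = [t for t in tokens[1:] if re.fullmatch(r"[-~+?]?all", t, re.I)]
    return bool(alls) and alls[-1].startswith("-")


def dmarc_record(snapshot, domain):
    """Return the parsed DMARC record published at _dmarc.<domain>, or {} if none."""
    for txt in snapshot["dns_txt"].get(f"_dmarc.{domain}", []):
        parsed = parse_dmarc(txt)
        if parsed:
            return parsed
    return {}


def run_checks(snapshot):
    """Evaluate the selected policies; returns {policy_id: (passed, detail)}."""
    results = {}
    results["MS.AAD.1.1v1"] = (snapshot["legacy_auth_blocked"], "legacy authentication blocked")

    n_ga = len(snapshot["global_admins"])
    results["MS.AAD.7.1v1"] = (2 <= n_ga <= 8, f"{n_ga} Global Administrators (need 2 to 8)")

    # Permanent active assignments are tolerated only for emergency/service accounts.
    offenders = [a["user"] for a in snapshot["active_privileged_assignments"]
                 if a["permanent"] and not a["emergency_or_service"]]
    results["MS.AAD.7.4v1"] = (not offenders, f"permanent non-emergency assignments: {offenders}")

    results["MS.EXO.1.1v1"] = (not snapshot["external_auto_forwarding"], "external auto-forwarding")

    domains = snapshot["second_level_domains"]
    no_spf = [d for d in domains
              if not any(spf_hard_fails(t) for t in snapshot["dns_txt"].get(d, []))]
    results["MS.EXO.2.2v2"] = (not no_spf, f"domains without hard-fail SPF: {no_spf}")

    recs = {d: dmarc_record(snapshot, d) for d in domains}
    missing = [d for d, r in recs.items() if not r]
    results["MS.EXO.4.1v1"] = (not missing, f"domains without DMARC: {missing}")

    not_reject = [d for d, r in recs.items() if r.get("p", "").lower() != "reject"]
    results["MS.EXO.4.2v1"] = (not not_reject, f"domains where p != reject: {not_reject}")

    no_rua = [d for d, r in recs.items()
              if REQUIRED_RUA.lower() not in [u.strip().lower() for u in r.get("rua", "").split(",")]]
    results["MS.EXO.4.3v1"] = (not no_rua, f"domains whose rua lacks the required contact: {no_rua}")
    return results


def report(results):
    """Render one PASS/FAIL line per policy identifier for continuous reporting."""
    return "\n".join(f"{'PASS' if ok else 'FAIL'} {pid}: {detail}"
                     for pid, (ok, detail) in results.items())


if __name__ == "__main__":
    print(report(run_checks(SNAPSHOT)))
```

Run as-is, the constructed snapshot fails MS.AAD.7.4v1 (a permanent Global Administrator who is neither an emergency nor a service account), MS.EXO.2.2v2 (a domain with `~all` softfail instead of `-all`), MS.EXO.4.2v1 and MS.EXO.4.3v1 (a domain with `p=quarantine` and no required aggregate-report contact), which is the kind of per-policy finding an agency would feed into its continuous reporting. In a real deployment the snapshot would be populated from the tenant's admin APIs and from live TXT lookups, and the DMARC and SPF parsers would be applied unchanged to those records.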
Analysis Summary
# Regulation/Compliance: CISA BOD 25-01 (Security Configuration Benchmarks for Microsoft 365)
## Overview
This regulation outlines essential security configuration settings, specified through the Secure Cloud Business Applications (SCuBA) secure configuration baselines, that U.S. Government Agencies must implement and maintain across their Microsoft 365 environments (including Entra ID, Defender, Exchange Online, Power Platform, SharePoint Online/OneDrive, and Teams) to mitigate common cyber risks.
## Key Details
- Issuing Authority: Cybersecurity and Infrastructure Security Agency (CISA)
- Effective Date: The article gives December 2024 as the directive's release and sets action deadlines of February 21, 2025 (tenant reporting), April 25, 2025 (assessment tooling and continuous reporting) and June 20, 2025 (mandatory SCuBA policies implemented).
- Jurisdiction: U.S. Federal Government Agencies.
- Status: In Effect (Implied, as it discusses required compliance).
## Requirements
### Mandatory Requirements (Based on 'SHALL' directives implicit in baseline standards)
1. **SharePoint/OneDrive Link Expiration and Permissions (MS.SHAREPOINT.3.1v1, MS.SHAREPOINT.3.2v1):** Expiration days for Anyone links *must* be set to **30 days or less**, and allowable file and folder permissions for links *must* be set to **View only**.
2. **SharePoint/OneDrive Reauthentication (MS.SHAREPOINT.3.3v1):** Reauthentication days for users utilizing a verification code *must* be set to **30 days or less**.
3. **Application Installation Control (MS.TEAMS.5.1v1, MS.TEAMS.5.2v1, MS.TEAMS.5.3v1):** Agencies *must* only allow the installation of Microsoft, third-party, and custom applications that have been explicitly **approved** by the agency.
### Recommended Practices (Based on 'SHOULD' directives)
1. **External Meeting Desktop Control (MS.TEAMS.1.1v1):** External meeting participants *should not* be enabled to request control of shared desktops or windows.
2. **Anonymous/Dial-in Admission (MS.TEAMS.1.3v1):** Anonymous users and dial-in callers *should not* be admitted automatically.
3. **Dial-in Bypass Lobby (MS.TEAMS.1.5v1):** Dial-in users *should not* be enabled to bypass the lobby.
4. **Meeting Recording (MS.TEAMS.1.6v1):** Meeting recording *should* be disabled globally where possible. (If recording is enabled, **MS.TEAMS.1.7v1**: Set "Record an event" to "Organizer can record".)
5. **Unmanaged User Contact (MS.TEAMS.2.3v1):** Internal users *should not* be enabled to initiate contact with unmanaged users.
6. **Internal User Admission (MS.TEAMS.1.4v1):** Internal users *should* be admitted automatically to meetings.
## Affected Organizations
- Industries: U.S. Federal Government Agencies.
- Organization Size: Not explicitly segmented by size; applies to all covered agencies.
- Geographic Scope: Within the jurisdiction of the U.S. Federal Government network environments.
## Compliance Timeline
The article lists three dated actions for in-scope tenants: reporting by February 21, 2025, assessment tooling and continuous reporting by April 25, 2025, and implementation of all mandatory SCuBA policies by June 20, 2025, with future updates to mandatory policies to be implemented as they are released.
## Implementation Guidance
### Assessment Phase
- Use Configuration Audit files (e.g., **CISA SCuBA Microsoft 365 audit files**) with vulnerability management tools (like Tenable Vulnerability Management or Nessus) to audit the current posture of the Microsoft 365 environment against the required baselines (Entra ID, Defender, Exchange Online, etc.).
### Implementation Phase
- Configure specific settings within the M365 tenant administration portals (e.g., security center, Teams admin center) to meet the mandatory 'SHALL' and recommended 'SHOULD' controls outlined in the various SCuBA baselines (e.g., setting link permissions, configuring meeting defaults, restricting app installations).
### Validation Phase
- Re-run the specified **CISA SCuBA audit files** using approved scanners/tools to verify that the applied configurations now align with the directive's specified controls.
## Technical Requirements
The requirements translate directly into specific configurations within the Microsoft 365 tenant:
* **Link Lifespan:** Configure Anyone-link expiration to 30 days or less (MS.SHAREPOINT.3.1v1).
* **Access Control Lists (ACLs):** Restrict permissions on shared documents/folders to Read-Only (View only).
* **Authentication Policies:** Enforce short reauthentication periods (30 days or less) for verification codes.
* **Teams Meeting Policies:** Configure lobby settings, automatic admission rules, control sharing permissions, and meeting recording defaults.
* **Application Governance:** Establish rigorous approval workflows for installing any first-party, third-party, or custom applications within Teams.
## Penalties & Enforcement
The article focuses on the *requirements* of the BOD but **does not explicitly detail specific fines or penalties** for non-compliance with CISA BODs.
- **Other Consequences:** Non-compliance with a CISA Binding Operational Directive (BOD) carries significant legal and operational risk for federal agencies, potentially leading to remediation orders, security incidents, system isolation, congressional oversight, and severe organizational repercussions.
- **Enforcement:** BODs are federally mandated directives enforced via established federal cybersecurity governance structures.
## Related Standards
- **CISA SCuBA (Secure Cloud Business Applications) Secure Configuration Baselines:** The primary standard framework used to define the specific required settings across various Microsoft 365 components (Entra ID, Defender, Exchange Online, Power Platform, SharePoint/OneDrive, Teams).
- **NIST/FISMA/FedRAMP:** While not directly mentioned as the standard applied here, CISA BODs are typically derived from authoritative sources like NIST SP 800-53 and must align with existing federal compliance programs.
## Resources
- Official Documentation: CISA BOD 25-01 (The original directive document itself is the primary source).
- Guidance Documents: Tenable documentation detailing the mapping of SCuBA controls (e.g., documentation on configuring Azure for a Compliance Audit).
- Tools: Tenable Vulnerability Management, Tenable Security Center, and Nessus, utilizing the **CISA SCuBA for Microsoft 365** audit files for validation.
## Practical Recommendations
1. **Prioritize Auditing:** Immediately run the CISA SCuBA audit files for all affected M365 components to establish a baseline of non-compliance.
2. **Address Link Security:** Ensure all external sharing links adhere strictly to the "View only" requirement and review the expiration setting compliance.
3. **Strengthen Teams Defaults:** Review and update meeting policies to disable automatic admission for anonymous users and restrict desktop control requests from external participants.
4. **App Vetting Mandate:** Formalize and enforce the process for agency approval before any new application (including Microsoft Add-ins) is installed in the Teams environment.