CISA’s New Directive and Monitoring Microsoft


Federal agencies must now adhere to new rules outlined in a directive from the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the proper security of their cloud environments, particularly their Microsoft Office 365 cloud products.
In response to the rising number of attacks on cloud environments, CISA issued a new binding operational directive, BOD 25-01 Implementing Secure Practices for Cloud Services, on December 17, 2024. This directive mandates that Federal Civilian Executive Branch agencies adhere to baseline requirements for securely configuring their cloud environments. The purpose of this directive and its baselines is to better secure these agencies' cloud environments because “the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises,” as stated in the directive.
The baselines that agencies are required to follow, as they are released, are a set of requirements developed by CISA through its Secure Cloud Business Applications (SCuBA) project. Currently, CISA has only established SCuBA Secure Configuration Baselines for Microsoft Office 365 cloud tools, but CISA may eventually create baselines for other software-as-a-service (SaaS) products that these agencies commonly use, according to the directive.
Once CISA develops SCuBA baselines for a SaaS product and an agency is utilizing that product, there are four main actions laid out in the directive that a federal agency must take to ensure it complies:
- The first step is for the agency to implement the applicable SCuBA baselines for its cloud products.
- The next step is to utilize configuration assessment tools that will allow the agency to determine how well it is following the baselines.
- To keep CISA informed about the implementation of these baselines, an agency will also need to continuously report on how it is adhering to the directive’s requirements.
- Lastly, if an agency finds that its products have deviated from the baselines, the agency will need to take steps to ensure that they are once again in compliance with the baselines.
For more in-depth information about the BOD 25-01 requirements, read CISA’s directive.
What Are the Requirements for Microsoft?
As stated on the Binding Operational Directive 25-01 Required Configurations website, the Microsoft tools that are included in its SCuBA baselines are Azure Active Directory, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams. Some of the actions listed on the website that agencies will have to take to follow these baselines include enforcing “phishing-resistant” multi-factor authentication for all Azure Active Directory users, publishing a DMARC policy for all second-level domains in Exchange Online, limiting the external sharing of SharePoint content, and blocking contact with Skype users for Microsoft Teams.
While these are just some of the many requirements federal agencies will have to follow, these actions will allow them to have safer cloud environments.
Nagios Monitors Your Microsoft Assets

Several federal agencies use Nagios to monitor what matters in their IT infrastructure. With this new directive, all agencies need to ensure they comply, but it’s also important for them to make sure that they are monitoring their Microsoft products.
Nagios XI can monitor Microsoft Azure Cloud out of the box, but it does not come with out-of-the-box capabilities to monitor Azure Active Directory, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams. However, it still can monitor them due to its extensibility. Nagios XI’s architecture enables you to integrate plugins so that you can go beyond its built-in capabilities and monitor more of what’s critical in your IT infrastructure.
If you’re looking to extend XI’s monitoring capabilities, the Nagios Exchange is a valuable resource for finding useful plugins that you can integrate into XI. On the Exchange, you’ll find thousands of community-built plugins and add-ons, including some for checking your Azure Active Directory and monitoring SharePoint. If you can’t find a plugin that meets your needs, you can also create your own plugin to monitor your cloud products using our Nagios Plugin Development Guidelines.
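As an illustration of a custom check tied to one of the baseline items named above (a published DMARC policy per domain), here is an added example that is not Nagios or CISA code. It follows the standard Nagios plugin convention of one status line plus exit code 0/1/2/3. The TXT records are constructed sample data standing in for DNS answers at `_dmarc.<domain>`, and treating `p=none` or `p=quarantine` as WARNING is an assumption of this sketch, not something stated on this page.

```python
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # standard Nagios plugin exit codes
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def parse_dmarc(txt):
    """Parse a TXT string into a tag dict; None unless it starts with v=DMARC1 (RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    first = txt.split(";", 1)[0].replace(" ", "")
    return tags if first == "v=DMARC1" else None

def check_domain(domain, txt_records):
    """Return (status, message) for one domain given the TXT strings at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return CRITICAL, f"{domain}: no DMARC record published"
    if len(records) > 1:
        return CRITICAL, f"{domain}: {len(records)} DMARC records (receivers ignore all)"
    policy = records[0].get("p", "").lower()
    if policy == "reject":
        return OK, f"{domain}: p=reject"
    if policy in ("none", "quarantine"):
        # Assumption of this example: a non-reject policy is a warning, not a failure.
        return WARNING, f"{domain}: p={policy} (policy published but not reject)"
    return CRITICAL, f"{domain}: missing or invalid p= tag"

def run_check(zone):
    """zone maps domain -> list of TXT strings; returns (exit_code, one-line output)."""
    if not zone:
        return UNKNOWN, "DMARC UNKNOWN - no domains supplied"
    results = [check_domain(d, txts) for d, txts in sorted(zone.items())]
    worst = max(status for status, _ in results)
    problems = [msg for status, msg in results if status != OK]
    detail = "; ".join(problems) or f"{len(results)} domain(s) at p=reject"
    return worst, f"DMARC {LABELS[worst]} - {detail}"

# Constructed sample data standing in for DNS answers (no real lookups are made).
SAMPLE_ZONE = {
    "agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"],
    "legacy.example": ["v=DMARC1; p=none"],
    "parked.example": ["google-site-verification=abc123"],
}
if __name__ == "__main__":
    code, line = run_check(SAMPLE_ZONE)
    print(line)
    sys.exit(code)
```

In a deployed plugin, the `zone` dictionary would be filled from a resolver query for each monitored domain before calling `run_check`.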
Nagios XI also comes with out-of-the-box capabilities for monitoring your on-premises Microsoft assets. XI includes several Configuration Wizards for monitoring components like Exchange Servers, Windows servers, Microsoft 365 subscription services, and more. For example, you can use a Configuration Wizard in XI to monitor a Microsoft SQL Server.
Nagios offers solutions for monitoring assets, whether in the cloud or on-premises, to help secure IT environments and ensure critical systems operate optimally. For federal agencies, the ability to monitor key IT operations, such as Microsoft Office 365 products, is crucial. This capability not only ensures systems function as expected but also supports compliance with the requirements of BOD 25-01.