Freely subscribe to our NEWSLETTER

"The directive forces these agencies to modernize their security controls in order to better protect against malicious actors and software. Given the increase in activity of both nation-state actors and ransomware groups targeting third-parties that contract with the federal government rather than the federal government itself, it has become even more important to not only ensure federal systems are protected, but also the organizations that the federal government contracts with in order to protect data and prevent large-scale incidents. Malicious actors will always go for the weakest link in the chain, which currently are the SMBs that frequently don’t have the knowledge, time, expertise, or budget for implementing recommended security controls.

"Most of the controls being required by the directive are part of Microsoft’s own best practices and should already in place. The controls and scanner are provided for free from CISA, so they can be implemented without any licensing costs. If an organization is using an enterprise M356 license, then they will likely have all the required controls available to them. However, organizations using F3 licenses or purchasing their M365 subscriptions through a third-party provider will likely need to upgrade their licenses or purchase additional licenses to gain access to the security controls required by the directive, such as Microsoft Purview. There will also be a time cost to implement the controls and update internal policies such as password management policies to reflect the new control requirements.

"Controls required by federal agencies frequently influence the controls implemented by private businesses both directly, through direct implementation of the controls based on the agency’s requirements, but also indirectly through regulatory bodies such as HITRUST and PCI-DSS that adopt the federal agency’s requirements as part of their own requirements. Additionally, by adopting federal controls, the effort required by leadership to create their own security controls is reduced while providing a tested and vetted method for ensuring the controls are implemented and can be easily tested through readily-available tools such as CISA’s SCuBA, without additional cost.

"The biggest challenge will be changing the user and management mindset for many of the historical security controls that no longer apply or work in today’s computing environments as well as the cost that would be involved if a business’s current license(s) don’t include the controls prescribed by the mandate. This could be something such as MFA, which may not be included in a business’s current service license and historically is seen by many as an unnecessary extra step, but significantly increases the authentication security of a business. Additionally, there may be regulations in place that a business has to follow that are in conflict with the CISA directive. For example, the new controls require that passwords are set to never expire. Historically, the industry standard was to change passwords every 60-90 days. However, research has shown that this actually decreases password security, but many organizations still do this because it has been the practice for decades and regulations such as PCI-DSS still require it."