Security that empowers your mission

Zero Trust

The Executive Order on Improving the Nation’s Cybersecurity puts Zero Trust at the center of the nation’s cybersecurity strategy, requiring federal agencies to implement advanced security measures to significantly reduce the risk of successful cyberattacks on the government’s digital infrastructure.

The federal Zero Trust strategy outlined in Memorandum 22-09 aligns with the CISA Zero Trust Maturity Model's five pillars: identity, devices, networks, applications and workloads, and data, and emphasizes the importance of visibility and analytics, automation and orchestration, and governance to minimize uncertainty and keep access as granular as possible.

For the DOD and IC communities, the National Security Memorandum-08 and DOD Zero Trust Strategy further emphasizes the importance of Zero Trust architecture in securing the DOD's digital infrastructure against evolving cyber threats.

Secure Cloud Adoption

For the federal government, the move to the cloud itself is a step to improve agency security postures. Underscored by the Section 3 of the Cyber EO, the ZT Memorandum 22-09, and the National cybersecurity Strategy, an increasing number of federal best practices and requirements have emerged to keep federal cloud solutions secure as agencies accelerate their adoption of cloud services.

Similarly, FedRAMP and NIST SP 800-53 set mandatory standards to validate cloud security. Microsoft's government cloud services meet the demanding requirements of FedRAMP, enabling federal agencies to benefit from the cost savings and rigorous security of the Microsoft Cloud.

Microsoft’s investment in DoD IL6 PA for Defense and Intel communities also aligns with the department’s OCONUS cloud strategy including building Azure/Office 365 Secret, and Azure Top Secret classified clouds to provide U.S. Government customers with secure cloud capabilities at all classification and Impact Levels.

As an awardee of the Joint Warfighting Cloud Capability (JWCC) contract, secure cloud technology is directly available to all of the DoD in one vehicle, enabling warfighters and those that support them to leverage the most advanced cloud capabilities to meet their mission objectives.

Identity Modernization

With the expansion of a mobile federal workforce, agencies must redefine their security perimeter to access data anytime, anywhere. Government applications and data moving from on-premises to hybrid and cloud environments increases organizational endpoints and the risk of compromised credentials, devices, and applications.

As protection against these threats, Memorandum 22-09 requires that agencies consolidate their identity platforms to agency-managed identity systems. Similarly, the NIST SP 800-63 Digital Identity Guidelines provide technical requirements for federal agencies implementing digital identity services, including identity proofing and authentication of users interacting with government IT systems over open networks.

With the Microsoft Entra portfolio, enterprise-wide identity management system Azure Active Directory (Azure AD) provides multifactor authentication and authorization to meet identity-related requirements.

Security Operations & Modern Log Management

Security operations centers (SOCs) face rapidly evolving, constantly expanding data streams from across the organization that slow response times and delay threat hunting. To improve security operations, and accelerate the ability to detect, investigate, and remediate cyber threats, Memorandum 21-31 requires federal government agencies to rapidly move toward standardized and comprehensive log event management.

Microsoft provides federal agencies with a suite of security capabilities, including enhanced visibility in asset inventory, rapid threat triage and investigation, enhanced network visibility, cloud-native SIEM/SOAR, user and entity behavior analytics, and cyber threat intelligence capabilities. These solutions, and more, leverage Microsoft's ecosystem of signals collection capabilities to support federal security operations and to operationalize data more effectively.

Secure Software Development

Rooted in trusted source code and secure software development, software supply chain security is essential to protecting agencies and their data. NIST’s definition of “critical software"and security measures for critical software build upon the Cyber EO’s call on agencies to prioritize risk management efforts, including implementing security measures for agency management of critical software. These security measures also align with the NIST Secure Software Development Framework (SSDF) and other recent CISA guidance that highlight the importance of using supported software and deploying patches.

Addressing software security is not new to Microsoft, having long invested in developing best practices for secure software development, source code testing, open source software distribution, and vulnerability disclosure and management programs. Microsoft knows that secure software development and DevSecOps automation are critical components of an agency’s security posture. Ensuring that security is baked in from the start, Microsoft’s SDL exceeds the requirements of SSDF and is monitored continuously.