The US Cybersecurity and Infrastructure Security Agency (CISA) has issued the first binding operational directive (BOD) of 2025, requiring federal civilian agencies to secure their cloud environments. The directive aims to reduce the attack surface of federal networks by mandating secure practices for cloud services.
BOD 25-01 requires federal agencies to identify and secure specific cloud tenants using CISA-developed automated configuration assessment tools. These tools will help agencies assess their cloud environments against CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.
Federal agencies must take the following actions:
* Identify all cloud tenants within the scope of this directive by February 21st, 2025
* Deploy CISA-developed assessment tools for in-scope cloud tenants by April 25th, 2025, and begin continuous reporting
* Implement mandatory SCuBA policies effective June 20th, 2025
* Adopt future updates to mandatory SCuBA policies
CISA strongly advises all organizations to adopt this directive and prioritize securing their cloud environments. This is the third BOD issued by CISA in recent years, following directives on securing internet-exposed equipment and on vulnerable systems.
Source: https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-secure-microsoft-365-tenants