The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive to federal civilian agencies, requiring them to secure their cloud environments. The directive, BOD 25-01, instructs agencies to identify all of its cloud instances, implement assessment tools, and align with the agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.
CISA Director Jen Easterly stated that this directive is a “significant step” towards reducing risk across federal civilian enterprises. Threat actors are increasingly targeting cloud environments, using tactics to gain initial access. CISA urges all organizations to adopt this guidance.
The directive responds to recent threat activity and is part of a post-SolarWinds campaign aimed at creating a centralized approach to securing federal cloud configurations. Common cyber criminals use the same tactics as sophisticated actors.
CISA has developed SCuBA guidelines, issuing instructions for agency use of Google Workspace and Microsoft 365 in previous years. The new directive requires agencies to provide CISA with instance names and system-owning agencies by February 21, 2025. Agencies must deploy assessment tools by April 25, 2025, and implement required policies by June 20, 2025.
CISA will monitor agency adherence and provide additional resources as needed. The agency is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.
Source: https://cyberscoop.com/cisa-scuba-baselines-cloud-security-directive