CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their cloud environments by implementing a list of required secure configuration baselines (SCBs).
While CISA has only finalized the SCBs for Microsoft 365, it plans to release more baselines for other cloud platforms, starting with Google Workspace (expected to enter scope in Q2 of FY 2025).
This government-wide directive aims to reduce the attack surface of federal networks by requiring mandatory secure practices for cloud services to protect Federal Civilian Executive Branch (FCEB) systems and assets.
BOD 25-01 requires FCEB agencies to deploy CISA-developed automated configuration assessment tools (ScubaGear for Microsoft 365 audits), integrate with the cybersecurity agency's continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines within predefined timeframes.
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” CISA said today.
“This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.”
For all in-scope cloud tenants, FCEB agencies must take the following actions:
- Identify all cloud tenants within the scope of this Directive no later than Friday, February 21st, 2025.
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25th, 2025, and begin continuous reporting on the requirements of this Directive.
- Implement all mandatory SCuBA policies in effect as of this Directive's issuance no later than Friday, June 20th, 2025.
- Implement all future updates to mandatory SCuBA policies.
- Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants before granting an Authorization to Operate (ATO).
The current list of mandatory policies is available on the Required Configurations website. For now, it only includes secure configuration baselines for Microsoft 365 products, including Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.
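As an added example (not code from this article or from CISA's ScubaGear project), the following PowerShell session installs ScubaGear, runs the assessment across the six Microsoft 365 product baselines listed above, and lists failed controls for remediation. The output path is a placeholder, and the JSON field names used when parsing the report are an assumption to verify against the report produced by the installed ScubaGear version.

```powershell
# Added example: run the ScubaGear baseline assessment against the Microsoft 365
# products covered by the current Required Configurations list and surface the
# failed controls that need remediation. Assumes Windows PowerShell 5.1 or later
# with internet access to install the module. Cmdlet names are ScubaGear's own;
# the output path is a placeholder and the JSON layout is an assumption.

# One-time setup: install ScubaGear and its dependencies (OPA, Graph and Exchange modules).
Install-Module -Name ScubaGear -Scope CurrentUser
Initialize-SCuBA

# Products currently in scope: Entra ID, Defender, Exchange Online,
# Power Platform, SharePoint Online / OneDrive, and Teams.
$products = @('aad', 'defender', 'exo', 'powerplatform', 'sharepoint', 'teams')
$outPath  = 'C:\ScubaGear\Reports'   # placeholder, choose a path your reporting pipeline collects

# Run the assessment (interactive sign-in to the tenant). Use -M365Environment
# gcc, gcchigh or dod for government clouds; commercial is the default.
Invoke-SCuBA -ProductNames $products -M365Environment commercial -OutPath $outPath

# Locate the newest JSON summary written by the run.
$report = Get-ChildItem -Path $outPath -Recurse -Filter 'ScubaResults*.json' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$results = Get-Content -Path $report.FullName -Raw | ConvertFrom-Json

# Assumed layout: Results -> <product> -> [group] -> Controls -> control objects
# with 'Control ID', 'Requirement', 'Result' and 'Criticality' fields.
$failed = foreach ($product in $results.Results.PSObject.Properties) {
    foreach ($group in $product.Value) {
        foreach ($control in $group.Controls) {
            if ($control.Result -eq 'Fail') {
                [pscustomobject]@{
                    Product     = $product.Name
                    ControlId   = $control.'Control ID'
                    Criticality = $control.Criticality
                    Requirement = $control.Requirement
                }
            }
        }
    }
}

# Mandatory (SHALL) controls are the ones the directive requires agencies to fix
# within its timeframes; list them first.
$failed | Sort-Object Criticality, Product, ControlId | Format-Table -AutoSize
```

Re-running the same session on a schedule and diffing the failed-control list gives the continuous reporting the directive asks for.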
While BOD 25-01 only applies to federal civilian agencies, CISA strongly advises all organizations to adopt this directive and prioritize securing their cloud environments to significantly reduce their attack surface and breach risks.
Last year, CISA issued another binding operational directive (BOD 23-02) ordering federal agencies to secure Internet-exposed or misconfigured networking equipment within 14 days of discovery.
Two years earlier, the cybersecurity agency's BOD 22-01 mandated that FCEB agencies reduce the elevated risk from known exploited vulnerabilities by mitigating them within an aggressive timeline.