SecurityWeek

Cloud Security

CISA Issues Binding Operational Directive for Improved Cloud Security

CISA’s Binding Operational Directive 25-01 requires federal agencies to align cloud environments with SCuBA secure configuration baselines.


The US cybersecurity agency CISA on Tuesday announced a new Binding Operational Directive requiring federal agencies to follow security control baselines for their cloud environments.

The ‘Binding Operational Directive 25-01: Implementing Secure Practices for Cloud Services’ is meant to help federal agencies reduce their attack surface and improve resilience against cyberattacks.

“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. This Directive will further reduce the attack surface of the federal government networks,” CISA notes.

Per BOD 25-01, federal agencies are required to identify cloud tenants, implement assessment tools, and bring their cloud environments in line with CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

The directive mandates that, by February 21, 2025, all federal agencies create and provide an inventory of their cloud tenants, to be updated annually thereafter.

It also requires that, by April 25, 2025, the agencies deploy SCuBA assessment tools for in-scope cloud tenants and begin continuous reporting on the directive’s requirements.

By June 20, 2025, federal agencies should implement all mandatory SCuBA policies effective as of BOD 25-01’s issuance, namely the final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365, as detailed on CISA’s list of required configurations.

“In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive. Any baselines not updated within one year will automatically fall out of scope and will be removed from the SCuBA Secure Configuration Baseline catalog,” CISA explains.


BOD 25-01 requires federal agencies to implement future updates to mandatory SCuBA policies, in line with timetables published on the required configurations website, to monitor for new cloud tenants after implementing the mandatory baselines, and to “identify and explain deviations in the output of the SCuBA assessment tools when reported to CISA”.

Per the directive, the cybersecurity agency will maintain and update the list of in-scope policies; notify agencies of policy changes; provide them with instructions, assistance, and support; review and resolve deviations; and assess agency progress and report it to the DHS, OMB, and ONCD.

“Although BOD 25-01 only requires action by Federal Civilian Executive Branch agencies, CISA strongly recommends all stakeholders implement these policies and leverage CISA’s SCuBA assessment tool and the information on this page. Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community,” CISA notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
