The US government is urging federal agencies to patch Microsoft 365 now


  • CISA issues BOD 25-01, the first binding directive of the year
  • It focuses on Microsoft 365 security, which is under threat
  • Other cloud providers will be added soon

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its first Binding Operational Directive of 2025, a set of rules and requirements to ensure Microsoft 365 cloud environments meet cybersecurity standards.

BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and resources, but CISA also advises private-sector organizations to adopt it.

It revolves around deploying CISA's automated configuration assessment tool (ScubaGear, for Microsoft 365 audits), integrating it with CISA's continuous monitoring infrastructure, and then remediating any deviations from the required secure configuration baselines (SCBs).

Mandatory policy

“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data or disrupt services,” CISA said.

“This guidance requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments with CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.”

This is what CISA requires from FCEB organizations:

– By February 21, 2025, identify all cloud tenants within the scope of this directive.
– Implement all SCuBA assessment tools for affected cloud tenants by Friday, April 25, 2025.
– Implement all mandatory SCuBA policies in effect as of the publication of the directive no later than Friday, June 20, 2025.
– Implement all future updates to the mandatory SCuBA policies.
– Implement all mandatory SCuBA Secure Configuration Baselines.

The list of all mandatory policies can be found on CISA's required-configurations page. At the time of writing, it included secure configuration baselines for Microsoft 365, Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.
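To make the assess-then-remediate workflow concrete, here is an added example (not code from the article, CISA or the ScubaGear project) that reduces a ScubaGear assessment to the failed mandatory controls an agency would need to track against the deadlines above. It assumes ScubaGear is installed from the PowerShell Gallery and that its TestResults.json output carries PolicyId, Criticality, RequirementMet and ReportDetails fields; those field names and the sample policy IDs are my assumptions, not something the article states.

```powershell
# Added example (not ScubaGear's own code): reduce a ScubaGear TestResults.json
# to the failed mandatory controls. The assumed field names (PolicyId, Criticality,
# RequirementMet, ReportDetails) should be checked against your installed version.

function Get-FailedShallControls {
    param([Parameter(Mandatory)][string]$Json)
    # BOD 25-01 makes the "Shall" baseline policies mandatory; "Should" items are
    # recommendations. 'Shall*' also matches variants ScubaGear cannot test
    # automatically, which need a manual check rather than a config change.
    $Json | ConvertFrom-Json |
        Where-Object { $_.Criticality -like 'Shall*' -and -not $_.RequirementMet } |
        Sort-Object PolicyId |
        Select-Object PolicyId, Criticality, ReportDetails
}

# Constructed sample in the assumed TestResults.json shape, for an offline dry run.
# The MS.EXAMPLE.* policy IDs are placeholders, not real baseline identifiers.
$sample = @'
[
  {"PolicyId":"MS.EXAMPLE.1.1v1","Criticality":"Shall","RequirementMet":true,
   "ReportDetails":"Requirement met"},
  {"PolicyId":"MS.EXAMPLE.1.2v1","Criticality":"Shall","RequirementMet":false,
   "ReportDetails":"Requirement not met"},
  {"PolicyId":"MS.EXAMPLE.2.1v1","Criticality":"Should","RequirementMet":false,
   "ReportDetails":"Requirement not met"}
]
'@
Get-FailedShallControls -Json $sample | Format-Table -AutoSize

# Against a live tenant: install ScubaGear once, then assess the products the
# article lists (Entra ID, Defender, Exchange Online, Power Platform,
# SharePoint/OneDrive, Teams) and feed the newest TestResults.json in.
#   Install-Module -Name ScubaGear -Scope CurrentUser
#   Initialize-SCuBA
#   Invoke-SCuBA -ProductNames aad, defender, exo, powerplatform, sharepoint, teams `
#                -M365Environment commercial -OutPath .\ScubaReports
#   $latest = Get-ChildItem .\ScubaReports -Recurse -Filter TestResults.json |
#             Sort-Object LastWriteTime -Descending | Select-Object -First 1
#   Get-FailedShallControls -Json (Get-Content $latest.FullName -Raw) |
#       Export-Csv .\ScubaReports\failed-shall-controls.csv -NoTypeInformation
```

The exported CSV gives a per-control remediation list to re-run the assessment against until every mandatory policy passes.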

Google and other cloud platforms will follow in the coming months.

CISA also publishes a list of mandatory actions; you can read more about that here.

Via BleepingComputer
