- CISA issues BOD 25-01, the first binding directive of the year
- Addresses Microsoft 365 security, which is under threat
- Other cloud providers will also be added soon
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, a set of rules and requirements intended to ensure that Microsoft 365 cloud environments meet its cybersecurity standards.
BOD 25-01 is mandatory for all Federal Civil Executive Branch (FCEB) systems and assets, but CISA advises private sector companies to follow it as well.
It involves deploying an automated configuration-assessment tool (ScubaGear for Microsoft 365 audits), integrating it with CISA's continuous monitoring infrastructure, and then correcting any deviations from the list of required Secure Configuration Baselines (SCBs).
Mandatory policies
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” CISA said.
“This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments with CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.”
Here is what CISA requires FCEB organizations to do:
– Identify all cloud tenants within the scope of this Directive by February 21, 2025.
– Deploy all SCuBA assessment tools for in-scope cloud tenants by Friday, April 25, 2025.
– Implement all mandatory SCuBA policies in effect as of the issuance of the Directive no later than Friday, June 20, 2025.
– Implement all future updates to SCuBA mandatory policies.
– Implement all required SCuBA secure configuration baselines.
The list of all required policies can be found on the Required Settings website. At the time of this publication, it included secure configuration baselines for Microsoft 365, Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.
Google and other cloud platforms will follow this path in the coming months.
CISA also publishes a list of mandatory actions; you can read more about them here.
Via BleepingComputer