- CISA issues BOD 25-01, the first binding directive of the year
- It addresses Microsoft 365 security, which is under threat
- Other cloud providers will be added soon, as well
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, which includes a set of rules and requirements to make sure the Microsoft 365 cloud environments meet its cybersecurity standards.
BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and assets, but CISA advises enterprises in the private sector to follow along, as well.
It revolves around deploying a custom automation configuration assessment tool (ScubaGear for Microsoft 365 audits), integrating with CISA’s continuous monitoring infrastructure, and then fixing any deviations from the list of required secure configuration baselines (SCB).
Mandatory policies
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” CISA said.
“This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.”
Here is what CISA demands FCEB organizations do:
– Identify all cloud tenants within the scope of this Directive by February 21, 2025.
– Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25, 2025
– Implement all mandatory SCuBA policies effective as of the Directive’s issuance no later than Friday, June 20, 2025
– Implement all future updates to mandatory SCuBA policies
– Implement all mandatory SCuBA Secure Configuration Baselines
The list of all mandatory policies can be found on the Required Configurations website. At press time, it included secure configuration baselines for Microsoft 365, Azure Active DIrectory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.
Google and other cloud platforms are set to follow in the coming months.
CISA also has a list of mandatory actions, you can read more about those here.
Via BleepingComputer
Leave a comment