CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their cloud environments by implementing a list of required secure configuration baselines (SCBs).
While CISA has so far only finalized the SCBs for Microsoft 365, it plans to release additional baselines for other cloud platforms, starting with Google Workspace (expected to enter scope in Q2 of FY 2025).
This government-wide directive aims to reduce the attack surface of federal networks by requiring mandatory secure practices for cloud services in order to protect Federal Civilian Executive Branch (FCEB) systems and assets.
BOD 25-01 requires FCEB agencies to deploy CISA-developed automated configuration assessment tools (ScubaGear for Microsoft 365 audits), integrate with the cybersecurity agency's continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines within predefined timeframes.
"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services," CISA said today.
"This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines."
For all in-scope cloud tenants, FCEB agencies must take the following actions:
- Identify all cloud tenants within the scope of this Directive no later than Friday, February 21st, 2025.
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25th, 2025, and begin continuous reporting on the requirements of this Directive.
- Implement all mandatory SCuBA policies effective as of this Directive's issuance no later than Friday, June 20th, 2025.
- Implement all future updates to mandatory SCuBA policies.
- Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants before granting an Authorization to Operate (ATO).
The current list of mandatory policies is available on the Required Configurations website. For now, it only includes secure configuration baselines for Microsoft 365 products, covering Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.
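The assessment step the directive mandates is performed with ScubaGear, which is a PowerShell module. The following is an added example written for this article, not code from CISA or from the ScubaGear project: it installs the module, runs it against the six Microsoft 365 products listed above, and then filters the JSON results down to failing mandatory ("SHALL") controls, which is the set an agency would have to remediate within the directive's timeframes. The cmdlet names and the `-ProductNames`, `-M365Environment` and `-OutPath` parameters are ScubaGear's; the layout of the results JSON assumed in step 3 (a `Results` object holding one array per product, each entry carrying `Control ID`, `Criticality`, `Result` and `Requirement` fields) is an assumption about the output of the version current at the time of writing and should be checked against the file your installed version produces. The output folder name is also an assumption for this example.

```powershell
# Added example, not from the article or from ScubaGear's own documentation.
# Assumptions are marked inline; verify field names against your ScubaGear output.

# 1. Install and initialise ScubaGear (Initialize-SCuBA pulls the module's dependencies).
Install-Module -Name ScubaGear -Scope CurrentUser
Initialize-SCuBA

# 2. Run the assessment for the in-scope products. The ProductNames values map to the
#    baselines in the directive: aad (Entra ID), defender, exo (Exchange Online),
#    powerplatform, sharepoint (SharePoint Online / OneDrive) and teams.
$OutPath = Join-Path $PWD 'scuba-reports'   # assumed folder name for this example
Invoke-SCuBA -ProductNames aad, defender, exo, powerplatform, sharepoint, teams `
             -M365Environment commercial `
             -OutPath $OutPath

# 3. Locate the newest results JSON and extract failing mandatory (SHALL) controls.
#    Assumption: the file is named ScubaResults*.json and has the structure
#    Results.<product>[] with 'Control ID', 'Criticality', 'Result', 'Requirement'.
$ResultsFile = Get-ChildItem -Path $OutPath -Recurse -Filter 'ScubaResults*.json' |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
$Scuba = Get-Content -Path $ResultsFile.FullName -Raw | ConvertFrom-Json

$Failing = foreach ($Product in $Scuba.Results.PSObject.Properties) {
    foreach ($Ctrl in $Product.Value) {
        # Criticality is 'Shall' for mandatory controls and 'Should' for recommended ones.
        if ($Ctrl.Criticality -like 'Shall*' -and $Ctrl.Result -eq 'Fail') {
            [pscustomobject]@{
                Product     = $Product.Name
                ControlID   = $Ctrl.'Control ID'
                Requirement = $Ctrl.Requirement
            }
        }
    }
}

$Failing | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or pipeline flag the tenant as non-conformant
# so the deviation is tracked until it is remediated.
if ($Failing) { exit 1 }
```

Run this from a PowerShell session that can sign in to the tenant with the read-only permissions ScubaGear requests; for GCC, GCC High or DoD tenants, change `-M365Environment` accordingly. Scheduling the script and keeping the generated reports is the simplest way to produce the continuous reporting the directive asks for.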
While BOD 25-01 only applies to federal civilian agencies, CISA strongly advises all organizations to adopt this directive and prioritize securing their cloud environments to significantly reduce their attack surface and breach risk.
Last year, CISA issued another binding operational directive (BOD 23-02) ordering federal agencies to secure Internet-exposed or misconfigured networking equipment within 14 days of discovery.
Two years before that, the cybersecurity agency's BOD 22-01 mandated that FCEB agencies reduce the elevated risk posed by known exploited vulnerabilities by mitigating them within an aggressive timeline.