CISA Issues Binding Operational Directive for Improved Cloud Security


The US cybersecurity agency CISA on Tuesday announced a new Binding Operational Directive requiring federal agencies to follow security control baselines for their cloud environments.

The ‘Binding Operational Directive 25-01: Implementing Secure Practices for Cloud Services’ is meant to help federal agencies reduce their attack surface and improve resilience against cyberattacks.

“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. This Directive will further reduce the attack surface of the federal government networks,” CISA notes.

Per BOD 25-01, federal agencies are required to identify cloud tenants, implement assessment tools, and bring their cloud environments in line with CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

The directive mandates that, by February 21, 2025, all federal agencies create and provide an inventory of their cloud tenants, to be updated annually.

It also requires that, by April 25, 2025, the agencies deploy SCuBA assessment tools for in-scope cloud tenants and begin continuous reporting on the directive’s requirements.

By June 20, 2025, federal agencies should implement all mandatory SCuBA policies effective as of BOD 25-01’s issuance, namely the final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365, as detailed on CISA’s list of required configurations.

“In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive. Any baselines not updated within one year will automatically fall out of scope and will be removed from the SCuBA Secure Configuration Baseline catalog,” CISA explains.


BOD 25-01 requires federal agencies to implement future updates to mandatory SCuBA policies, in line with timetables published on the required configurations website, to monitor for new cloud tenants after implementing the mandatory baselines, and to “identify and explain deviations in the output of the SCuBA assessment tools when reported to CISA”.

Per the directive, the cybersecurity agency will maintain and update the list of in-scope policies; notify agencies of policy changes; provide them with instructions, assistance, and support; review and resolve deviations; and assess agency progress and report it to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the Office of the National Cyber Director (ONCD).

“Although BOD 25-01 only requires action by Federal Civilian Executive Branch agencies, CISA strongly recommends all stakeholders implement these policies and leverage CISA’s SCuBA assessment tool and the information on this page. Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community,” CISA notes.
