- CISA issues its first binding operational directive of the year, BOD 25-01
- It targets misconfigurations in Microsoft 365 cloud environments
- Other cloud providers will be added soon
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its first binding operational directive for 2025, a set of rules and requirements to ensure that Microsoft 365 cloud environments meet its cybersecurity standards.
BOD 25-01 is mandatory for all Federal Civilian Executive Branch (FCEB) systems and assets, but CISA recommends that private sector enterprises follow it as well.
It revolves around deploying CISA's automated configuration assessment tool (ScubaGear, for auditing Microsoft 365 tenants), integrating with CISA's continuous monitoring infrastructure, and then remediating any deviations from the required Secure Configuration Baseline (SCB) checklist.
Mandatory policies
“Recent cybersecurity incidents have highlighted the significant risks posed by misconfigurations and weak security controls, which attackers can exploit to gain unauthorized access, steal data, or disrupt services,” CISA said.
“The directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments with CISA’s Secure Cloud Business Applications (SCuBA) security configuration baseline.”
Here is what CISA requires FCEB agencies to do:
– Identify all cloud tenants within the scope of the directive by Friday, February 21, 2025
– Deploy all SCuBA assessment tools to in-scope cloud tenants by Friday, April 25, 2025
– Implement all mandatory SCuBA policies in effect as of the directive's issuance by Friday, June 20, 2025
– Implement all future updates to the mandatory SCuBA policies, on the timelines CISA communicates for each update
– Implement all mandatory SCuBA secure configuration baselines
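What steps two and three look like in practice for a single Microsoft 365 tenant, as an added example that is not from the article, from CISA, or from the ScubaGear project: install and run ScubaGear, then pull every failing mandatory ("SHALL") control out of its JSON results into a remediation queue. The layout of the results file assumed here (a Results object keyed by product, each holding control groups with Control ID, Requirement, Result and Criticality fields) is an assumption about ScubaGear's output, as are the report folder and CSV file names; check them against the file your own run produces.

```powershell
# Added example, not code from the article or from CISA's ScubaGear project.
# Assumptions: the results JSON has Results -> <product> -> groups -> Controls,
# each control carrying "Control ID", "Requirement", "Result", "Criticality",
# "Details"; the output folder and CSV name are placeholders.

# --- Run the SCuBA assessment against one in-scope tenant ---
Install-Module -Name ScubaGear -Scope CurrentUser     # from the PowerShell Gallery
Initialize-SCuBA                                      # pulls in OPA and the Graph/EXO/Teams/PnP dependencies
Invoke-SCuBA -ProductNames aad, defender, exo, sharepoint, teams, powerplatform `
             -M365Environment commercial `
             -OutPath .\ScubaReports

# --- Triage: list failing controls that BOD 25-01 makes mandatory ---
function Get-ScubaFailures {
    param(
        [Parameter(Mandatory)][string]$ResultsJsonPath,
        [switch]$IncludeShould    # also report "SHOULD" controls, which are recommended but not mandated
    )
    $report = Get-Content -Raw -Path $ResultsJsonPath | ConvertFrom-Json
    foreach ($product in $report.Results.PSObject.Properties) {      # aad, exo, teams, ...
        foreach ($group in $product.Value) {                          # one entry per baseline section
            foreach ($control in $group.Controls) {
                # ScubaGear marks mandatory controls with a criticality starting "Shall"
                $isShall = $control.Criticality -like 'Shall*'
                if ($control.Result -eq 'Fail' -and ($isShall -or $IncludeShould)) {
                    [pscustomobject]@{
                        Product     = $product.Name
                        ControlId   = $control.'Control ID'
                        Criticality = $control.Criticality
                        Requirement = $control.Requirement
                        Details     = $control.Details
                    }
                }
            }
        }
    }
}

# Newest results file from the run above (ScubaResults*.json is an assumed name)
$latest = Get-ChildItem .\ScubaReports -Recurse -Filter 'ScubaResults*.json' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1

$failures = @(Get-ScubaFailures -ResultsJsonPath $latest.FullName)
$failures | Format-Table Product, ControlId, Criticality, Requirement -AutoSize
$failures | Export-Csv -NoTypeInformation -Path .\ScubaReports\remediation-queue.csv

# A non-zero exit lets a scheduled task or pipeline flag configuration drift
if ($failures.Count -gt 0) { exit 1 }
```

Running the assessment needs read access to every product in scope (the roles ScubaGear documents for each), and the same script rerun on a schedule is the simplest way to catch a tenant drifting back out of compliance after the initial remediation.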
A list of all mandatory policies can be found on CISA's Required Configurations page. As of press time, it includes secure configuration baselines for Microsoft 365: Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online and OneDrive, and Microsoft Teams.
Baselines for Google Workspace and other cloud platforms will follow in the coming months.
CISA also sets out a range of enforcement measures in the directive itself.
Via BleepingComputer