The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, establishing new requirements for federal civilian agencies to enhance their cloud security practices. The directive, titled “Implementing Secure Practices for Cloud Services,” outlines specific mandates for identifying, securing, and monitoring cloud environments, expanding on previous CISA cloud security initiatives that emphasized device identity and network protection.
Under the new directive, federal agencies must complete several key requirements according to a defined timeline. By February 21, 2025, agencies are required to identify all Microsoft cloud tenants and provide detailed information about each tenant, including the system-owning agency or component. The requirement supports Microsoft’s broader push toward enhanced security measures, including its recent moves toward passwordless authentication and improved identity management.
The directive mandates the deployment of Secure Cloud Business Applications (SCuBA) assessment tools for in-scope cloud tenants by April 25, 2025. Agencies must begin continuous reporting to CISA once these tools are implemented, reflecting an increased focus on real-time security monitoring and assessment.
By June 20, 2025, agencies need to implement all mandatory SCuBA policies and align with secure baseline configurations for widely used Software as a Service (SaaS) products. The requirements cover Microsoft Office 365, Exchange Online, Entra ID (formerly Azure Active Directory), SharePoint and OneDrive for Business, Teams, and Power BI and Power Platform. The transition to Entra ID represents Microsoft’s evolving approach to identity and access management, incorporating advanced authentication methods and improved security features.
“While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play,” said CISA Director Jen Easterly. The statement reinforces CISA’s broader mission to strengthen cybersecurity across both public and private sectors, as demonstrated in its recent mobile security guidelines.
The directive also establishes requirements for continuous monitoring and updates. Agencies must implement future updates to mandatory SCuBA policies according to timelines specified in the Required Configurations website. Additionally, they must monitor for new cloud tenants before granting Authorization to Operate (ATO), a process similar to the FedRAMP authorization procedures used for federal cloud services.
For compliance and oversight, agencies are required to identify and explain any deviations in SCuBA assessment tool outputs when reporting to CISA. CISA will provide implementation support and report progress to the Secretary of Homeland Security, the Director of the Office of Management and Budget, and the National Cyber Director.
Sources: Windows Forum, Infosecurity Magazine, Tech Monitor, CISA, MeriTalk