Categories: HelpnetSecurity

CISA orders federal agencies to secure their Microsoft cloud environments


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 25-01) requiring federal civilian agencies to secure their (Microsoft) cloud environments.

About the CISA BOD 25-01 directive

The Implementing Secure Practices for Cloud Services directive sets out three deadlines for the agencies:

  • By February 21, 2025, they have to identify all cloud tenants within the scope of the directive and report to CISA.
  • By April 25th, 2025, they must deploy all available tools provided by CISA for automating the assessment of the state of configurations for in-scope cloud tenants. The tools compare tenant configurations to CISA’s Secure Configuration Baselines and provide reports that point out instances of non-compliance. The results must be reported to CISA, either by integrating the tool results feeds with CISA’s continuous monitoring solution, or manually (every quarter).
  • By June 20th, 2025, they must implement secure cloud baselines as outlined here and “begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO).”

“In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products,” the agency explained. “As of December 2024, CISA has released finalized SCBs for Microsoft 365 (which is in scope for the BOD at issuance) and draft SCBs for Google Workspace (which are anticipated to enter scope in Q2, FY 2025).”

Secure configuration baselines for Microsoft 365 cloud services include those related to Azure AD/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

As new updates to mandatory SCuBA policies are released, agencies must implement them by the due dates set by CISA.

Detailed BOD 25-01 directive implementation guidelines have been provided by the agency.

The offered guidance can also help other organizations

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly noted.

“While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

Jason Soroko, Senior Fellow at Sectigo, says that enforcing secure configuration baselines reduces the attack surface – a critical defensive step.

“For a typical mid-sized business, implementing similar controls is costly. Tools, consultants, and training strain budgets. They have a hard enough time understanding the merits of MFA. They typically only have IT generalists who are motivated to keep the lights on rather than go through configurations with a fine-toothed comb,” he commented for Help Net Security.

“Government guidance often influences private sectors, but adoption lags. Many firms resist due to cost and complexity. Still, clear government standards can slowly shift industry norms, but it normally only works if it forces vendors who are selling into government contracts.”




Published by
Cybernoz
