CISA Releases BOD 25-01: Implementing Secure Practices For Microsoft 365 Cloud Environments
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released its first binding operational directive (BOD) for 2025, outlining mandatory rules and requirements to ensure Microsoft 365 cloud environments adhere to its cybersecurity standards.
Known as BOD 25-01, the directive applies to all Federal Civilian Executive Branch (FCEB) systems and assets. CISA also encourages private sector organizations to adopt these measures as a best practice.
The directive focuses on three key actions and requires agencies to:
🔹 Identify all cloud tenants within scope
🔹 Run Secure Cloud Business Applications (SCuBA) assessment tools
🔹 Remediate deviations from secure configuration baselines
This Directive is in response to malicious threat actors increasingly targeting cloud environments and evolving efforts to gain initial cloud access.
A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.
Background
Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. This Directive requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats.
Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment. As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust. Outdated security configurations expose systems to exploits that can be easily mitigated by recommended and mandatory security configurations. Additionally, security configuration best practices evolve and refine over time as new threats are discovered and countermeasures developed; this evolution necessitates periodic review and adjustment of security configuration baselines. By regularly updating security configurations, organizations leverage the latest protective measures, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats.
This Directive complements existing federal resources for cloud security, including the Federal Risk and Authorization Management Program (FedRAMP), relevant NIST guidance, and the CISA Trusted Internet Connections (TIC) 3.0 Cloud Use Case.
Scope
This Directive applies to all production or operational cloud tenants (operating in or as federal information systems) with an associated and finalized SCuBA Secure Configuration Baseline published by CISA. At the time of issuance of the Directive, CISA has published final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365. In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive. Any baselines not updated within one year will automatically fall out of scope and will be removed from the SCuBA Secure Configuration Baseline catalog, linked through the Binding Operational Directive 25-01 Required Configurations website.
The following requirements pertain only to mandatory policies referenced within the SCuBA Secure Configuration Baselines as “shall” actions. All such mandatory policies are published on the Binding Operational Directive 25-01 Required Configurations website. SCuBA Secure Configuration Baselines specify both recommended policies that are left to agency discretion to implement (identified as “should” actions within the Baselines) and mandatory SCuBA policies that must be implemented pursuant to the requirements of this Directive (identified as “shall” actions within the Baselines).
Required Actions
For all in-scope cloud tenants, agencies shall:
Agency Authorizing Officials (AOs), in accordance with applicable agency policy, may accept risk for deviations from the mandatory SCuBA policies to account for operational needs.
CISA Actions:
Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence
3d · Amazing work!
Global IT Infrastructure & Security -Life Sciences & Healthcare
3d · Does the non-federal organization have any options to use SCuBA to assess their tenants?
Local Security Officer AXA-Partners CEE (Local CISO) / Partner at GDPR-pro.cz
3d · This should be inspirational for all other governments actually.
Author, Writer, Speaker
4d · Outstanding work, CISA. Alternatively, explore the use of competitors, including Ubuntu, which has proven itself admirable over the last few years.
20+ Years Securing Digital Futures | Cybersecurity Consultant | Metadata Engineer | Network Intelligence | Simplifying Complex Challenges into Actionable Insights
4d · Lessons from BOD 25-01

As cyber threats rise, effective cloud security regulations are essential. U.S. BOD 25-01 focuses on securing federal Microsoft cloud tenants but has notable limitations:

Key Limitations:
1. Narrow Focus: Only addresses federal agencies, ignoring private sectors and non-Microsoft platforms.
2. Lacks Certification Standards: No universal security certification for cloud services.
3. Limited Global Alignment: Requires better collaboration with international frameworks.

Global Best Practices:
- EU Cybersecurity Act: Offers certifications for ICT products.
- Australia's Essential Eight: Reduces risks across cloud and on-premises systems.
- UK NCSC Guidance: Provides risk assessments for all sectors.

Solutions for BOD 25-01:
1. Expand Scope: Include private sectors and various cloud platforms (e.g., AWS, Google Cloud).
2. Adopt Certifications: Implement standardized cybersecurity certifications.
3. Global Collaboration: Coordinate with international frameworks for consistent security.

Conclusion: While BOD 25-01 is a positive step, enhancing cloud security requires broader scope and alignment with global practices. Collaboration and certification are vital for a secure digital future.