The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, which orders federal civilian agencies to secure their cloud environments and adhere to the Secure Cloud Business Applications (SCuBA) secure configuration baselines.
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, steal data, or disrupt services,” the agency said, adding that the directive “will further reduce the attack surface on Federal government networks.”
As part of BOD 25-01, agencies are also advised to deploy the automated configuration assessment tools developed by CISA to measure their tenants against the baselines, integrate them with the agency's ongoing monitoring infrastructure, and address any deviations from the secure configuration baselines.
While the baselines are currently limited to Microsoft 365 (Azure Active Directory/Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams), the cybersecurity agency said it may release additional SCuBA secure configuration baselines for other cloud products.

The directive, titled Implementing Secure Practices for Cloud Services, primarily requires all federal agencies to meet a series of deadlines in the coming year:

- Identify all cloud tenants, including the tenant name and the system owning agency/component for each tenant, no later than February 21, 2025 (to be updated annually)
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than April 25, 2025, and either integrate the tool results feeds with CISA's continuous monitoring infrastructure or report them manually on a quarterly basis
- Implement all mandatory SCuBA policies no later than June 20, 2025
- Implement all future updates to mandatory SCuBA policies within specified timelines
- Implement all mandatory SCuBA secure configuration baselines and initiate continuous monitoring of new cloud tenants before Authorization to Operate (ATO) is granted

CISA also strongly recommends that all organizations implement these policies in order to reduce potential risks and enhance resilience across the board.
“Maintaining secure configuration baselines is critical in a dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat landscape,” CISA said. “As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also be modified.”
“By regularly updating security configurations, organizations benefit from the latest protections, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats.”
CISA recommends the use of E2EE services
News of the binding operational directive comes as CISA has issued new guidance on mobile communications best practices in response to cyberespionage campaigns orchestrated by China-linked threat actors like Salt Typhoon targeting US telecommunications companies.
“Highly targeted individuals should assume that all communications between mobile devices — including government and personal devices — and Internet services are at risk of interception or tampering,” CISA said.

To this end, individuals holding senior government or senior political positions are advised to:

- Use only end-to-end encrypted (E2EE) messaging apps like Signal
- Enable phishing-resistant multi-factor authentication (MFA)
- Stop using SMS as a second factor for authentication
- Use a password manager to store all passwords
- Set a PIN for mobile phone accounts to prevent Subscriber Identity Module (SIM) swap attacks
- Update software regularly
- Switch to devices with the latest hardware to take advantage of important security features
- Do not use a personal virtual private network (VPN) due to “questionable security and privacy policies”
- On iPhones, enable Lockdown Mode, disable the option to send iMessage as a text message, secure Domain Name System (DNS) queries, activate iCloud Private Relay, and review and restrict app permissions
- On Android devices, prioritize getting models from manufacturers with a proven track record of security commitments, use Rich Communication Services (RCS) only if E2EE is enabled, configure DNS to use a trusted resolver, enable Enhanced Safe Browsing protection in Google Chrome, ensure that Google Play Protect is enabled, and review and restrict app permissions

“While no single solution eliminates all risks, implementing these best practices significantly enhances the protection of sensitive communications against government and other malicious cyber actors,” CISA said.