The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive aimed at fortifying the security of federal cloud environments in response to increasing cyber threats. Binding Operational Directive (BOD) 25-01, titled “Implementing Secure Practices for Cloud Services,” mandates that federal civilian agencies enhance cloud security by adopting stringent configuration baselines and assessment tools developed by CISA’s Secure Cloud Business Applications (SCuBA) initiative.
The directive emphasises the growing risk of cyberattacks exploiting vulnerabilities in cloud environments due to misconfigurations and weak security controls. To address these challenges, agencies are required to identify and inventory their cloud tenants, deploy automated assessment tools, and implement secure configuration baselines for widely used software as a service (SaaS) products. These measures aim to reduce vulnerabilities and improve the resilience of federal systems against cyber threats. The directive applies to all operational cloud tenants managed by Federal Civilian Executive Branch (FCEB) agencies, provided SCuBA baselines have been finalised for those systems. At present, the only published baseline covers Microsoft Office 365, though CISA plans to release additional baselines for other widely used cloud services in the future.
“While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector,” said CISA Director Jen Easterly. “We urge all organisations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
Compliance deadlines and reporting requirements
CISA has set specific deadlines for compliance. Agencies must submit an inventory of their cloud tenants by 21 February 2025, detailing the tenant names and associated organisational components. Following this, SCuBA assessment tools must be deployed by 25 April 2025, enabling agencies to monitor and report compliance. Mandatory SCuBA policies, published on CISA’s official website, must be implemented by 20 June 2025. Additionally, these policies must be applied to any new cloud tenants prior to their operational authorisation.
To ensure consistent monitoring, agencies have two options for reporting. They may integrate SCuBA tool results with CISA’s continuous monitoring system for automated reporting or opt for manual quarterly submissions in an approved machine-readable format. Agencies encountering operational challenges that necessitate deviations from mandatory policies must document these exceptions and report them to CISA for review.
CISA has committed to maintaining updated policies on its website, providing official notifications of changes and offering detailed guidance on implementing SCuBA tools and configurations. Technical support and troubleshooting assistance will also be available to help agencies meet compliance requirements, said the cybersecurity agency. For agencies opting for manual reporting, CISA will ensure the process is streamlined and efficient. Within one year of the directive’s release, CISA will conduct a comprehensive review of agency progress and submit a detailed report to the Secretary of Homeland Security, the Office of Management and Budget (OMB), and the National Cyber Director.
The directive builds on the SCuBA project, which offers standardised cloud security configurations. These efforts address vulnerabilities exposed by outdated practices, ensuring agencies stay aligned with evolving security standards. Federal agencies are expected to leverage these resources alongside existing frameworks like the Federal Risk and Authorization Management Program (FedRAMP) and CISA’s Trusted Internet Connections (TIC) 3.0. The move underscores the US government’s broader push for a defensible cybersecurity posture across federal systems, particularly in light of sophisticated threat activity targeting cloud environments.
Read more: CISA, FBI call for enhanced security in software product development process
