The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines.
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” the agency said, adding the directive “will further reduce the attack surface of the federal government networks.”
As part of 25-01, agencies are also advised to deploy CISA-developed automated configuration assessment tools to measure against the baselines, integrate with the agency’s continuous monitoring infrastructure, and address any deviations from the secure configuration baselines.
While the baselines are currently limited to Microsoft 365 (Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams), the cybersecurity agency said it may release additional SCuBA Secure Configuration Baselines for other cloud products.
The BOD, named Implementing Secure Practices for Cloud Services, primarily requires all federal agencies to meet a series of deadlines next year –
CISA is also strongly recommending that all organizations implement these policies in order to reduce potential risks and enhance resilience across the board.
“Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment,” CISA said. “As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust.”
“By regularly updating security configurations, organizations leverage the latest protective measures, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats.”
News of the Binding Operational Directive comes as CISA has released new guidance on mobile communications best practices in response to cyber espionage campaigns orchestrated by China-linked threat actors like Salt Typhoon targeting U.S. telecommunications companies.
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or manipulation,” CISA said.
To that end, individuals who are in senior government or senior political positions are being advised to –
“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” CISA said.