CISA orders federal agencies to secure Microsoft 365 tenants

December 18, 2024
CISA has issued this year's first binding operational directive (BOD 25-01), ordering federal civilian agencies to secure their cloud environments by implementing a list of required secure configuration baselines (SCBs).

While CISA has only finalized the SCBs for Microsoft 365, it plans to release additional baselines for other cloud platforms, starting with Google Workspace (expected to come into scope in Q2 of FY 2025).

This government-wide directive aims to reduce the attack surface of federal networks by requiring mandatory secure practices for cloud services to protect Federal Civilian Executive Branch (FCEB) systems and assets.

BOD 25-01 requires FCEB agencies to deploy CISA-developed automated configuration assessment tools (ScubaGear for Microsoft 365 audits), integrate with the cybersecurity agency's continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines within predefined timeframes.
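The assess-then-remediate loop the directive describes can be driven from PowerShell, since ScubaGear is a PowerShell module. The script below is an added example, not code from the article or from CISA's ScubaGear project: it runs one assessment against a tenant and extracts the failed mandatory ("Shall") controls so an agency team has a remediation list to work from. The cmdlet names (Initialize-SCuBA, Invoke-SCuBA) and the -ProductNames, -M365Environment and -OutPath parameters are those documented by the project; the results file name pattern (ScubaResults*.json) and the JSON layout (a Results object keyed by product, each holding groups with a Controls array carrying "Control ID", "Requirement", "Result" and "Criticality") are assumptions that should be checked against the README for the installed version.

```powershell
# Added example (not from the article or from CISA's ScubaGear project).
# Runs a ScubaGear assessment against one Microsoft 365 tenant and lists
# the baseline controls that failed, as a starting point for remediation.
# Assumptions (verify against the ScubaGear README for your version):
#   - the ScubaGear module is installable from the PowerShell Gallery
#   - Invoke-SCuBA writes a ScubaResults*.json file under -OutPath
#   - that JSON has a "Results" object keyed by product, each holding groups
#     with a "Controls" array of {"Control ID","Requirement","Result","Criticality","Details"}

param(
    [string]$Environment = 'commercial',          # commercial | gcc | gcchigh | dod
    [string]$OutPath     = (Join-Path $PWD 'ScubaReports')
)

# One-time setup: module install and dependency bootstrap (OPA binary, Microsoft modules)
if (-not (Get-Module -ListAvailable -Name ScubaGear)) {
    Install-Module -Name ScubaGear -Scope CurrentUser -Force
}
Import-Module ScubaGear
Initialize-SCuBA

# Assess the six products the directive currently covers; this prompts for
# an interactive sign-in with an account that can read tenant configuration.
Invoke-SCuBA -ProductNames aad, defender, exo, powerplatform, sharepoint, teams `
             -M365Environment $Environment `
             -OutPath $OutPath

# Locate the newest results file (file name pattern is an assumption)
$resultsFile = Get-ChildItem -Path $OutPath -Recurse -Filter 'ScubaResults*.json' |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $resultsFile) { throw "No ScubaResults*.json found under $OutPath" }
$report = Get-Content -Path $resultsFile.FullName -Raw | ConvertFrom-Json

# Flatten to one row per control and keep only failed mandatory ("Shall") controls
$failed = foreach ($product in $report.Results.PSObject.Properties) {
    foreach ($group in $product.Value) {
        foreach ($control in $group.Controls) {
            if ($control.Result -eq 'Fail' -and $control.Criticality -like 'Shall*') {
                [pscustomobject]@{
                    Product     = $product.Name
                    ControlId   = $control.'Control ID'
                    Requirement = $control.Requirement
                    Details     = $control.Details
                }
            }
        }
    }
}

$failed | Sort-Object Product, ControlId | Format-Table -AutoSize

# Hand the list to the agency's continuous-reporting pipeline as CSV
$failed | Export-Csv -Path (Join-Path $OutPath 'failed-shall-controls.csv') -NoTypeInformation
```

Filtering on "Shall" rather than "Should" mirrors the distinction the baselines themselves draw between mandatory and recommended settings: the deadlines in BOD 25-01 attach to the mandatory policies, so those are the rows that need an owner and a fix date first. Re-running the script on a schedule and diffing the CSV against the previous run gives a simple drift check between formal reporting cycles.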

“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” CISA said today.

“This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.”

For all in-scope cloud tenants, FCEB agencies must take the following actions:

Identify all cloud tenants within the scope of this Directive no later than Friday, February 21st, 2025.
Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25th, 2025, and begin continuous reporting on the requirements of this Directive.
Implement all mandatory SCuBA policies effective as of this Directive's issuance no later than Friday, June 20th, 2025.
Implement all future updates to mandatory SCuBA policies.
Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO).

The current list of mandatory policies is available on the Required Configurations website. At this time, it only includes secure configuration baselines for Microsoft 365 products, covering Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online & OneDrive, and Microsoft Teams.

While BOD 25-01 only applies to federal civilian agencies, CISA strongly advises all organizations to adopt this directive and prioritize securing their cloud environments to significantly reduce their attack surface and breach risks.

Last year, CISA issued another binding operational directive (BOD 23-02) ordering federal agencies to secure Internet-exposed or misconfigured networking equipment within 14 days of discovery.

Two years earlier, the cybersecurity agency's BOD 22-01 mandated that FCEB agencies reduce the increased risk posed by known exploited vulnerabilities by mitigating them within an aggressive timeline.

Author: OpenAI