The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines.
“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services,” the agency said, adding the directive “will further reduce the attack surface of the federal government networks.”
As part of 25-01, agencies are also recommended to deploy CISA-developed automated configuration assessment tools to measure against the baselines, integrate with the agency’s continuous monitoring infrastructure, and address any deviations from the secure configuration baselines.
While the baselines are currently limited to Microsoft 365 (Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, and Microsoft Teams) the cybersecurity agency said it may release additional SCuBA Secure Configuration Baselines for other cloud products.
The BOD, named Implementing Secure Practices for Cloud Services, primarily requires all federal agencies to meet a series of deadlines next year –
- Identify all cloud tenants, including tenant name and the system owning agency/component for each tenant no later than February 21, 2025 (to be updated annually)
- Deploy all SCuBA assessment tools for in-scope cloud tenants no later than April 25, 2025, and either integrate the tool results feeds with CISA’s continuous monitoring infrastructure or report them manually on a quarterly basis
- Implement all mandatory SCuBA policies no later than June 20, 2025
- Implement all future updates to mandatory SCuBA policies within specified timelines
- Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO)
CISA is also strongly recommending all organizations to implement these policies in order to reduce potential risks and enhance resilience across the board.
“Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment,” CISA said. “As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust.”
“By regularly updating security configurations, organizations leverage the latest protective measures, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats.”
CISA Pushes for Use of E2EE Services
News of the Binding Operational Directive comes as CISA has released new guidance on mobile communications best practices in response to cyber espionage campaigns orchestrated by China-linked threat actors like Salt Typhoon targeting U.S. telecommunications companies.
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or manipulation,” CISA said.
To that end, individuals who are senior government or senior political positions are being advised to –
- Use only end-to-end encrypted (E2EE) messaging applications such as Signal
- Enable phishing-resistant multi-factor authentication (MFA)
- Stop using SMS as a second factor for authentication
- Use a password manager to store all passwords
- Set a PIN for mobile phone accounts to prevent subscriber identity module (SIM)-swapping attacks
- Update software on a regular basis
- Switch to devices with the latest hardware to take advantage of critical security features
- Do not use a personal virtual private network (VPN) due to “questionable security and privacy policies”
- On iPhone devices, enable Lockdown Mode, disable the option to send an iMessage as a text message, secure Domain Name System (DNS) queries, activate iCloud Private Relay, and review and restrict app permissions
- On Android devices, prioritize getting models from manufacturers that have a track record of security commitments, use Rich Communication Services (RCS) only if E2EE is enabled, configure DNS to use a trusted resolver, enable Enhanced Protection for Safe Browsing in Google Chrome, make sure Google Play Protect is enabled, and review and restrict app permissions
“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” CISA said.
