Introduction

US federal agencies are required to enhance their cybersecurity practices for cloud services [12], as mandated by the Cybersecurity and Infrastructure Security Agency (CISA) through Binding Operational Directive 25-01 [7] [8] [12]. The directive focuses on securing federal civilian agencies’ Microsoft 365 environments in order to address the cloud misconfigurations and outdated security controls that have been exploited in recent cyberattacks [4].

Description

US federal agencies and departments are mandated to adopt enhanced cybersecurity practices for cloud services, as outlined by the Cybersecurity and Infrastructure Security Agency (CISA) in Binding Operational Directive 25-01 [12], titled “Implementing Secure Practices for Cloud Services” and issued on December 17, 2024. The directive specifically targets the security of federal civilian agencies’ Microsoft 365 environments, addressing the cloud misconfigurations and outdated security controls that have been exploited in recent cyberattacks [4], including those linked to a Chinese hacking group and the SolarWinds incident. The initiative aims to create a consistent approach to securing federal cloud environments in response to the weaknesses exposed by these incidents [3], particularly the 2019 SolarWinds supply chain attack [3]. It seeks to bolster the security of software-as-a-service (SaaS) applications, which malicious actors increasingly target [4], creating risks such as unauthorized access, data exfiltration [8], and service disruptions [8].

To mitigate these vulnerabilities, CISA has launched the Secure Cloud Business Applications (SCuBA) project [6] [7] [11], which includes the development of Secure Configuration Baselines (SCBs) designed to standardize security configurations for critical components such as Azure Active Directory/Entra ID, Microsoft Teams [3] [4] [5] [7], Exchange Online [3] [4] [5] [7], SharePoint Online [3] [4] [5] [7], OneDrive [3] [4] [5] [7], and Microsoft Defender [4] [5] [7]. These SCBs establish consistent security settings for cloud environments [6]; Federal Civilian Executive Branch (FCEB) agencies must adhere to the baselines, use automated compliance assessment tools [6], and remediate any deviations [5] [6] [7] [9] [11]. Specifically, agencies must run CISA’s ScubaGear assessment tool against their Microsoft 365 tenants to verify compliance with the baselines, and integrate with CISA’s continuous monitoring infrastructure so that deviations are reported and addressed.

The directive specifies key actions that federal agencies must undertake [12], including:

  • By February 21, 2025 [12], identifying and maintaining an updated inventory of all operational Microsoft 365 cloud tenants within the directive’s scope via the CyberScope SCuBA Tenant Inventory site, along with the corresponding system owning agency/component [12]. Annual updates are mandated [10].
  • By April 25, 2025, deploying all SCuBA assessment tools for in-scope cloud tenants and addressing any identified gaps, initiating continuous compliance reporting to CISA [4] [12], which may include automated reporting or manual uploads.
  • By June 20, 2025, implementing all mandatory SCuBA policies and Secure Configuration Baselines as specified on the CISA-managed Binding Operational Directive 25-01 Required Configurations website [12], with ongoing compliance updates as necessary.
  • Ensuring compliance with future updates to mandatory SCuBA policies according to the timelines provided on the Required Configurations website.
  • Implementing all mandatory SCuBA Secure Configuration Baselines and beginning continuous monitoring for new cloud tenants before granting an Authorization to Operate (ATO).
  • Documenting and justifying any operationally required deviations in the output of the SCuBA assessment tools when reported to CISA.

CISA will assist agencies in meeting these requirements and will monitor compliance [12], reporting progress to the Secretary of Homeland Security [12], the Director of the Office of Management and Budget (OMB) [12], and the National Cyber Director [12]. The directive is designed to complement existing federal cloud security resources [12], including the Federal Risk and Authorization Management Program (FedRAMP) and relevant National Institute of Standards and Technology (NIST) guidance [12]. Currently, the only finalized SCuBA Secure Configuration Baseline pertains to Microsoft 365, with plans to expand these baselines to include other cloud platforms, such as Google Workspace [4], in the future [3] [4] [5] [12]. A new website has been established to provide agencies with the required cloud security configurations [9], which include specific settings and rationale for changes [9], along with mappings to MITRE ATT&CK to illustrate the protections offered by these configurations [9]. Baselines not updated within one year will be removed from the SCuBA catalog [11]. The directive emphasizes that mandatory policies are labeled as “shall” actions, while “should” actions are recommended but not obligatory [11].

CISA encourages all organizations [3] [4] [8], not only federal civilian agencies [2] [3] [4] [5] [7] [8] [10], to adopt similar security measures [3] [8], highlighting the widespread threat to cloud environments [3] [10]. For inquiries regarding the SCuBA program [11], assessment tools [1] [2] [4] [5] [6] [7] [8] [9] [10] [11] [12], or compliance processes [11], agencies can contact the SCuBA team at CISA [11]. Additional training resources and support materials are available through CISA’s platforms to assist agencies in implementing the directive [11]. Key policies include blocking legacy authentication protocols in Azure AD/Entra ID that do not support multi-factor authentication (MFA) [7], enforcing phishing-resistant MFA for high-risk users [7], and securing privileged accounts [7]. Policies for Microsoft Defender emphasize enabling security policies [7], protecting sensitive information [7], and implementing logging and alerts [7]. Exchange Online policies focus on disabling SMTP AUTH [7], disabling automatic forwarding to external domains [7], and implementing SPF and DMARC [7]. Power Platform policies restrict the creation of environments to admins [7], enforce data loss prevention (DLP) policies [7], and ensure tenant isolation [7]. SharePoint Online and OneDrive policies limit external sharing and prevent custom scripts on self-service sites [7]. Teams policies restrict access for external and unmanaged users and disable email integration [7].
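The following PowerShell script is an added illustration of how an administrator might audit the three Exchange Online items listed above (SMTP AUTH, external auto-forwarding, and SPF/DMARC) and report deviations in the spirit of the directive; it is not part of the article, not ScubaGear, and not CISA’s code. It assumes the ExchangeOnlineManagement module is installed and the caller holds a role able to read transport, remote-domain and outbound-spam configuration; the expectations that SPF end in a hard fail (`-all`) and that DMARC carry `p=reject` are this example’s assumptions about a strict baseline, not a quotation of the published SCuBA policy text. The script only reads settings; it changes nothing.

```powershell
# Added example: read-only audit of Exchange Online against the article's three items.
# Assumptions: ExchangeOnlineManagement module present; caller can read transport config.
param(
    [Parameter(Mandatory)] [string[]] $Domains   # accepted domains to check for SPF/DMARC
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string] $Control, [string] $Status, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# 1. SMTP AUTH: the tenant-wide switch should be disabled, with no per-mailbox re-enablement.
$transport = Get-TransportConfig
if ($transport.SmtpClientAuthenticationDisabled) {
    Add-Finding 'SMTP AUTH (tenant)' 'Compliant' 'SmtpClientAuthenticationDisabled is $true'
} else {
    Add-Finding 'SMTP AUTH (tenant)' 'Deviation' 'SmtpClientAuthenticationDisabled is $false'
}
# A mailbox-level value of $false overrides the tenant setting and re-enables SMTP AUTH.
$mailboxOverrides = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
if ($mailboxOverrides) {
    Add-Finding 'SMTP AUTH (mailbox)' 'Deviation' ("Re-enabled on: " + (($mailboxOverrides.PrimarySmtpAddress) -join ', '))
} else {
    Add-Finding 'SMTP AUTH (mailbox)' 'Compliant' 'No mailbox overrides'
}

# 2. Automatic forwarding to external domains: remote domains and outbound spam policy.
foreach ($rd in Get-RemoteDomain) {
    $status = if ($rd.AutoForwardEnabled) { 'Deviation' } else { 'Compliant' }
    Add-Finding "Auto-forward (remote domain $($rd.Name))" $status "AutoForwardEnabled=$($rd.AutoForwardEnabled)"
}
foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    # 'Off' blocks automatic forwarding; 'Automatic' and 'On' allow it in some form.
    $status = if ($policy.AutoForwardingMode -eq 'Off') { 'Compliant' } else { 'Deviation' }
    Add-Finding "Auto-forward (outbound spam policy $($policy.Name))" $status "AutoForwardingMode=$($policy.AutoForwardingMode)"
}

# 3. SPF and DMARC: published DNS TXT records for each accepted domain.
foreach ($domain in $Domains) {
    $spf = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    if (-not $spf) {
        Add-Finding "SPF ($domain)" 'Deviation' 'No SPF record published'
    } elseif ($spf -notmatch '\s-all\s*$') {   # assumed baseline: hard fail for non-approved senders
        Add-Finding "SPF ($domain)" 'Deviation' "Record does not end in -all: $spf"
    } else {
        Add-Finding "SPF ($domain)" 'Compliant' $spf
    }

    $dmarc = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' }
    if (-not $dmarc) {
        Add-Finding "DMARC ($domain)" 'Deviation' 'No DMARC record published'
    } elseif ($dmarc -notmatch '(^|;)\s*p=reject\s*(;|$)') {   # assumed baseline: p=reject
        Add-Finding "DMARC ($domain)" 'Deviation' "Policy is not p=reject: $dmarc"
    } else {
        Add-Finding "DMARC ($domain)" 'Compliant' $dmarc
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# Print the table and list every deviation separately so it can be documented and justified
# (the directive requires operationally necessary deviations to be justified when reported).
$findings | Format-Table -AutoSize
$findings | Where-Object Status -eq 'Deviation'
```

Run it as `.\Audit-ExoBaseline.ps1 -Domains agency.example.gov` from a session that can authenticate to the tenant. The per-mailbox SMTP AUTH check matters because Exchange Online lets an individual mailbox override the tenant-wide setting, so a tenant that looks compliant at `Get-TransportConfig` can still expose basic-auth SMTP on specific accounts; a proper assessment, as ScubaGear does, has to look at both layers.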

Conclusion

The directive by CISA represents a significant step towards strengthening the cybersecurity posture of federal cloud environments. By addressing vulnerabilities and standardizing security practices, it aims to mitigate risks associated with cloud services. The initiative not only enhances the security of federal agencies but also sets a precedent for other organizations to follow, ensuring a more secure and resilient cloud infrastructure in the future.

References

[1] https://insidecybersecurity.com/daily-news/cisa-issues-binding-operational-directive-agencies-adopting-cloud-security-guidelines
[2] https://www.techmonitor.ai/technology/cybersecurity/cisa-new-directive-federal-cloud-security
[3] https://www.cybersecuritydive.com/news/cisa-mandate-microsoft-cloud-baselines/735917/
[4] https://cybersecuritynews.com/cisa-practices-secure-microsoft-365-cloud/
[5] https://www.techradar.com/pro/security/us-government-urges-federal-agencies-to-patch-microsoft-365-now
[6] https://gbhackers.com/cisa-releases-secure-practices-for-microsoft/
[7] https://cyble.com/blog/cisa-orders-federal-agencies-to-secure-microsoft-365-environments/
[8] https://www.globalsecurity.org/security/library/news/2024/12/sec-241217-cisa01.htm
[9] https://federalnewsnetwork.com/cybersecurity/2024/12/cisa-directs-agencies-to-find-fix-cloud-security-misconfigurations/
[10] https://cyberscoop.com/cisa-scuba-baselines-cloud-security-directive/
[11] https://www.cisa.gov/news-events/directives/bod-25-01-implementation-guidance-implementing-secure-practices-cloud-services
[12] https://www.infosecurity-magazine.com/news/cloud-security-federal-agencies/