2024-12-19
CISA Directs US Gov't. to Secure Cloud Environments
CISA has issued Binding Operational Directive (BOD) 25-01, directing federal civilian agencies and departments to take a set of required actions to secure their cloud environments. The directive "requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines." It highlights the role of improperly configured security controls in recent cyberattacks and stresses the need for regular review and updating of "security configuration baselines." Currently, SCuBA Secure Configuration Baselines have been finalized only for Microsoft Office 365. After interim deadlines for identifying cloud tenants and deploying assessment tools, all mandatory SCuBA policies must be implemented by June 20, 2025, with support from CISA and its resources.
Editor's Note
Secure cloud configurations have been vexing in the past - think open S3 buckets and failed MFA - and while FedRAMP goes a long way to help US Government users, we all need to make sure we're hitting the mark. Whether or not you are required to follow BOD 25-01, review their secure configuration guidelines for Microsoft 365 and Google Workspace to see if there are updated settings you need to deploy. CISA has also published two SCuBA tools, ScubaGoggles for GWS and ScubaGear for MS 365, which will let you get an "as built" check on your environment.