The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, directing federal civilian agencies to secure their cloud environments and adhere to the Secure Cloud Business Applications (SCuBA) secure configuration baselines.
“Recent cyber security incidents highlight the significant risks associated with misconfigurations and weak security controls that attackers can use to gain unauthorized access, steal data, or disrupt services,” the agency said, adding that the directive “will further reduce the attack surface of federal government networks.”
Under 25-01, agencies are also advised to deploy CISA-developed automated configuration assessment tools to measure their tenants against the baselines, integrate those tools with the agency’s continuous monitoring infrastructure, and remediate any deviations from the secure configuration baselines.
While the baselines are currently limited to Microsoft 365 (Azure Active Directory / Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive and Microsoft Teams), the cybersecurity agency said it may release additional SCuBA secure configuration baselines for other cloud products.
The BOD, titled Implementing Secure Practices for Cloud Services, primarily requires all federal agencies to meet a series of deadlines next year:
- Identify all cloud tenants, including the tenant name and the agency/component that owns the system, no later than February 21, 2025 (to be updated annually)
- Deploy all SCuBA assessment tools to cloud tenants no later than April 25, 2025, and either integrate the tools’ output feeds with CISA’s continuous monitoring infrastructure or report the results manually on a quarterly basis
- Implement all mandatory SCuBA policies no later than June 20, 2025
- Implement all future updates to SCuBA’s mandatory policies in a timely manner
- Implement all required baseline SCuBA secure configuration settings and begin continuous monitoring of new cloud tenants prior to authorization to operate (ATO)
CISA also strongly recommends that all organizations implement this policy to reduce potential risks and increase resilience across the board.
“Maintaining secure configuration baselines is critical in a dynamic cybersecurity landscape where vendor changes, software updates, and evolving security best practices shape the threat landscape,” CISA said. “As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also be adjusted.”
“By regularly updating their security configurations, organizations use the latest protections, reducing the risk of a security breach and maintaining robust defense mechanisms against cyber threats.”
CISA urges use of E2EE services
The news of the binding operational directive comes after CISA published new mobile best practice guidelines in response to cyber espionage campaigns orchestrated by China-linked threat actors such as Salt Typhoon, which targeted US telecommunications companies.
“Persons in a particularly vulnerable position should assume that all communications between mobile devices, including government and personal devices, and Internet services are at risk of interception or manipulation,” CISA said.
To this end, individuals in senior government or senior political positions are advised to:
- Use only end-to-end encrypted (E2EE) messaging apps such as Signal
- Enable Phishing-Resistant Multi-Factor Authentication (MFA)
- Stop using SMS as a second authentication factor
- Use a password manager to store all your passwords
- Set a PIN on mobile carrier accounts to prevent subscriber identity module (SIM) swapping attacks
- Update your software regularly
- Switch to devices with the latest hardware to take advantage of important security features
- Don’t use a personal virtual private network (VPN) because of “questionable security and privacy policies”
- On iPhone devices, turn on Lockdown Mode, disable the option to send iMessages as text messages, secure Domain Name System (DNS) lookups, activate iCloud Private Relay, and review and limit app permissions
- On Android devices, prioritize models from manufacturers with a track record of security commitments, use Rich Communication Services (RCS) only when E2EE is enabled, configure DNS to use a trusted resolver, enable Enhanced Protection for Safe Browsing in Google Chrome, make sure that Google Play Protect is enabled, and review and limit app permissions
“While no single solution will eliminate all risks, implementing these best practices significantly increases the protection of sensitive communications from government-linked and other malicious cyber actors,” CISA said.