CISA directs federal agencies to protect their Microsoft cloud environments

The directive issued by the US Cybersecurity and Infrastructure Security Agency (CISA) requiring federal civilian agencies to secure their Microsoft cloud environments has set out specific deadlines for compliance. The directive, known as BOD 25-01, aims to enhance the security of cloud services used by government agencies.

According to the directive, federal agencies have until February 21, 2025, to identify all cloud tenants within the scope of the directive and report this information to CISA. By April 25, 2025, agencies must deploy the tools provided by CISA that automatically assess the configuration state of in-scope cloud tenants. These tools compare tenant configurations to CISA’s Secure Configuration Baselines and report instances of non-compliance, which must be reported to CISA either through integration with CISA’s continuous monitoring solution or manually on a quarterly basis. Finally, by June 20, 2025, agencies must implement the secure cloud baselines outlined in the directive and begin continuous monitoring for new cloud tenants before granting Authorization to Operate (ATO).

CISA has emphasized the importance of secure configuration baselines in reducing the risk of malicious actors targeting cloud environments. The agency has already released finalized Secure Configuration Baselines for Microsoft 365 and draft versions for Google Workspace. As new updates to mandatory policies are released, agencies are required to implement them by the specified deadlines.

The guidance offered by CISA in BOD 25-01 has broader implications beyond federal civilian agencies. CISA Director Jen Easterly highlighted the increasing threat to cloud environments from malicious actors and urged all organizations to adopt the guidance to reduce cyber risk and ensure resilience. Jason Soroko, a Senior Fellow at Sectigo, emphasized the importance of secure configuration baselines in reducing the attack surface, noting that such controls are critical for defense against cyber threats.

While the directive currently applies only to federal civilian agencies, its impact can extend to the private sector as well. Government standards and guidelines often influence industry norms, although adoption may lag due to cost and complexity. Soroko pointed out that clear government standards can gradually shift industry practices, especially when vendors selling into government contracts are required to comply with these standards.

Overall, the CISA directive BOD 25-01 represents a significant step towards enhancing the security of cloud environments used by federal civilian agencies. By implementing secure configuration baselines and adhering to the deadlines set by CISA, government agencies can better protect their cloud resources from evolving cyber threats.
