CISA delivers new directive to agencies on securing cloud environments

Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.

CISA’s Binding Operational Directive (BOD) 25-01 instructs agencies to identify all of their cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency’s Secure Cloud Business Applications (SCuBA) configuration baselines.

CISA Director Jen Easterly said in a statement that the actions laid out in the directive are “an important step” toward reducing risk across the federal civilian enterprise, though threats loom in “every sector.”

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” Easterly said. “We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

During a call with reporters Tuesday, Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, said that while the directive was “not focused” on any “one specific, recent threat,” it is “responsive to recent threat activity” and part of a post-SolarWinds campaign aimed at creating “a centralized and consistent approach to securing federal cloud configurations.”

The tactics that this directive guards against, Hartman added, “are used consistently by both sophisticated, well-funded actors and common cyber criminals.”

CISA has prioritized the development of SCuBA guidelines in recent years, issuing instructions for agency use of Google Workspace a year ago and putting out standards for Microsoft 365 use in October 2022. Those moves were considered part of a response to the revelation that a Chinese hacking group stole a Microsoft signing key and used it to access emails belonging to senior U.S. officials.

Hartman reiterated during Tuesday’s call that the timing of the new directive was not tied to any specific incident but simply “recognition of the fact that the SCuBA program has matured significantly over the last couple of years. We have completed a number of pilot implementations with a wide range of federal civilian agencies.”

A CISA official said they received plenty of feedback on the directive’s feasibility and control policies from the 13 agencies that participated in those pilots. Hartman, meanwhile, said CISA pursued “a proactive and deliberate approach” in working with CIOs and CISOs ahead of the directive’s release.

As part of the Microsoft 365-specific requirements in the directive, agencies have until Feb. 21, 2025, to provide CISA with the instance name and the system-owning agency or component for each instance. That inventory must be updated yearly in the first quarter, in accordance with CISA reporting instructions.

All SCuBA assessment tools for in-scope cloud instances must be deployed by April 25, 2025, with continuous reporting on the requirements activated. All required SCuBA policies called out in the directive should be implemented by June 20, 2025. 

“As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required,” the agency said in a statement. “CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.”

The post CISA delivers new directive to agencies on securing cloud environments appeared first on CyberScoop.