
CISA Crackdown: What Agencies Need to Know About Federal Cybersecurity Compliance.

CISA’s Binding Operational Directive (25-01) deadlines for 2025 are arriving soon. Here’s what federal agencies need to know so they can attain compliance on time.
Written by: Rob LaMear (Robert E. LaMear IV), Founder, US Cloud
Published Jan 16, 2025

Due to the rising trend in breaches in cloud environments for federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) released a new directive in December 2024 regarding secure practices for cloud services and federal agencies.

CISA’s latest implementation guidance is focused on constructing a more agile response to new cyber threats to federal systems. Although cloud-based environments afford institutions the option to access systems through remote-but-secure channels, this same benefit can open avenues for threat actors to steal data or cause harm remotely.

Read on for our breakdown of BOD 25-01 and how US Cloud can support federal agencies through their compliance initiatives.

What Is the Cybersecurity and Infrastructure Security Agency?


CISA operates as a division of the Department of Homeland Security to protect the United States’ cybersecurity and infrastructure. In other words, it works to protect the country from malicious online activity that could threaten the nation, our citizens, and our federal systems.

Of particular importance lately is federal cloud security. Since more and more federal agencies and non-federal agencies alike are transitioning to cloud-based environments to make operations more efficient, seamless, and safe, more and more threats have been targeted at cloud environments.

That’s a problem because, when cloud environments for federal agencies are endangered, sensitive government information or individual personally identifiable information (PII) may be exposed to entities that plan to inflict harm with that information.

Since cyber criminals have become more and more advanced in their techniques for gaining access illicitly, CISA has been busy issuing a Binding Operational Directive in an attempt to help federal agencies keep implementing cloud innovations safely.


CISA’s Binding Operational Directive Demystified


CISA’s Binding Operational Directive (BOD) 25-01 is all about making federal cloud ecosystems more secure against cyberattacks. When cloud platforms for federal agencies are safer, that encourages information security for all.

To combat large-scale threats against federal agencies and to protect national cybersecurity, CISA began the Secure Cloud Business Applications (SCuBA) project. This initiative developed baselines for secure configurations to provide more consistent and manageable cloud security setups and assessment tools.

In doing so, CISA improved security for the Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. Not only does the FCEB include the office of the President of the United States, but it also includes the numerous agencies and federal executive departments led by members of the presidential advisory.

Agencies that fall under the purview of BOD 25-01 must:

  • Implement SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products
  • Deploy CISA-developed assessment tools to measure automated configuration against baseline requirements
  • Become integrated with CISA’s continuous monitoring infrastructure
  • Fix any deviations from the secure configuration baselines

CISA is not requiring this to be done all at once, though. Compliance with this directive is broken down into three distinct steps, outlined below.

Cloud Tenant Inventory

All federal agencies must produce a comprehensive inventory of all cloud tenants and the system owning agency or component for each of those tenants. This inventory must be compiled following CISA’s reporting instructions. The inventory must also be completed via the CyberScope SCuBA Tenant Inventory Site, which became available in December 2024.

Compliance Expectation Date: February 21, 2025


Deployment of Assessment Tools

To accomplish compliance for BOD 25-01, federal agencies must begin running the ScubaGear assessment tool on all in-scope tenants in their cloud environments. The installation of ScubaGear can be completed via GitHub. Once this assessment software is installed and running, agencies can choose to report results automatically or manually to CISA.

CISA’s ScubaGear software diligently analyzes an organization’s M365 tenant configuration. It then analyzes results for actionable security change insights and recommends next steps to allow the tenant administrator to minimize or eliminate security gaps. Altogether, this system is aimed at helping agencies seamlessly develop a stronger defense within their M365 environment.

Furthermore, such automated tools are important: they can catch security concerns rapidly, making space for equally rapid solutions. Such continuous monitoring encourages visibility across cloud environments, which is especially critical for supporting the collective resilience that federal agencies need.

Compliance Expectation Date: April 25, 2025

Baseline Security Policies

By this stage, all mandatory SCuBA policies should be in place in accordance with the instructions set forth by BOD 25-01.

One big challenge some federal agencies may face is the implementation of a zero trust architecture. In the case of zero trust network access, authentication is never automatically granted, but rather continuously evaluated and authorized. Agencies can review CISA’s Zero Trust Maturity Model to confirm whether or not they are in compliance with these standards.


It should be noted that CISA suggests that baseline requirements are subject to change. Since cyber threats continue to innovate, defensive strategies must also evolve to match those malicious attacks. CISA is working on crafting a gold standard when it comes to cloud protection, and federal agencies will be the first to test it out.

Compliance Expectation Date: June 20, 2025

CISA’s SCuBA Requirements for the Future

After these first three stages of implementation are complete, CISA mandates the following requirements for all federal agencies:

  • Continued implementation of all future updates to mandatory SCuBA policies as well as their deadlines for compliance
  • Maintenance of all continuous monitoring protocols and result reporting to CISA
  • Explanation and remediation of all reported deviations in accordance with CISA baseline security expectations

Why the Binding Operational Directive Was Issued

Cybersecurity breaches are happening left and right, it seems, with agencies and civilians scrambling in the wake of data exposures.

One such breach in April 2024 involved a warning from CISA that Russian spies had not only gained access to Microsoft’s email system, but had also stolen sensitive data from the U.S. government. This data included confidential email correspondences as well as authentication details.

Another system compromise near the end of 2024 affected the federal Treasury. It was reported on December 31, 2024, that Chinese state-sponsored hackers accessed Treasury workstations and unclassified documents by using a stolen API key for BeyondTrust (a remote management service that can integrate easily with Microsoft and Azure ecosystems).

With its standardized, robust approach to federal cloud security, CISA hopes to mitigate such compromises of the systems that protect people in the United States: those of federal agencies.


BOD 25-01: What It Means for Federal Agencies and Cybersecurity in 2025

BOD 25-01 marks a pivotal time for federal cybersecurity as agencies are called upon to take action and safeguard America’s digital infrastructure against constantly evolving threats. Compliance with these guidelines may require unwavering dedication, but the payoff in reinforced security measures is the goal.

Now that 2025 has officially begun, it’s time for federal agencies to begin moving their compliance measures into gear in order to meet CISA’s deadlines for inventory production, software implementation, and report development. Smaller agencies may even need to consider additional financial and resource implications of this CISA crackdown as they accommodate internal changes while pursuing compliance.

Best Practices for Federal Agencies to Stay Ahead of Compliance Deadlines

There are some practical steps to help agencies and contractors make progress towards CISA compliance as this year’s directive deadlines approach. These include:

  • Conduct a preliminary audit of all existing cloud environments and tenants
  • Partner with experienced cloud security consultants and experts, such as US Cloud
  • Leverage tools and technologies that align with CISA’s vision, such as ScubaGear

US Cloud Can Support Federal Cybersecurity Compliance


Our experts at US Cloud are skilled in supporting agencies with security compliance, including with configurations such as zero trust security. Integrating our cloud security pros into an institution’s IT infrastructure allows for specialized support in how agencies can align their systems with CISA requirements.

Furthermore, as BOD 25-01 requires agencies to stay on top of future compliance requirements, having a designated support engineer (DSE) bolsters cybersecurity efforts with senior architect-level expertise. This support extends beyond break-fix incidents by providing agencies with what they need to remain compliant in 2025 and beyond:

  • On-demand advisory for high-level cloud security questions or concerns
  • Health and performance checks to support continuous monitoring endeavors
  • System-wide assessments
  • Initiative assessments
  • Other in-depth engagements that may be needed to support compliance initiatives or other projects

While CISA’s directive may present unique challenges for federal agencies, it is of critical importance to fortifying national security against cyber threats. Book a call with US Cloud today to sign up for cybersecurity support throughout your Microsoft and Azure environments.

FAQ: Cybersecurity and Infrastructure Security Agency (CISA) and Binding Operational Directive 25-01

What is CISA?

CISA, a division of the Department of Homeland Security, is responsible for safeguarding the U.S. cybersecurity and infrastructure from online threats that could harm the nation, its citizens, and federal systems.

What is CISA’s Binding Operational Directive for Implementing Secure Practices for Cloud Services?

As more agencies transition to cloud-based environments for greater efficiency and security, cloud security has become a critical concern, as these platforms are increasingly targeted by cyber threats. To address this, CISA has issued a Binding Operational Directive (BOD 25-01) to assist federal agencies in securely adopting cloud technologies amidst rising cybercrime tactics.

How can federal agencies comply with CISA’s baseline cloud security standards in BOD 25-01?

Consult CISA’s Implementation Guidance for reporting standards, deadlines, and what to stay alert for. Agencies can also seek support from expert teams, such as US Cloud, to gain increased visibility into how to earn and maintain CISA compliance.

Rob LaMear
Rob LaMear revolutionized the tech industry by being the pioneer who first offered SharePoint Portal Server 2001 as a cloud-hosted service. His close collaboration with Microsoft was instrumental in sharing multi-tenant expertise, paving the way for the development of SharePoint Online. Today, Rob's company, US Cloud, stands out as the only third-party support provider recognized by Gartner as fully capable of replacing Microsoft Unified (formerly Premier) support. His unwavering commitment to innovation and excellence ensures that US Cloud remains a trusted partner for enterprises globally, consistently delivering world-class support to organizations reliant on Microsoft software.