CISA Releases BOD 25-01: Implementing Secure Practices For Microsoft 365 Cloud Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released its first binding operational directive (BOD) for 2025, outlining mandatory rules and requirements to ensure Microsoft 365 cloud environments adhere to its cybersecurity standards.

Known as BOD 25-01, the directive applies to all Federal Civilian Executive Branch (FCEB) systems and assets. CISA also encourages private sector organizations to adopt these measures as a best practice.

The directive focuses on three key actions and requires agencies to:

🔹 Identify all cloud tenants within scope

🔹 Run Secure Cloud Business Applications (SCuBA) assessment tools

🔹 Remediate deviations from secure configuration baselines

This Directive is in response to malicious threat actors increasingly targeting cloud environments and evolving efforts to gain initial cloud access.

A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.

Background

Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. This Directive requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats. 

Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates, and evolving security best practices shape the threat environment. As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust. Outdated security configurations expose systems to exploits that can be easily mitigated by recommended and mandatory security configurations. Additionally, security configuration best practices evolve and refine over time as new threats are discovered and countermeasures developed; this evolution necessitates periodic review and adjustment of security configuration baselines. By regularly updating security configurations, organizations leverage the latest protective measures, reducing the risk of security breaches and maintaining robust defense mechanisms against cyber threats.

This Directive complements existing federal resources for cloud security, including the Federal Risk and Authorization Management Program (FedRAMP), relevant NIST guidance, and the CISA Trusted Internet Connections (TIC) 3.0 Cloud Use Case.

Scope

This Directive applies to all production or operational cloud tenants (operating in or as federal information systems) with an associated and finalized SCuBA Secure Configuration Baselines published by CISA. At the time of issuance of the Directive, CISA has published final SCuBA Secure Cloud Configuration Baselines for Microsoft Office 365. In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products. Upon issuance of applicable Baselines, such products will fall under the scope of this Directive. Any baselines not updated within one year will automatically fall out of scope and will be removed from the SCuBA Secure Configuration Baseline catalog, linked through the Binding Operational Directive 25-01 Required Configurations website.

The following requirements pertain only to mandatory policies referenced within the SCuBA Secure Configuration Baselines as “shall” actions. All such mandatory policies are published on the Binding Operational Directive 25-01 Required Configurations website. SCuBA Secure Configuration Baselines specify both recommended policies that are left to agency discretion to implement (identified as “should” actions within the Baselines) and mandatory SCuBA policies that must be implemented pursuant to the requirements of this Directive (identified as “shall” actions within the Baselines).

Required Actions

For all in-scope cloud tenants Agencies shall:

1.  Identify all cloud tenants within the scope of this Directive: No later than Friday, February 21st, 2025, provide the tenant name and the system owning agency/component for each tenant, following CISA reporting instructions.Update this inventory in the first quarter annually, following CISA reporting instructions.

2. Deploy all SCuBA assessment tools for in-scope cloud tenants no later than Friday, April 25th, 2025, and begin continuous reporting on the requirements of this Directive through one of the following methods: Integrate the tool results feeds with CISA’s continuous monitoring solution to enable automated reporting.ORManually report the results of the most recent SCuBA assessment tool version to CISA quarterly in a CISA approved, machine-readable format, following CISA reporting instructions.

3. Implement all mandatory SCuBA policies effective as of this Directive’s issuance, as set forth in the CISA-managed Binding Operational Directive 25-01 Required Configurations website no later than Friday, June 20th, 2025. These mandatory SCuBA policies are noted on the Required Configurations website and correspond to the mandatory policies referenced within the SCuBA Secure Configuration Baselines.

4. Implement all future updates to mandatory SCuBA policies in accordance with the timelines set forth in the CISA-managed Binding Operational Directive 25-01 Required Configurations website.

5. Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate (ATO).

Agency Authorizing Officials (AOs), in accordance with applicable agency policy, may accept risk for deviations from the mandatory SCuBA policies to account for operational needs.

1. Agencies shall identify and explain deviations in the output of the SCuBA assessment tools when reported to CISA. For more information regarding this process, review the following and coordinate with CISA via [email protected].

CISA Actions:

1. Maintain and update a detailed list of in-scope policies at Binding Operational Directive 25-01 Required Configurations website.

2. Provide agencies with official email notification of changes to the mandatory policies on the Binding Operational Directive 25-01 Required Configurations website and in the SCuBA Secure Configuration Baselines.

3. Provide agencies with reporting instructions for Directive requirements.

4. Provide agencies with instructions on implementing and integrating the software and solutions identified within this Directive at the time of issuance. 

5. Provide troubleshooting support and assistance to the FCEB for installation and implementation of SCuBA assessment tools.

6. Provide CDM-based reporting on Directive compliance to agencies that elect to integrate with CISA’s continuous monitoring infrastructure.

7. Provide support to agencies manually reporting the results of the SCuBA assessment tool. 

8. Promptly review and resolve any deviations submitted by agency AOs.

9. Within one year of Directive issuance, assess agency progress and submit a status report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director outlining performance indicators, lingering issues, and cross-agency status in implementing the Directive.