Stratos Ally

Under Binding Directive 25-01, CISA Mandates Cloud Security for Federal Agencies by 2025


StratosAlly


The Cybersecurity and Infrastructure Security Agency (CISA) issued BOD 25-01 in December 2024, ordering federal civilian agencies to strengthen the security of their cloud environments before 2025 started. Under the directive, agencies must implement the Secure Cloud Business Applications (SCuBA) baselines to reduce cyber risk and improve resilience against cyberattacks.

BOD 25-01 requires federal information systems in production environments to implement CISA's SCuBA Secure Configuration Baselines. SCuBA's current scope covers Office 365 configurations, and the team is developing new baselines to extend the requirement to other cloud products.

Agencies must use CISA-supplied automated configuration assessment tools to check whether their systems meet the established baselines. They must also connect to CISA's continuous monitoring platform and address any deviations from the secure configurations. These steps aim to mitigate threats observed in recent attacks and make federal agencies more resilient against digital attacks.

The directive sets out a phased implementation schedule. The reporting requirement for specific cloud tenants takes effect by February 20, 2025, with reports sent directly to CISA. By April 25, 2025, implementation of the mandatory SCuBA policies must include zero trust architectures in line with CISA's Zero Trust Maturity Model. Agencies must finish deploying all security configuration tools and assessment features by June 20, 2025.

CISA updates the baseline requirements continuously as cyber threats evolve. Agencies need to follow all updates to keep their security systems effective. With this directive, the federal government demonstrates its dedication to enhancing cloud cybersecurity as it works to protect sensitive agency information.
