CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know

U.S. government agencies are required to bring their Microsoft 365 cloud services into compliance with a recent Binding Operational Directive. Here’s how Tenable can help.

Overview

Malicious threat actors are constantly targeting cloud environments. The risk of compromise can be reduced by enforcing secure configurations of security controls. With this goal in mind, the Cybersecurity and Infrastructure Security Agency (CISA) created the Secure Cloud Business Applications (SCuBA) project. The SCuBA project currently provides secure configuration baselines for Microsoft 365 and Google Workspace.

In December 2024, as part of the SCuBA project, CISA released Binding Operational Directive (BOD) 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services. This directive requires U.S. government agencies and departments in the federal civilian executive branch to implement secure configuration baselines for certain software as a service (SaaS) products.

Scope

The scope of BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365. CISA may release additional SCuBA Secure Configuration Baselines for other cloud products, which would fall under the scope of this directive. The complete list of required configurations is available here.

While the CISA BOD 25-01 applies to government agencies, any organization using Microsoft 365 would reduce the risk of compromise by adhering to these baselines.

Required actions

According to BOD 25-01, agencies with in-scope cloud tenants shall complete several required actions by the following dates:

  • February 21, 2025 – following CISA reporting instructions:
    • submit tenant name and system owning agency/component for each tenant
    • submit an updated inventory annually in the first quarter
  • April 25, 2025 – deploy SCuBA assessment tools and begin continuous reporting
  • June 20, 2025 – implement all mandatory SCuBA policies identified at

This article has been indexed from Security Boulevard
