The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive requiring federal civilian agencies to implement stricter security measures for their Microsoft cloud environments by mid-2025.
The Binding Operational Directive (BOD 25-01) establishes three key deadlines for agencies to enhance their cloud security posture:
By February 21, 2025, agencies must compile and report a complete inventory of their cloud tenants to CISA. This inventory needs to include tenant names and system ownership details.
Following that, by April 25, 2025, agencies are required to deploy CISA's assessment tools that automatically evaluate cloud configurations. These tools will measure compliance against CISA's Secure Configuration Baselines, with results reported either through integration with CISA's monitoring systems or manual quarterly submissions.
The final deadline of June 20, 2025, requires agencies to implement secure cloud baselines and establish continuous monitoring for any new cloud tenants before granting operational approval.
The directive currently focuses on Microsoft 365 services, including Azure AD/Entra ID, Microsoft Defender, Exchange Online, Teams, SharePoint Online, and OneDrive. CISA plans to expand these requirements to other cloud platforms, with Google Workspace expected to be included in early 2025.
"Recent cybersecurity incidents demonstrate the risks posed by misconfigurations and weak security controls," said Matt Hartman, CISA's Deputy Executive Assistant Director for Cybersecurity. He noted that improper cloud configurations have led to actual security compromises.
While the directive specifically targets federal agencies, CISA Director Jen Easterly emphasized its broader relevance: "The threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance."
Industry experts note that while implementing similar controls may be challenging for smaller organizations due to cost and complexity constraints, the directive could help establish new security standards across sectors, particularly for vendors working with government contracts.