The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 25-01) requiring federal civilian agencies to secure their Microsoft cloud environments.
This directive, titled "Implementing Secure Practices for Cloud Services," outlines a series of deadlines that agencies must meet to ensure compliance. The directive includes requirements for identifying cloud tenants, deploying CISA-provided tools to assess configurations, and implementing secure cloud baselines for continuous monitoring. Agencies must either integrate these tools or report manually to CISA to demonstrate that their cloud environments are in line with CISA's Secure Configuration Baselines.
By February 21, 2025, agencies must identify all cloud tenants within the directive's scope and report this information to CISA. By April 25, 2025, they must deploy available CISA tools to automate the assessment of tenant configurations, comparing them to CISA's baselines and reporting any non-compliance. Agencies must also begin continuous monitoring for new cloud tenants by June 20, 2025, and implement secure cloud baselines before granting Authorization to Operate (ATO). While the directive currently focuses on Microsoft 365, CISA has plans to release secure configuration baselines for other cloud products, such as Google Workspace, in the future.
CISA's directive, though aimed at federal agencies, offers valuable guidance for all organizations, as the threat to cloud environments extends beyond the government sector. CISA Director Jen Easterly emphasized the importance of these actions in mitigating risks and improving resilience against malicious cyber threats targeting cloud platforms. Industry experts, such as Jason Soroko of Sectigo, recognize the importance of secure configuration baselines in reducing the attack surface. However, implementing such controls can be costly for mid-sized businesses, which often lack the resources and expertise needed to adopt these best practices. Despite these challenges, government standards are slowly influencing private-sector norms, particularly where vendors must comply with government contracts.