CISA Issues Binding Operational Directive for Improved Cloud Security

CISA’s Binding Operational Directive 25-01 requires federal agencies to align cloud environments with SCuBA secure configuration baselines.

The US cybersecurity agency CISA on Tuesday announced a new Binding Operational Directive requiring federal agencies to follow security control baselines for their cloud environments.

The ‘Binding Operational Directive 25-01: Implementing Secure Practices for Cloud Services’ is meant to help federal agencies reduce their attack surface and improve resilience against cyberattacks.

“Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. This Directive will further reduce the attack surface of the federal government networks,” CISA notes.

Per BOD 25-01, federal agencies are required to identify cloud tenants, implement assessment tools, and bring their cloud environments in line with CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

By February 21, 2025, the directive mandates ...