
The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 25-01 on December 17, 2024, directing Federal Civilian Executive Branch (FCEB) agencies to implement secure configurations for Microsoft 365 cloud services by June 2025. The directive operationalizes CISA's Secure Cloud Business Applications (SCuBA) project, which aims to reduce cloud security risk through standardized configuration baselines and continuous monitoring.
Key Compliance Deadlines and Requirements
Federal civilian executive branch agencies must meet three critical deadlines under BOD 25-01. By February 21, 2025, agencies must submit an inventory of all Microsoft 365 tenants through CISA’s CyberScope portal. The April 25, 2025 deadline requires deployment of ScubaGear, CISA’s open-source assessment tool for auditing M365 configurations. Full implementation of mandatory security controls is due by June 20, 2025.
The directive covers six core Microsoft 365 services: Entra ID (formerly Azure AD), Defender, Exchange Online, Power Platform, SharePoint/OneDrive, and Teams. Each service has specific configuration requirements documented in CISA's SCuBA baselines. For example, the Entra ID baseline mandates phishing-resistant MFA for all users and blocking of legacy authentication protocols, while the Exchange Online baseline requires disabling SMTP AUTH and publishing a DMARC policy of p=reject for every domain.
Technical Implementation Details
CISA provides two primary tools for compliance assessment: ScubaGear, a PowerShell-based tool available on GitHub, and the commercial AppOmni platform currently undergoing FedRAMP certification. These tools automate the verification of over 50 mandatory configurations across Microsoft 365 services.
| Control ID | Requirement |
|---|---|
| MS.AAD.1.1v1 | Block legacy authentication |
| MS.AAD.3.1v1 | Enforce phishing-resistant MFA for all users |
| MS.AAD.7.1v1 | Limit Global Administrators to between 2 and 8 users |
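The following is an added example, not code from CISA or the ScubaGear project: it runs ScubaGear once across the six in-scope products and then independently spot-checks the three Entra ID controls in the table above with the Microsoft Graph PowerShell SDK. The spot checks mirror what the baseline asks for but are a sanity check, not a replacement for the tool's report. It assumes `Install-Module ScubaGear` and `Install-Module Microsoft.Graph` have already been run and that the signed-in account holds at least Global Reader; the output object shape and the `ScubaReports` folder name are this example's choices.

```powershell
# Added example (not CISA or ScubaGear code). Assumes the ScubaGear and
# Microsoft.Graph modules are installed and the account has Global Reader or better.

# --- 1. Official assessment run (ScubaGear cmdlets) ---
Initialize-SCuBA                       # one-time: downloads OPA and dependent modules
Invoke-SCuBA -ProductNames aad, defender, exo, powerplatform, sharepoint, teams `
             -OutPath .\ScubaReports   # HTML report plus machine-readable JSON results

# --- 2. Independent spot checks for the three MS.AAD controls in the table ---
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Only enabled policies count; report-only or disabled policies enforce nothing.
$enabled = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }

# MS.AAD.1.1v1 - legacy authentication blocked: a policy scoped to all users and all
# apps that targets the legacy client app types (or all client types) and grants Block.
$legacyBlock = $enabled | Where-Object {
    (($_.Conditions.ClientAppTypes -contains 'all') -or
     (($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
      ($_.Conditions.ClientAppTypes -contains 'other'))) -and
    ($_.Conditions.Users.IncludeUsers -contains 'All') -and
    ($_.Conditions.Applications.IncludeApplications -contains 'All') -and
    ($_.GrantControls.BuiltInControls -contains 'block')
}

# MS.AAD.3.1v1 - phishing-resistant MFA for all users: a policy scoped to all users and
# all apps whose grant control is the built-in "Phishing-resistant MFA" authentication
# strength. Its ID is fixed across tenants.
$phishResistantStrengthId = '00000000-0000-0000-0000-000000000004'
$phishMfa = $enabled | Where-Object {
    ($_.Conditions.Users.IncludeUsers -contains 'All') -and
    ($_.Conditions.Applications.IncludeApplications -contains 'All') -and
    ($_.GrantControls.AuthenticationStrength.Id -eq $phishResistantStrengthId)
}

# MS.AAD.7.1v1 - two to eight Global Administrators. Caveat: this counts active
# (permanent or currently activated) members only; PIM-eligible assignments are not
# returned by Get-MgDirectoryRoleMember, so a tenant with many eligible admins still
# deserves a separate look.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole    = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$gaCount   = $gaMembers.Count

# Summarise in the same Control ID / Requirement shape the table uses.
@(
    [pscustomobject]@{ Control = 'MS.AAD.1.1v1'; Requirement = 'Block legacy authentication';
                       Pass = [bool]$legacyBlock; Evidence = (@($legacyBlock).DisplayName -join ', ') }
    [pscustomobject]@{ Control = 'MS.AAD.3.1v1'; Requirement = 'Enforce phishing-resistant MFA for all users';
                       Pass = [bool]$phishMfa;    Evidence = (@($phishMfa).DisplayName -join ', ') }
    [pscustomobject]@{ Control = 'MS.AAD.7.1v1'; Requirement = 'Limit Global Administrators to 2-8 users';
                       Pass = ($gaCount -ge 2 -and $gaCount -le 8); Evidence = "$gaCount active members" }
) | Format-Table -AutoSize
```

A policy that covers all users but carries an exclusion group still matches these filters; ScubaGear reports such exclusions separately, which is one reason the tool's output, not a hand-rolled check, is what gets submitted to CISA.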
For Microsoft Defender, agencies must enable standard or strict preset security policies for all users, with sensitive accounts assigned to strict policies. Defender configurations also require enabling Microsoft Purview Audit logging for all users and implementing data loss prevention policies to block sharing of sensitive information like SSNs and credit card numbers.
Security Implications and Best Practices
While BOD 25-01 applies only to federal civilian agencies, the controls address attack paths seen in recent cloud-related incidents. The December 2024 compromise of Treasury Department workstations through a stolen BeyondTrust remote-support API key, and the Midnight Blizzard intrusion into Microsoft corporate email accounts (disclosed in January 2024 and the subject of CISA Emergency Directive 24-02 that April), show how much damage follows from weakly governed cloud identities, credentials, and mail systems.
Organizations implementing these controls should prioritize:
- Phishing-resistant MFA for all users (the baseline's MS.AAD.3.1v1 requirement), starting with privileged accounts
- Elimination of legacy authentication protocols
- Restriction of external sharing in SharePoint/OneDrive
- Configuration of DMARC with p=reject for all domains
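The Exchange Online requirements named earlier (SMTP AUTH disabled, DMARC p=reject for every domain) are the two items on this list that can be verified from outside a Conditional Access policy. The following is an added example, not ScubaGear or CISA code: it checks the tenant-wide and per-mailbox SMTP AUTH setting (baseline control MS.EXO.5.1v1) and resolves the `_dmarc` record of every accepted domain to confirm a p=reject policy (MS.EXO.4.1v1 and MS.EXO.4.2v1). It assumes the ExchangeOnlineManagement module is installed, a role that can read Exchange configuration, and a Windows host, since `Resolve-DnsName` comes from the DnsClient module. Only the p= tag is evaluated; the baseline also expects rua= reporting addresses, which the parsed tags expose if you want to extend the check.

```powershell
# Added example (not ScubaGear or CISA code). Assumes ExchangeOnlineManagement is
# installed, a reader-level Exchange role, and Windows (Resolve-DnsName).

Connect-ExchangeOnline -ShowBanner:$false

# --- SMTP AUTH (MS.EXO.5.1v1) ---
# The org-wide switch must be off. The property is named *Disabled*, so $true is good.
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# No mailbox may re-enable it. Per mailbox: $true = disabled, $false = enabled,
# $null = inherit the org setting. Only explicit $false is a violation.
$smtpAuthMailboxes = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object -ExpandProperty PrimarySmtpAddress)

# --- DMARC (MS.EXO.4.1v1 / MS.EXO.4.2v1) ---
function Get-DmarcTags {
    # Parse "v=DMARC1; p=reject; rua=mailto:..." into a hashtable of lower-cased tags.
    param([string]$Record)
    $tags = @{}
    foreach ($kv in ($Record -split ';')) {
        $pair = $kv.Trim() -split '=', 2
        if ($pair.Count -eq 2) { $tags[$pair[0].Trim().ToLower()] = $pair[1].Trim() }
    }
    return $tags
}

function Test-DmarcReject {
    # Resolve _dmarc.<domain> and report whether it publishes p=reject.
    param([string]$Domain)
    $record = $null
    try {
        $record = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
                  ForEach-Object { $_.Strings -join '' } |      # TXT strings may be split
                  Where-Object { $_ -match '^\s*v=DMARC1' } |
                  Select-Object -First 1
    } catch { }   # NXDOMAIN / no TXT answer: treated as "no DMARC record" below
    if (-not $record) {
        return [pscustomobject]@{ Domain = $Domain; Policy = $null; Pass = $false; Note = 'no DMARC record' }
    }
    $tags   = Get-DmarcTags $record
    $policy = $tags['p']
    $note   = if ($policy -eq 'reject') { 'ok' }
              elseif ($policy)          { "policy is p=$policy, not reject" }
              else                      { 'p= tag missing' }
    [pscustomobject]@{ Domain = $Domain; Policy = $policy; Pass = ($policy -eq 'reject'); Note = $note }
}

# Every accepted domain in the tenant, including any *.onmicrosoft.com domain.
$dmarcResults = Get-AcceptedDomain | ForEach-Object { Test-DmarcReject -Domain $_.DomainName }

[pscustomobject]@{
    Control  = 'MS.EXO.5.1v1'
    Pass     = ($orgSmtpAuthDisabled -and $smtpAuthMailboxes.Count -eq 0)
    Evidence = "org-wide disabled=$orgSmtpAuthDisabled; mailboxes re-enabling SMTP AUTH=$($smtpAuthMailboxes.Count)"
} | Format-List

$dmarcResults | Format-Table -AutoSize
```

Running the DMARC check from a host on the agency network and again from outside it is worth the extra minute: a split-horizon resolver can hide a missing or stale public record.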
Compliance Monitoring and Reporting
Agencies must begin continuous monitoring by April 25, 2025, either through automated integration with CISA systems or manual quarterly reporting. The ScubaGear tool generates compliance reports that agencies can use to track remediation progress. CISA may report non-compliance to DHS, OMB, and the National Cyber Director for agencies failing to meet deadlines.
Tenable provides additional compliance auditing capabilities through Nessus audit files that map to SCuBA baselines. These cover all six Microsoft 365 services included in BOD 25-01 and can help organizations verify their security posture against CISA requirements.
Conclusion
CISA BOD 25-01 represents a significant step in standardizing cloud security across federal systems. The specific configuration requirements and deadlines provide clear guidance for agencies to secure their Microsoft 365 environments. While compliance is mandatory for federal agencies, the SCuBA baselines offer a security framework that would benefit any organization using Microsoft 365 services.
Organizations should review CISA’s required configurations and begin assessing their environments using available tools like ScubaGear or commercial alternatives. Early adoption of these controls can reduce exposure to common cloud-based attack vectors while preparing for potential future expansion of compliance requirements.
References
- “BOD 25-01: Implementing Secure Practices for Cloud Services”, CISA, December 2024.
- “ScubaGear: M365 Configuration Assessment Tool”, CISA GitHub Repository.
- “BOD 25-01 Required Configurations”, CISA Resource Page.
- “CISA SCuBA Microsoft 365 Audit Files”, Tenable.
- “CISA BOD 25-01 Directive Aims to Secure Microsoft Cloud Environments”, Help Net Security.