
Federal agencies mandated to achieve security benchmarks within Microsoft 365 environment

Cloud security mandates are reacting to recent cybersecurity events, yet they are not exclusively aimed at a single type of threat, according to agency officials.


In a bid to bolster the security of federal cloud environments, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to all federal civilian agencies, mandating them to meet configuration baselines in their Microsoft 365 environments. The directive, known as Binding Operational Directive (BOD) 25-01, is based on the Secure Cloud Business Applications (SCuBA) framework.

According to CISA, the SCuBA framework establishes mandatory guidelines for federal agencies to secure their Microsoft 365 environments and connected SaaS services. The aim is to mitigate significant risks associated with cloud adoption, particularly in the face of increasingly sophisticated cyber threats.

The SCuBA secure configuration baselines, which CISA aligns with its Trusted Internet Connections (TIC) 3.0 guidance, prescribe specific security controls and baseline settings for Microsoft 365 tenants. These include preventing unauthorized external access to sensitive data; limiting over-provisioned administrative roles; placing strict controls on over-privileged external (guest) users; auditing and restricting risky third-party application connections; enforcing data restrictions; keeping security configurations in line with CISA's published standards; strengthening identity protection; and enabling anti-phishing, malicious-link and malicious-file protections for messaging and collaboration tools.
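Two of the control areas above (over-provisioned admin roles and risky third-party app connections) can be checked from a tenant with a few read-only Microsoft Graph PowerShell calls. The script below is an added example written for this page; it is not the article's content and not CISA's own SCuBA assessment tooling. The Global Administrator head-count range (2 to 8) is taken from the published SCuBA Entra ID baseline as the editor recalls it and is stated here as an assumption; the admin-only consent rule is likewise an assumption about the baseline's intent. Everything else uses cmdlets and properties that exist in the Microsoft.Graph module.

```powershell
# Added example (not from the article or from CISA's SCuBA tooling): read-only tenant checks
# for two SCuBA control areas. Requires the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Run in a PowerShell session with rights to read directory roles and authorization policy.

# Read-only scopes only; nothing in this script modifies the tenant.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'Policy.Read.All' -NoWelcome

# Assumed thresholds (from the SCuBA Entra ID baseline as recalled; adjust to the current version).
$minGlobalAdmins = 2
$maxGlobalAdmins = 8

# --- Check 1: over-provisioned admin roles --------------------------------------------------
# Count members of the Global Administrator role. Get-MgDirectoryRole only returns roles that
# have been activated in the tenant; Global Administrator is always active.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)

# Members come back as generic directory objects; the UPN lives in AdditionalProperties.
$gaPrincipals = foreach ($m in $gaMembers) {
    $props = $m.AdditionalProperties
    if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] }
    elseif ($props.ContainsKey('displayName'))   { "$($props['displayName']) (non-user principal)" }
    else                                         { $m.Id }
}

$gaCount = $gaMembers.Count
$gaFinding = if ($gaCount -lt $minGlobalAdmins) {
    "FAIL: only $gaCount Global Administrator(s); baseline expects at least $minGlobalAdmins (break-glass coverage)"
} elseif ($gaCount -gt $maxGlobalAdmins) {
    "FAIL: $gaCount Global Administrators; baseline allows at most $maxGlobalAdmins"
} else {
    "PASS: $gaCount Global Administrators within [$minGlobalAdmins, $maxGlobalAdmins]"
}

# --- Check 2: user consent to third-party applications -----------------------------------
# The tenant authorization policy lists which permission-grant policies ordinary users are
# assigned. An empty list means only administrators can consent to applications; any entry
# (for example the "...microsoft-user-default-legacy" policy) lets users grant app access
# to organizational data themselves, which is the risky third-party connection path.
$authPolicy = Get-MgPolicyAuthorizationPolicy
$userConsentPolicies = @($authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

$consentFinding = if ($userConsentPolicies.Count -eq 0) {
    'PASS: user consent to applications is disabled (admin-only consent)'
} else {
    "FAIL: users may consent to applications via: $($userConsentPolicies -join ', ')"
}

# --- Report --------------------------------------------------------------------------------
[pscustomobject]@{
    Tenant                 = (Get-MgContext).TenantId
    GlobalAdminCount       = $gaCount
    GlobalAdmins           = ($gaPrincipals -join '; ')
    GlobalAdminFinding     = $gaFinding
    UserConsentPolicies    = ($userConsentPolicies -join '; ')
    AppConsentFinding      = $consentFinding
} | Format-List

Disconnect-MgGraph | Out-Null
```

A caveat worth keeping in mind when reading the output: role membership reported by Get-MgDirectoryRoleMember reflects permanent assignments only. Eligible assignments made through Privileged Identity Management do not appear until activated, so a tenant that uses PIM can look cleaner than it is and should be reviewed against the role-management API as well.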

The mandate responds to recent cybersecurity incidents in which misconfigured security controls in cloud environments led to actual compromises. Under the directive, federal civilian agencies must identify all of their Microsoft 365 cloud tenants by February 21, 2025, deploy CISA's SCuBA assessment tools and begin reporting results by April 25, 2025, and implement the SCuBA secure configuration baselines by June 20, 2025.

CISA's TIC 3.0 guidance, updated in July 2025, expands these baselines to include resource containment, DNS security, intrusion detection and response, unified communications security, and data labeling and inventory.

A Microsoft spokesperson stated that the company has been an active supporter and participant in helping CISA develop SCuBA. The spokesperson also noted that Microsoft supports CISA’s expeditious efforts and close partnership in the co-development of actionable and scalable security guidance via the directive issued.

CISA Director Jen Easterly urged all organizations to adopt this guidance, stating that the threat to cloud environments extends to every sector. She emphasized that outdated security configurations in cloud environments expose systems to exploits that can be easily mitigated by recommended and mandatory security configurations.

The directive applies only to Microsoft 365 environments, but CISA may release SCuBA secure configuration baselines for other cloud services in the future. The story has been updated to include comments provided by Microsoft.

In summary, the SCuBA framework, developed by CISA with Microsoft's support, sets mandatory guidelines for federal agencies to secure their Microsoft 365 environments and connected SaaS services against increasingly capable threat actors. The guidelines cover preventing unauthorized access, managing admin roles, auditing third-party app connections, enforcing data restrictions, strengthening identity protection, and applying protective controls to messaging and collaboration tools.
