US Government Issues Cloud Security Requirements for Federal Agencies

Written by

US federal agencies and departments have been mandated to implement new cybersecurity practices for cloud services.

The Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 25-01: Implementing Secure Practices for Cloud Services on December 17, which sets out actions federal agencies must take to identify and secure all production or operational cloud tenants in their environments.

The Directive has been issued in response to the escalation in cloud environments being targeted by malicious actors.

CISA highlighted how the improper configuration of security controls in cloud environments has introduced substantial risk and resulted in compromises.

“Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape, where vendor changes, software updates and evolving security best practices shape the threat environment. As vendors frequently release new updates and patches to address vulnerabilities, security configurations must also adjust,” CISA said.

Read now: Microsoft Admits Security Failings Allowed China to Access US Government Emails

New Cloud Security Requirements for Federal Agencies

The measures are based on CISA’s Secure Cloud Business Applications (SCuBA) project, from which the agency developed Secure Configuration Baselines. These baselines set out consistent and manageable cloud security configurations and assessment tools.

The key actions federal agencies and departments must take under the Directive are:

  • By February 21, 2025, identify and provide the name of all cloud tenants within the scope of the Directive and the system owning agency/component for each tenant
  • By April 25, deploy all SCuBA assessment tools for in-scope cloud tenants and begin continuous reporting to CISA
  • By June 20, implement all mandatory SCuBA policies as set out in the CISA-managed Binding Operational Directive 25-01 Required Configurations website
  • Implement all future updates to mandatory SCuBA policies in accordance with the timelines set forth in the Required Configurations website
  • Implement all mandatory SCuBA Secure Configuration Baselines and begin continuous monitoring for new cloud tenants prior to granting an Authorization to Operate
  • Identify and explain deviations in the output of the SCuBA assessment tools when reported to CISA

CISA will provide support how to comply with these requirements and provide a status report on agency progress to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB) and the National Cyber Director.

The Directive complements existing federal resources for cloud security, including the Federal Risk and Authorization Management Program (FedRAMP), relevant National Institute of Standards and Technology (NIST) guidance, and the CISA Trusted Internet Connections (TIC) 3.0 Cloud Use Case.

CISA added SCuBA Secure Configuration Baselines for other cloud products, which will automatically fall under the scope of the Directive.

What’s hot on Infosecurity Magazine?