The Cybersecurity and Infrastructure Security Agency’s (CISA) new Binding Operational Directive (BOD) 25-01 marks a critical step forward in strengthening the cybersecurity posture of federal civilian agencies. By mandating alignment with the Secure Cloud Business Applications (SCuBA) framework for Microsoft 365 environments, BOD 25-01 addresses vulnerabilities in one of the most widely used cloud platforms across the U.S. Federal government.
Starting today, AppOmni will provide a free assessment of U.S. Federal agencies’ M365 environments for SCuBA compliance. Our team is ready to help you complete compliance checks and meet 50+ directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams apps out of the box, with support for other apps continuously being added.
While BOD 25-01 specifically applies to federal civilian agencies, CISA strongly advises all organizations to adopt these security measures to reduce their attack surfaces and mitigate breach risks.
How to achieve SCuBA compliance: Key steps for Federal civilian agencies
Organizations need a robust SaaS security program to proactively check their security posture, identify and remediate deviations, and continuously monitor for threats to their applications. SaaS applications vary widely in how vendors update their software, in their application configurations and user permission models, and in how they log events.
SCuBA’s secure configuration baselines are a good starting point, but continuous risk assessments and integration with existing detection and response programs for all critical SaaS apps should be implemented to improve SaaS estate security posture and maintain policy compliance.
At the time the Directive was issued, CISA had published the final SCuBA Secure Cloud Configuration Baselines for Microsoft 365, with baselines for other cloud products to follow. CISA has provided the list of required configurations for M365.
How does AppOmni help with SCuBA and BOD 25-01 compliance?
AppOmni is a leader in SaaS security and has helped customers including 25% of Fortune 100 enterprises secure their business-critical SaaS apps and prevent data breaches.
AppOmni provides a comprehensive SaaS security platform whose foundational steps align with modern SaaS and cloud security models and the “Identify, Protect, Detect and Respond” methodology, allowing organizations to embrace and secure this attack surface.
Our deep posture inspection capabilities extend zero trust architectures: they go beyond securing access “to” applications by addressing the security “of” applications. Unique insights, data exposures, SaaS-to-SaaS connection risks, and threats identified by AppOmni have helped customers secure their data in SaaS apps.
A lack of funding for tools and monitoring systems, and a lack of adequate SaaS security skills, can hamper many federal agencies from achieving compliance in the face of the imminent deadlines set by the new directive. AppOmni is the only FedRAMP® In Process designated SaaS security platform that has been updated for several M365 SCuBA compliance checks, so it can immediately help customers assess their secure configuration baselines for M365 and maintain continuous, ongoing compliance. See sample controls for the M365 Teams application below.
How to assess your organization for SCuBA compliance
AppOmni offers Federal civilian agencies and public sector organizations a free Microsoft 365 assessment to ensure SCuBA compliance under BOD 25-01. This includes compliance checks for 50+ directives across AAD (Entra ID), SharePoint, Exchange Online, and Teams, with ongoing support for additional apps.
Here’s how you can mitigate SaaS security risks in your M365 environment:
- Manage external and anonymous access to Microsoft Teams, and prevent security controls for organizational meetings from being bypassed.
- Block sharing of sensitive files in SharePoint and OneDrive and limit continuous access to company assets.
- Validate authenticity of emails sent from your domain using DMARC for Exchange Online, and stop insider threats from exfiltrating emails to external recipients.
- Safeguard who can see your organization’s most sensitive data in real time with conditional access policies in Entra ID, and block supply-chain attacks from high-risk applications using Microsoft’s built-in signals.
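As an added example that is not part of the original post or of AppOmni’s product, the following Python helper illustrates the DMARC control above: it parses a domain’s DMARC TXT record and reports where it falls short of the SCuBA Exchange Online baseline (p=reject applied to all mail, aggregate reports sent to CISA’s reports@dmarc.cyber.dhs.gov mailbox, and an agency contact for both aggregate and failure reports). The sample records, the agency.gov domain and the function names are constructed assumptions; in practice the record would be fetched from DNS at `_dmarc.<domain>`.

```python
"""Check a DMARC TXT record against the SCuBA Exchange Online DMARC baseline (hypothetical helper, not AppOmni/CISA code)."""

# Aggregate-report mailbox CISA requires for federal domains (BOD 18-01 / SCuBA).
CISA_RUA = "reports@dmarc.cyber.dhs.gov"

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def mailboxes(uri_list: str) -> list[str]:
    """'mailto:a@x,mailto:b@y!10m' -> ['a@x', 'b@y'] (size suffix after '!' dropped)."""
    out = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            out.append(uri[len("mailto:"):].split("!")[0].lower())
    return out

def check_dmarc(record: str, agency_domain: str) -> list[str]:
    """Return findings for one record; an empty list means it meets the baseline."""
    findings = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() != "reject":
        findings.append(f"policy is p={tags.get('p', '<missing>')}, expected p=reject")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
        findings.append(f"pct={tags['pct']} enforces the policy on only part of the mail")
    rua, ruf = mailboxes(tags.get("rua", "")), mailboxes(tags.get("ruf", ""))
    suffix = "@" + agency_domain.lower()
    if CISA_RUA not in rua:
        findings.append(f"rua does not include {CISA_RUA}")
    if not any(m.endswith(suffix) for m in rua):
        findings.append("rua has no agency point of contact")
    if not any(m.endswith(suffix) for m in ruf):
        findings.append("ruf has no agency point of contact")
    return findings

if __name__ == "__main__":
    # Constructed sample records: one compliant, one that only monitors.
    for rec in ("v=DMARC1; p=reject; rua=mailto:reports@dmarc.cyber.dhs.gov,mailto:dmarc@agency.gov; ruf=mailto:dmarc@agency.gov",
                "v=DMARC1; p=none; rua=mailto:dmarc@agency.gov"):
        print(rec, "->", check_dmarc(rec, "agency.gov") or ["OK"])
```

A monitoring-only record (p=none) is the most common gap: it reports spoofing attempts but does not stop them, which is why the baseline requires p=reject.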
With AppOmni, you will also be able to identify the following across your entire SaaS environment:
- Publicly-exposed data
- Over-privileged external users
- Risky 3rd-party app connections
- Weak data restrictions
- Over-provisioned admin roles
- Non-compliant security configurations
SCuBA compliance with CISA BOD 25-01: Why it matters now
SaaS applications such as Microsoft 365 are used extensively by federal agencies, public sector, and private sector organizations. These applications store and process vast amounts of sensitive information and are an integral part of the day-to-day operations of enterprises, supporting virtually all of their employees and critical business processes.
According to a CISA release, during the first half of 2024, SaaS misconfigurations provided the initial access point for 30% of all cloud environment attacks, up from 17% in the second half of 2023. Lack of visibility into risks, misconfigurations, and improper access controls in SaaS environments often leads to breaches that expose vast amounts of sensitive information.
For government agencies, the stakes are even higher, as adversaries ranging from nation-state actors to ransomware operators can exploit these weaknesses to disrupt operations and compromise national security. Traditional security measures are not designed to address these issues and do not provide programmatic checks for recommended configuration baselines, policy deviations, potential data exposures, and threats that occur in SaaS environments.
CISA has published the Secure Cloud Business Applications (SCuBA) guidelines to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. CISA has laid out the following timeline for agencies to comply with the new directive.
- February 21, 2025 (Identification of Cloud Tenants): Agencies must identify all cloud tenants within the directive’s scope.
- April 25, 2025 (Deployment of Assessment Tools): Agencies are required to deploy CISA’s automated configuration assessment tools and commence continuous reporting.
- June 20, 2025 (Implementation of Secure Configuration Baselines (SCBs)): All mandatory SCuBA policies must be implemented.
Is your Microsoft 365 security ready for CISA’s BOD 25-01?
Discover SaaS security risks in your Microsoft 365 environment with AppOmni’s complimentary SCuBA compliance assessment.