The Cybersecurity and Infrastructure Security Agency's (CISA) new Binding Operational Directive (BOD) 25-01 marks a critical step forward in strengthening the cybersecurity posture of federal civilian agencies. By mandating alignment with the Secure Cloud Business Applications (SCuBA) framework for Microsoft 365 environments, BOD 25-01 addresses vulnerabilities in one of the most widely used cloud platforms across the U.S. Federal government.
Starting today, AppOmni will provide a free assessment of U.S. Federal agencies' M365 environments for SCuBA compliance. Our team is ready to help you complete compliance checks and meet 50+ directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams apps out-of-the-box, with support for other apps continuously being added.
While BOD 25-01 specifically applies to federal civilian agencies, CISA strongly advises all organizations to adopt these security measures to reduce their attack surfaces and mitigate breach risks.
Organizations need a robust SaaS security program to proactively check their security posture, identify and remediate deviations, and continuously monitor for threats to their applications. SaaS applications vary widely in the way that vendors update their software, application configurations, user permissions, and in how they log events.
SCuBA's secure configuration baselines are a good starting point, but continuous risk assessments and integration with existing detection and response programs for all critical SaaS apps should be implemented to improve SaaS estate security posture and maintain policy compliance.
At the time of issuance of the Directive, CISA has published the final SCuBA Secure Cloud Configuration Baselines for Microsoft 365 with baselines for other cloud products coming in the future. CISA has provided the list of required configurations for M365.
AppOmni is a leader in SaaS security and has helped customers including 25% of Fortune 100 enterprises secure their business-critical SaaS apps and prevent data breaches.
AppOmni provides a comprehensive SaaS security platform with the foundational steps that align with modern SaaS and cloud security models and the "Identify, Protect, Detect and Respond" methodology allowing organizations to embrace and secure this attack surface.
Our deep posture inspection capabilities extend zero trust architectures: they go beyond securing access "to" applications by addressing the security "of" applications. Unique insights, data exposures, SaaS-to-SaaS connection risks, and threats identified by AppOmni have helped customers secure their data in SaaS apps.
A lack of funding for tools and monitoring systems and a lack of adequate SaaS security skills can keep many federal agencies from achieving compliance in the face of imminent deadlines set by the new directive. AppOmni is the only FedRAMP In Process designated SaaS security platform that has been updated for several M365 SCuBA compliance checks and can immediately help customers assess their secure configuration baselines for M365 and maintain continuous, ongoing compliance. See sample controls for M365 Teams application below.
AppOmni offers Federal civilian agencies and public sector organizations a free Microsoft 365 assessment to ensure SCuBA compliance under BOD 25-01. This includes compliance checks for 50+ directives across AAD (Entra ID), SharePoint, Exchange Online, and Teams, with ongoing support for additional apps.
Here's how you can mitigate SaaS security risks in your M365 environment:
With AppOmni, you will also be able to identify the following across your entire SaaS environment:
SaaS applications such as Microsoft 365 are used extensively by federal agencies, public sector, and private sector organizations. These applications store and process vast amounts of sensitive information and are an integral part of the day-to-day operations of enterprises, supporting virtually all of their employees and critical business processes.
According to a CISA release, during the first half of 2024, SaaS misconfigurations provided the initial access point for 30% of all cloud environment attacks -- up from 17% in the second half of 2023. Lack of visibility into risks, misconfigurations, and improper access controls in SaaS environments often lead to breaches that expose vast amounts of sensitive information.
For government agencies, the stakes are even higher, as adversaries such as nation-state actors and ransomware attackers can exploit these weaknesses to disrupt operations and compromise national security. Traditional security measures are not designed to address these security issues and do not provide programmatic checks for recommended configuration baselines, policy deviations, potential data exposures, and threats that occur in these SaaS environments.
CISA has published Secure Cloud Business Applications (SCuBA) guidelines to secure agencies' cloud business application environments and protect federal information that is created, accessed, shared, and stored in those environments. CISA has laid out the following timeline for agencies to comply with the new directive.