BOD 25-01: Implementing Secure Practices for Cloud Services Required Configurations
Description
This page provides an up-to-date list of the Secure Cloud Business Applications (SCuBA) configurations which Federal Civilian Executive Branch agencies are required to follow in accordance with BOD 25-01: Implementing Secure Practices for Cloud Services.
Running the most up-to-date version of the associated SCuBA Assessment Tool will perform an automated check against the baselines and provide notice of any non-compliance in a generated report. This page details the required action associated with each baseline and links to associated step-by-step compliance instructions.
To download and run the SCuBA tool, please refer to BOD 25-01: Implementing Secure Practices for Cloud Services.
Background
On December 17, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services. Through the Secure Cloud Business Applications (SCuBA) project, CISA has developed Secure Configuration Baselines to provide consistent, effective, and manageable cloud security configurations, as well as assessment tools that allow agencies and CISA to improve the security of Federal Civilian Executive Branch assets hosted in cloud environments.
BOD 25-01 requires all Federal Civilian Executive Branch agencies to comply with a defined set of these Secure Cloud Baselines, deploy automated configuration assessment tools to check compliance, and remediate deviations from these policies.
Although BOD 25-01 only requires action by Federal Civilian Executive Branch agencies, CISA strongly recommends all stakeholders implement these policies and leverage CISA’s SCuBA assessment tool and the information on this page. Doing so will reduce significant risk and enhance collective resilience across the cybersecurity community.
Microsoft 365 (M365)
- Azure Active Directory / Entra ID

Policy ID | Action | Date Added / Modified | Due Date
MS.AAD.1.1v1 | Legacy authentication SHALL be blocked. | 12/17/2024 | 06/20/2025
MS.AAD.2.1v1 | Users detected as high risk SHALL be blocked. | 12/17/2024 | 06/20/2025
MS.AAD.2.3v1 | Sign-ins detected as high risk SHALL be blocked. | 12/17/2024 | 06/20/2025
MS.AAD.3.1v1 | Phishing-resistant MFA SHALL be enforced for all users. | 12/17/2024 | 06/20/2025
MS.AAD.3.2v1 | If Phishing-resistant MFA has not been enforced yet, then an alternative MFA method SHALL be enforced for all users. | 12/17/2024 | 06/20/2025
MS.AAD.3.3v1 | If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | 12/17/2024 | 06/20/2025
MS.AAD.3.4v1 | The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | 12/17/2024 | 06/20/2025
MS.AAD.3.6v1 | Phishing-resistant MFA SHALL be required for Highly Privileged Roles. | 12/17/2024 | 06/20/2025
MS.AAD.5.1v1 | Only administrators SHALL be allowed to register applications. | 12/17/2024 | 06/20/2025
MS.AAD.5.2v1 | Only administrators SHALL be allowed to consent to applications. | 12/17/2024 | 06/20/2025
MS.AAD.5.3v1 | An admin consent workflow SHALL be configured for applications. | 12/17/2024 | 06/20/2025
MS.AAD.5.4v1 | Group owners SHALL NOT be allowed to consent to applications. | 12/17/2024 | 06/20/2025
MS.AAD.6.1v1 | User passwords SHALL NOT expire. | 12/17/2024 | 06/20/2025
MS.AAD.7.1v1 | A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | 12/17/2024 | 06/20/2025
MS.AAD.7.2v1 | Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | 12/17/2024 | 06/20/2025
MS.AAD.7.3v1 | Privileged users SHALL be provisioned cloud-only accounts that are separate from an on-premises directory or other federated identity providers. | 12/17/2024 | 06/20/2025
MS.AAD.7.4v1 | Permanent active role assignments SHALL NOT be allowed for highly privileged roles except for emergency and service accounts. | 12/17/2024 | 06/20/2025
MS.AAD.7.5v1 | Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system, because this bypasses critical controls the PAM system provides. | 12/17/2024 | 06/20/2025
MS.AAD.7.6v1 | Activation of the Global Administrator role SHALL require approval. | 12/17/2024 | 06/20/2025
MS.AAD.7.7v1 | Eligible and Active highly privileged role assignments SHALL trigger an alert. | 12/17/2024 | 06/20/2025
MS.AAD.7.8v1 | User activation of the Global Administrator role SHALL trigger an alert. | 12/17/2024 | 06/20/2025

- Microsoft Defender

Policy ID | Action | Date Added / Modified | Due Date
MS.DEFENDER.1.1v1 | The standard and strict preset security policies SHALL be enabled. | 12/17/2024 | 06/20/2025
MS.DEFENDER.1.2v1 | All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy. | 12/17/2024 | 06/20/2025
MS.DEFENDER.1.3v1 | All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy. | 12/17/2024 | 06/20/2025
MS.DEFENDER.1.4v1 | Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. | 12/17/2024 | 06/20/2025
MS.DEFENDER.1.5v1 | Sensitive accounts SHALL be added to Defender for Office 365 Protection in the strict preset security policy. | 12/17/2024 | 06/20/2025
MS.DEFENDER.4.1v1 | A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security numbers (SSN) SHALL be blocked. | 12/17/2024 | 06/20/2025
MS.DEFENDER.5.1v1 | At a minimum, the alerts required by the CISA M365 Security Configuration Baseline for Exchange Online SHALL be enabled. | 12/17/2024 | 06/20/2025
MS.DEFENDER.6.1v1 | Microsoft Purview Audit (Standard) logging SHALL be enabled. | 12/17/2024 | 06/20/2025
MS.DEFENDER.6.2v1 | Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. | 12/17/2024 | 06/20/2025

- Exchange Online

Policy ID | Action | Date Added / Modified | Due Date
MS.EXO.1.1v1 | Automatic forwarding to external domains SHALL be disabled. | 12/17/2024 | 06/20/2025
MS.EXO.2.2v2 | An SPF policy SHALL be published for each domain that fails all non-approved senders. | 12/17/2024 | 06/20/2025
MS.EXO.4.1v1 | A DMARC policy SHALL be published for every second-level domain. | 12/17/2024 | 06/20/2025
MS.EXO.4.2v1 | The DMARC message rejection option SHALL be p=reject. | 12/17/2024 | 06/20/2025
MS.EXO.4.3v1 | The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov. | 12/17/2024 | 06/20/2025
MS.EXO.5.1v1 | SMTP AUTH SHALL be disabled. | 12/17/2024 | 06/20/2025
MS.EXO.6.1v1 | Contact folders SHALL NOT be shared with all domains. | 12/17/2024 | 06/20/2025
MS.EXO.6.2v1 | Calendar details SHALL NOT be shared with all domains. | 12/17/2024 | 06/20/2025
MS.EXO.7.1v1 | External sender warnings SHALL be implemented. | 12/17/2024 | 06/20/2025
MS.EXO.13.1v1 | Mailbox auditing SHALL be enabled. | 12/17/2024 | 06/20/2025

- Power Platform

Policy ID | Action | Date Added / Modified | Due Date
MS.POWERPLATFORM.1.1v1 | The ability to create production and sandbox environments SHALL be restricted to admins. | 12/17/2024 | 06/20/2025
MS.POWERPLATFORM.1.2v1 | The ability to create trial environments SHALL be restricted to admins. | 12/17/2024 | 06/20/2025
MS.POWERPLATFORM.2.1v1 | A DLP policy SHALL be created to restrict connector access in the default Power Platform environment. | 12/17/2024 | 06/20/2025
MS.POWERPLATFORM.3.1v1 | Power Platform tenant isolation SHALL be enabled. | 12/17/2024 | 06/20/2025

- SharePoint Online & OneDrive

Policy ID | Action | Date Added / Modified | Due Date
MS.SHAREPOINT.1.1v1 | External sharing for SharePoint SHALL be limited to Existing Guests or Only People in your Organization. | 12/17/2024 | 06/20/2025
MS.SHAREPOINT.1.2v1 | External sharing for OneDrive SHALL be limited to Existing Guests or Only People in your Organization. | 12/17/2024 | 06/20/2025
MS.SHAREPOINT.2.1v1 | File and folder default sharing scope SHALL be set to Specific People (only the people the user specifies). | 12/17/2024 | 06/20/2025
MS.SHAREPOINT.2.2v1 | File and folder default sharing permissions SHALL be set to View only. | 12/17/2024 | 06/20/2025
MS.SHAREPOINT.4.2v1 | Users SHALL be prevented from running custom scripts on self-service created sites. | 12/17/2024 | 06/20/2025

- Microsoft Teams

Policy ID | Action | Date Added / Modified | Due Date
MS.TEAMS.1.2v1 | Anonymous users SHALL NOT be enabled to start meetings. | 12/17/2024 | 06/20/2025
MS.TEAMS.2.1v1 | External access for users SHALL only be enabled on a per-domain basis. | 12/17/2024 | 06/20/2025
MS.TEAMS.2.2v1 | Unmanaged users SHALL NOT be enabled to initiate contact with internal users. | 12/17/2024 | 06/20/2025
MS.TEAMS.3.1v1 | Contact with Skype users SHALL be blocked. | 12/17/2024 | 06/20/2025
MS.TEAMS.4.1v1 | Teams email integration SHALL be disabled. | 12/17/2024 | 06/20/2025
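The Exchange Online rows MS.EXO.2.2v2, MS.EXO.4.2v1 and MS.EXO.4.3v1 are the baselines an agency can verify from public DNS alone. As an added illustration that is not CISA's SCuBA tool and not code from this page, the following Python evaluates a domain's SPF and DMARC TXT records against those three requirements; the domains and records it uses are constructed samples, and the required rua address is the one the baseline names.

```python
# Constructed sample TXT records for hypothetical domains (not from the page).
SAMPLE_RECORDS = {
    "_dmarc.agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example,mailto:reports@dmarc.cyber.dhs.gov!10m",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "agency.example": "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all",
    "weak.example": "v=spf1 include:spf.protection.outlook.com ~all",
}
REQUIRED_RUA = "reports@dmarc.cyber.dhs.gov"  # aggregate-report recipient named by MS.EXO.4.3v1

def parse_dmarc_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def rua_addresses(rua_value):
    """Return bare mailboxes from a rua= list, dropping the mailto: scheme and !size limits."""
    addrs = []
    for uri in rua_value.split(","):
        uri = uri.strip().lower()
        if uri.startswith("mailto:"):
            uri = uri[len("mailto:"):]
        addrs.append(uri.split("!", 1)[0])
    return addrs

def check_dmarc(record):
    """Findings against MS.EXO.4.2v1 (p=reject) and MS.EXO.4.3v1 (CISA rua address)."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["MS.EXO.4.1v1: no DMARC record published"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append("MS.EXO.4.2v1: p=%s, expected p=reject" % tags.get("p", "<missing>"))
    if REQUIRED_RUA not in rua_addresses(tags.get("rua", "")):
        findings.append("MS.EXO.4.3v1: rua does not include " + REQUIRED_RUA)
    return findings

def check_spf(record):
    """MS.EXO.2.2v2: the record must end in -all so non-approved senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["MS.EXO.2.2v2: no SPF record published"]
    if terms[-1].lower() != "-all":
        return ["MS.EXO.2.2v2: final mechanism is %s, expected -all" % terms[-1]]
    return []
```

An empty list means the record satisfies the checked rows; in a real run the records would come from a DNS TXT lookup of the domain and of its _dmarc subdomain.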