Mounting cyber intrusions against cloud systems have prompted the Cybersecurity and Infrastructure Security Agency to order federal agencies to identify and protect all of their Microsoft cloud systems in adherence to its Secure Cloud Business Applications baselines, according to The Record, a news site by cybersecurity firm Recorded Future.
Aside from completing a cloud system inventory by Feb. 21, 2025, federal agencies should also launch SCuBA evaluation tools by Apr. 25 and ensure the adoption of the entire directive by June 20, said CISA, which will be providing dedicated SCuBA baselines for Google Workspace between April to June next year. "This is the product of work that we began after the SolarWinds campaign to create a centralized and consistent approach to securing the federal cloud environment. The configurations that this [binding operational directive] require are not specific to any threat actor or incident. They are used consistently by both sophisticated, well-funded threat actors and common cybercriminals," said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman.
