Reposted from CISA/DHS

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services to safeguard federal information and information systems. This directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and remediate deviations from CISA’s Secure Cloud Business Applications secure configuration baselines. Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. As part of CISA and the broad U.S. government's effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks. While this Directive only applies to federal civilian executive branch agencies, the threat to cloud environments extends to every sector. We are urging all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play. 

See Original Post