BOD 25-01 and Misconfiguration Management
BOD 25-01 (Binding Operational Directive 25-01) is a directive from CISA that requires U.S. federal agencies to harden and monitor SaaS security settings to reduce risks from misconfigurations. It mandates continuous visibility, secure configurations, and timely remediation of security gaps in cloud environments. If it’s good for governmental and federal agencies, it’s a good standard for your organization.
Misconfigurations are a critical aspect of SSPM (SaaS Security Posture Management) and a key part of an organization’s overall security posture. While SaaS vendors secure their infrastructure, organizations are responsible for configuring their own tenants. Misconfigurations such as excessive permissions, weak password policies, or unauthorized access increase the attack surface and enable lateral movement, exposing the business to data breaches, compliance failures, and reputational damage.
SCuBA: CISA’s Framework for Securing Cloud Applications
The Secure Cloud Business Applications (SCuBA) program was developed by the Cybersecurity and Infrastructure Security Agency (CISA), and provides security guidance to strengthen cloud environments, addressing the most common misconfigurations and risks.
“These security configuration baselines for Microsoft 365 (M365) and Google Workspace (GWS) provide straightforward recommendations that complement each organization’s unique requirements and risk tolerance levels as well as include automation features to assist IT professionals in rapidly assessing their M365 and GWS services.” – source: https://www.cisa.gov/
The SCuBA framework helps prevent issues in how data is created, shared, and stored that hinder effective SaaS risk management. As the threat landscape evolves, it offers timely, actionable guidance to improve SaaS governance, helping organizations strengthen their security posture and mitigate risks tied to growing SaaS adoption.
Key Advantages of the SCuBA Framework:
- Standardized Security: Adheres to proven security practices.
- IAM Focused: Strengthens user identities and access controls.
- Compliance Alignment: Supports meeting regulatory standards.
- Proactive Risk Management: Helps identify and mitigate risks.
- Scalability: Applies to various cloud environments and organization sizes.
- Government-Endorsed: Trusted and credible framework.
Strengthening your SaaS Security Posture
While initially tailored for federal civilian executive branch agencies, CISA encourages the private sector to adopt SCuBA as a model for mitigating SaaS complexity.
Applying the SCuBA framework, originally developed to secure Google Workspace and Microsoft 365, to SSPM, Wing Security expanded it into actionable configuration checks for additional identity providers (IdPs) such as Okta.
Wing Security’s implementation of the SCuBA framework
Wing Security’s SSPM layer tackles the complexities of identifying and managing SaaS identities, both human and non-human, within an organization’s SaaS environment. Deep SaaS visibility enables rapid remediation of SaaS security risks and ensures continuous compliance with SCuBA framework requirements.
To support this, Wing Security delivers four distinct outcomes customers can take advantage of to accelerate their efforts.
1. Comprehensive SaaS and Shadow IT Discovery
Wing’s SSPM identifies the organization’s full SaaS ecosystem, including shadow IT and app-to-app integrations, through non-intrusive methods such as API and email metadata analysis. This discovery extends to human and non-human identities, MFA status, and user roles.
2. Noise-Free Configuration Management
Wing’s Configuration Center prioritizes critical misconfigurations, provides SCuBA-aligned guidance, simplifies compliance with audit trails, and helps security teams track and prevent configuration drift to maintain a secure SaaS environment.
3. Automated Policy Enforcement and Remediation Guide
Wing Security enables users to remediate risks by automating and enforcing policies across their SaaS stack, minimizing manual effort, and ensuring continuous SCuBA compliance. Whether it’s fixing issues instantly, like suspending a user, revoking an OAuth token, or applying bulk actions across users or departments, Wing streamlines your security management.
4. Compliance and Audit Readiness
Wing addresses misconfigurations to help meet regulatory requirements such as GDPR, CCPA, SOC, and ISO standards. Misconfigurations can result in compliance gaps that lead to potential penalties. Wing helps organizations ensure their SaaS applications are configured correctly and remain audit-ready.
Next steps:
- Book a demo or use SaaS Pulse to uncover your SaaS risks and attack surface.
- Receive expert-led risk assessment documentation.
- Remediate risks and create automated policies for preventive measures.
- Generate SCuBA compliance reports to meet BOD 25-01 baseline requirements.
- Continuously monitor your SaaS security posture to stay protected.