



AppOmni Delivers SaaS Security Checks for CISA Regulations to Secure Cloud Applications


AppOmni, a leader in SaaS security, announced new policy compliance checks to help U.S. Federal Government agencies comply with the mandate in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directive (BOD) 25-01 to secure cloud applications.

The directive was issued by CISA on December 17, 2024, in response to recent adversary activities and as part of the Secure Cloud Business Applications (SCuBA) project to effectively secure cloud applications, starting with Microsoft 365 (M365) environments.

AppOmni is also providing agencies and private sector enterprises with a free compliance assessment of their M365 applications against the new requirements.

According to the company, AppOmni is the first SaaS security provider with FedRAMP In Process designation to offer services specifically tied to these requirements.

The directive and SCuBA guidelines require federal civilian agencies to secure their cloud environments and abide by the SCuBA framework’s secure configuration baselines. It mandates a very tight set of deadlines over the first few months of 2025 to address vulnerabilities in one of the most widely used cloud platforms across the U.S. federal government.

“While most regulations can be onerous, this directive is both vital and reasonable—BOD 25–01 marks a critical step forward in strengthening the cybersecurity posture of federal civilian agencies,” said Brandon Conley, Chief Revenue Officer at AppOmni and a leading strategist in public sector engagements. “By mandating the adoption of the SCuBA Secure Configuration Baselines, CISA not only provides a standardized approach to securing SaaS applications, it also guides agencies toward proactive risk mitigation. This is the kind of alignment needed with broader cybersecurity initiatives such as zero trust architectures and continuous monitoring. As the voice of SaaS security for our customers and partners, we’re proud to lead the way in protecting the applications that power the government.”

The key deadlines for the security directive include:

  • February 21, 2025: Agencies must identify all cloud tenants within the directive's scope
  • April 25, 2025: Agencies must deploy CISA's automated configuration assessment tools and commence continuous reporting
  • June 20, 2025: All mandatory SCuBA policies must be implemented.

AppOmni’s new set of services is custom-designed for the federal government. The services enable agencies to complete compliance checks and meet 50-plus directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams applications out of the box, with support for other applications continuously being added.

The new capabilities will help agencies:

  • Manage external, anonymous access to Microsoft Teams, and prevent bypassing of security controls for organizational meetings
  • Block the sharing of sensitive files in SharePoint and OneDrive, and limit continuous access to company assets
  • Validate the authenticity of emails sent from a given domain using DMARC for Exchange Online, and stop insider threats from exfiltrating emails to external recipients
  • Safeguard who can see an agency’s most sensitive data in real time with conditional access policies in Entra ID, and block supply chain attacks from high-risk applications using Microsoft's built-in signals.

SaaS apps such as M365 are used extensively throughout the public and private sector, where they store and process massive volumes of sensitive information while supporting virtually all operational processes.

While BOD 25-01 specifically applies to federal civilian agencies, CISA strongly advises all organizations to adopt these security measures to reduce their attack surfaces and mitigate breach risks.

Beyond the directive requirements, the AppOmni Platform also enables public and private sector entities to identify and mitigate the following risks across their entire SaaS environments:

  • Publicly exposed data
  • Over-privileged external users
  • Risky third-party application connections
  • Weak data restrictions
  • Over-provisioned administrative roles
  • Non-compliant security configurations

Organizations can take AppOmni’s free SCuBA compliance assessment now to simplify policy alignment, gain instant visibility and actionable insights into SaaS security risks, and align configurations with secure baselines to protect sensitive data and ensure adherence to strict federal standards.

For more information about this news, visit www.appomni.com

