AppOmni delivers first SaaS security checks for CISA Binding Operational Directive 25-01
AppOmni today announced new policy compliance checks to help US Federal Government agencies comply with the mandate from the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directive, or BOD 25-01. The directive was issued by CISA on December 17, 2024, in response to recent adversary activities and as part of the Secure Cloud Business Applications (SCuBA) project to effectively secure cloud applications, starting with Microsoft 365 (M365) environments. AppOmni is also providing agencies and private sector enterprises with a free compliance assessment of their M365 applications against the new requirements. AppOmni is the first SaaS security provider with a FedRAMP In Process designation to offer services specifically tied to these requirements.
The directive and SCuBA guidelines require federal civilian agencies to secure their cloud environments and abide by the SCuBA framework’s secure configuration baselines. It mandates a very tight set of deadlines over the first few months of 2025 to address vulnerabilities in one of the most widely used cloud platforms across the U.S. federal government.
“While most regulations can be onerous, this directive is both vital and reasonable—BOD 25-01 marks a critical step forward in strengthening the cybersecurity posture of federal civilian agencies,” said Brandon Conley, Chief Revenue Officer at AppOmni and a leading strategist in public sector engagements. “By mandating the adoption of the SCuBA Secure Configuration Baselines, CISA not only provides a standardized approach to securing SaaS applications, it also guides agencies toward proactive risk mitigation. This is the kind of alignment needed with broader cybersecurity initiatives such as zero trust architectures and continuous monitoring. As the voice of SaaS security for our customers and partners, we’re proud to lead the way in protecting the applications that power the government.”
While the new directive has only just arrived, the clock is already ticking. The key deadlines include:
- February 21, 2025: Agencies must identify all cloud tenants within the directive's scope.
- April 25, 2025: Agencies must deploy CISA's automated configuration assessment tools and commence continuous reporting.
- June 20, 2025: All mandatory SCuBA policies must be implemented.
AppOmni’s services are custom-designed for the federal government. They enable agencies to complete compliance checks and meet 50+ directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams applications out of the box, with support for other applications continuously being added. The new capabilities will help agencies:
- Manage external, anonymous access to Microsoft Teams, and prevent bypassing of security controls for organizational meetings.
- Block the sharing of sensitive files in SharePoint and OneDrive, and limit continuous access to company assets.
- Validate the authenticity of emails sent from a given domain using DMARC for Exchange Online, and stop insider threats from exfiltrating emails to external recipients.
- Safeguard who can see an agency’s most sensitive data in real time with conditional access policies in Entra ID, and block supply chain attacks from high-risk applications using Microsoft's built-in signals.
These offerings are well suited to an environment in which SaaS installations are simultaneously critical and inadequately protected. SaaS apps such as M365 are used extensively throughout the public and private sectors, where they store and process massive volumes of sensitive information while supporting virtually all operational processes. However, security lags far behind the rapid adoption: according to a CISA release, SaaS misconfigurations provided the initial access point for 30% of all cloud environment attacks (up from 17% in the second half of 2023).
The danger to government agencies is particularly acute: adversaries, from nation-state actors to ransomware operators, can exploit these weaknesses to disrupt operations and compromise national security. At the same time, traditional security measures are not designed to address these issues or to provide programmatic checks for recommended configuration baselines, policy deviations, or potential data exposures.
While BOD 25-01 specifically applies to federal civilian agencies, CISA strongly advises all organizations to adopt these security measures to reduce their attack surfaces and mitigate breach risks. The SCuBA secure configuration baselines are a good starting point, but continuous risk assessments and integration with existing detection and response programs for all critical SaaS apps should be implemented to improve SaaS estate security posture and maintain policy compliance.
Beyond the directive requirements, the AppOmni Platform also enables public and private sector entities to identify and mitigate the following risks across their entire SaaS environments:
- Publicly exposed data
- Overprivileged external users
- Risky third-party application connections
- Weak data restrictions
- Over-provisioned administrative roles
- Non-compliant security configurations
Organizations can take AppOmni’s free SCuBA compliance assessment now. It simplifies policy alignment by giving instant visibility and actionable insights into SaaS security risks, applies secure baselines so that configurations protect sensitive data, and is delivered on the only SaaS security platform with a FedRAMP In Process designation, helping organizations adhere to strict federal standards.