Provides free SCuBA compliance assessment to public and private sector organizations

AppOmni Delivers First SaaS Security Checks for CISA Binding Operational Directive 25-01

Media Contact:
CONTOS DUNNE COMMUNICATIONS
AppOmni@cdc.agency (e)
+1 (408) 776-1400 (o) +1 (408) 893-8750 (m)

AppOmni, the leader in SaaS security, today announced new policy compliance checks to help US Federal Government agencies comply with the mandate from the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Binding Operational Directive, or BOD 25-01. The directive was issued by CISA on December 17, 2024, in response to recent adversary activities and as part of the Secure Cloud Business Applications (SCuBA) project to effectively secure cloud applications, starting with Microsoft 365 (M365) environments. AppOmni is also providing agencies and private sector enterprises with a free compliance assessment of their M365 applications against the new requirements. AppOmni is the first SaaS security provider with FedRAMP® In Process designation to offer services specifically tied to these requirements.

The directive and SCuBA guidelines require federal civilian agencies to secure their cloud environments and abide by the SCuBA framework’s secure configuration baselines. It mandates a very tight set of deadlines over the first few months of 2025 to address vulnerabilities in one of the most widely used cloud platforms across the U.S. federal government.

“While most regulations can be onerous, this directive is both vital and reasonable—BOD 25-01 marks a critical step forward in strengthening the cybersecurity posture of federal civilian agencies,” said Brandon Conley, Chief Revenue Officer at AppOmni and a leading strategist in public sector engagements. “By mandating the adoption of the SCuBA Secure Configuration Baselines, CISA not only provides a standardized approach to securing SaaS applications, it also guides agencies toward proactive risk mitigation. This is the kind of alignment needed with broader cybersecurity initiatives such as zero trust architectures and continuous monitoring. As the voice of SaaS security for our customers and partners, we’re proud to lead the way in protecting the applications that power the government.”

While the new directive has only just arrived, the clock is already ticking. The key deadlines include:

  • February 21, 2025: Agencies must identify all cloud tenants within the directive's scope
  • April 25, 2025: Agencies must deploy CISA's automated configuration assessment tools and commence continuous reporting
  • June 20, 2025: All mandatory SCuBA policies must be implemented.

As the only FedRAMP® In Process designated SaaS security platform, AppOmni’s new set of services is custom-designed for the federal government. The services enable agencies to complete compliance checks and meet 50+ directives for Microsoft AAD (Entra ID), SharePoint, Exchange Online, and Teams applications out of the box, with support for other applications continuously being added. The new capabilities will help agencies:

  • Manage external, anonymous access to Microsoft Teams, and prevent bypassing of security controls for organizational meetings
  • Block the sharing of sensitive files in SharePoint and OneDrive, and limit continuous access to company assets
  • Validate the authenticity of emails sent from a given domain using DMARC for Exchange Online, and stop insider threats from exfiltrating emails to external recipients
  • Safeguard who can see an agency’s most sensitive data in real time with conditional access policies in Entra ID, and block supply chain attacks from high-risk applications using Microsoft's built-in signals.

These offerings are perfectly suited to an environment in which SaaS installations are simultaneously critical and inadequately protected. SaaS apps such as M365 are used extensively throughout the public and private sector, where they store and process massive volumes of sensitive information while supporting virtually all operational processes. However, security lags far behind the rapid adoption: According to a CISA release, SaaS misconfigurations provided the initial access point for 30% of all cloud environment attacks (up from 17% in the second half of 2023).

The danger to government agencies is particularly acute: adversaries ranging from nation-state actors to ransomware attackers can exploit these weaknesses to disrupt operations and compromise national security. At the same time, traditional security measures are not designed to address these issues or to provide programmatic checks for recommended configuration baselines, policy deviations, or potential data exposures.

While BOD 25-01 specifically applies to federal civilian agencies, CISA strongly advises all organizations to adopt these security measures to reduce their attack surfaces and mitigate breach risks. The SCuBA secure configuration baselines are a good starting point, but continuous risk assessments and integration with existing detection and response programs for all critical SaaS apps should be implemented to improve SaaS estate security posture and maintain policy compliance.

Beyond the directive requirements, the AppOmni Platform also enables public and private sector entities to identify and mitigate the following risks across their entire SaaS environments:

  • Publicly exposed data
  • Over-privileged external users
  • Risky third-party application connections
  • Weak data restrictions
  • Over-provisioned administrative roles
  • Non-compliant security configurations

Take AppOmni’s free SCuBA compliance assessment now to simplify policy alignment with instant visibility for actionable insights into SaaS security risks, secure baselines to protect sensitive data with aligned configurations, and the only SaaS security platform with FedRAMP® In Process designation to ensure adherence to strict federal standards.

Learn more about the AppOmni SaaS Security Platform.

About AppOmni

AppOmni is the leader in SaaS Security and simplifies protection for business-critical SaaS applications. With AppOmni, security teams and SaaS application owners quickly secure their mission-critical and sensitive data from attackers and insider threats. The AppOmni SaaS Security Platform continuously scans SaaS APIs, configurations, and ingested audit logs to deliver complete data access visibility, secure identities and SaaS-to-SaaS connections, detect threats, prioritize insights, and simplify compliance reporting. Five of the Fortune 10 and global enterprises across industries trust AppOmni to secure their SaaS applications.

Visit AppOmni.com, follow @AppOmni on LinkedIn, and watch SaaS security videos on YouTube.

Public and private sector organizations get first #SaaSSecurity compliance checks for #CISA BOD 25-01 from @AppOmniSecurity, along with free #SCuBA compliance assessment to protect Microsoft 365 applications

