June 27, 2023
In a significant stride towards safeguarding federal information stored within cloud environments, the Cybersecurity and Infrastructure Security Agency (CISA) recently released the first series of final security guidance sources. These sources are under the agency’s SCuBA project, otherwise known as the Secure Cloud Business Applications project.
The initiative focuses on securing cloud services and bolstering their security configurations. The documents provide much-needed guidance to implement best practices for public and private entities’ cloud services.
CISA and Cloud Services: Ensuring Federal Networks’ Digital Security
Cloud applications have become integral to modern businesses, facilitating collaboration, data access, and storage. However, with the increasing reliance on cloud services, cybersecurity risks have also escalated, necessitating comprehensive strategies to safeguard sensitive information. The SCuBA Project acknowledges this evolving landscape and emphasizes the need for consistent, effective, modern, and manageable security configurations.
In a press release on the CISA website, CISA Executive Assistant for Cybersecurity Eric Goldstein emphasized that persistent threat actors continue to evolve their capabilities, making it crucial for organizations, including federal agencies, to utilize adaptable and timely guidance provided by the SCuBA Project.
“As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether on on-premises or cloud-based environments,” said Goldstein. “The final eVRF and TRA provides all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk.”
The SCuBA Project
The SCuBA, or Secure Cloud Business Applications, project was funded through the American Rescue Plan Act of 2021 and created with input from a public comment period in 2022. Moving to cloud-based platforms and services introduces new risks that persistent threat actors have exploited to compromise federal government networks. The SCuBA project aims to secure agencies’ cloud business applications and protect the information in their networks by improving cybersecurity practices and providing direction on adopting cloud technology.
At the forefront of SCuBA are two key documents, the SCuBA Technical Reference Architecture (TRA) and the Extensible Visibility Reference Framework (eVRF) Guidebook.
The TRA serves as a security guide for agencies looking to adopt cloud technologies while ensuring secure architecture and zero-trust frameworks. On the other hand, the eVRF Guidebook provides an overview of the eVRF framework for organizations to identify potential visibility gaps and gather data for threat mitigation. It consists of a guidance document, two product-specific workbook overviews, and two product-specific workbooks. Agencies can leverage this framework to improve visibility, detection, and response to cyber threats.
The SCuBA project is primarily intended for the use of federal agencies. However, CISA encourages organizations that use cloud services to review the eVRF Guidebook and TRA so they can implement the best practices within their teams whenever appropriate.
Additional CISA Guidelines on Securing Cloud Services
Aside from the SCuBA TRA and eVRF Guidebook, the following documents are available for download on the SCuBA Project website:
Microsoft 365 & Google Workspace baselines
CISA’s efforts in providing guidance on recommended cybersecurity configurations for Microsoft 365 and Google Workspace further enhance the project’s efficacy. Federal agencies were encouraged to pilot the M365 security configuration guides, providing feedback to fine-tune the security controls. The publication of Microsoft 365 and Google Workspace baselines strengthens agencies’ cybersecurity posture and fosters a proactive approach to threat detection and prevention.
Hybrid Identity Solutions Architecture
CISA’s release of the Hybrid Identity Solutions Architecture guidance document marks another milestone in ensuring identity management interoperability between on-premises and cloud-based solutions. This guidance addresses challenges and provides agencies with potential options to streamline their identity management processes.
CISA’s Role in Recommending Cybersecurity Configurations for Cloud Products
The CISA initiative to secure cloud services is part of the agency’s central role in implementing President Joe Biden’s Executive Order 14028 on “Improving the Nation’s Cybersecurity.” As the nation’s cyber defense agency, it is also tasked with modernizing its cybersecurity programs, services, and capabilities to effectively understand, manage, and reduce the risk to the digital infrastructures that the nation relies on. In June 2022, CISA, in consultation with the Office of Management and Budget (OMB) and the Federal Risk Authorization Management Program (FedRAMP), developed the Cloud Security Technical Reference Architecture to guide cloud migration and data protection for agencies. The SCuBA Project is part of CISA’s continuous effort to achieve its objectives.
With emerging cyber threats, understanding the importance of cloud security becomes a pressing priority. CISA’s SCuBA Project serves as a valuable source to secure information stored within cloud environments. Organizations using cloud services should review the TRA document and eVRF Guidebook if they want to improve their visibility, detection, and response capabilities to cyber threats.