In many ways the federal sector is still grappling with how to prevent the next SolarWinds style supply chain compromise but many insiders, including management at the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, are hoping a relatively new security acronym, SCuBA, can help.
The goal of ScUBA, which stands for the Secure Cloud Business Applications project, is to help reduce the confusion around how federal entities store and secure data in the cloud.
The idea is that rolling out standards and security practices that can align efforts around cloud-based business applications will help agencies get on the same page while ensuring agency information assets stored within cloud environments are kept secure.
CISA is initially focused on using SCuBA to secure Google Workspace and Microsoft Office 365 cloud environments for federal agencies. CISA will design cybersecurity architectures for both services to account for cybersecurity and visibility gaps in cloud business apps while enabling agencies to identify and detect bad actors.
The agency released two new documents this week to help fellow federal departments familiarize themselves with SCuBA if they aren't already.
The first document, the SCuBA TRA, or Technical Reference Architecture guide, is based on the the similarly titled Cloud Security TRA, published by CISA, the United States Digital Service, and the Federal Risk and Authorization Management Program (FedRAMP. It includes tips around cloud deployment and cloud migration, shared services, zero trust frameworks, cloud security posture management.
The second, the Extensible Visibility Reference Framework (eVRF) Program Guidebook breaks down the Visibility Reference Framework (eVRF) - a framework organizations can be uses to identify visibility data that can be used to mitigate threats.
A critical part of the guidance is ensuring organizations have their cloud services generate logs for applications for visibility, asset management, incident response, so that if there's cyber incident, they have the necessary data to send to CISA. The logs need to be monitored, audited, and linked to alerts so agencies can carry out threat detection as well.
As part of the guidance, from a technical standpoint, CISA is recommending organizations follow logging requirements laid out by OMB M-21-31 and NIST Special Publication 800-92.
Information sharing is also a big part of SCuBA.
The SCuBA TRA points out that the project operates on a shared responsibility model in which agencies are responsible for securely configuring their cloud business application platforms, vendors are responsible for securing their underlying SaaS platform, and that CISA is responsible for defining baseline security requirements.
That’s not to say that the three entities shouldn’t work across the aisles.
Under SCuBA, agencies should share relevant telemetry logs from cloud business apps with CISA and vendors should share any relevant vulnerability or breach information with CISA, along with information on any updates to their products. CISA of course, will share any information that can help agencies collect, process, or analyze telemetry to help them mitigate threats.
While neither of the documents are final - they're draft versions, CISA is seeking comment over the next month - they can still help inform an organization looking to incorporate appropriate security and resilience practices into their cloud services.
In fact, CISA is recommending that any organization looking to utilize cloud services review both the SCuBA TRA and eVRF Guidebook and implement its practices when appropriate.
The project, which is partially being financed through the $650 million CISA received for cybersecurity risk mitigation last March through the American Rescue Plan, helps satisfy directives laid out by the White House last year.
Executive Order 14028, issued in May, was designed to help protect critical infrastructure that the country's economy relies on by bolstering the nation's cybersecurity posture. Pushing agencies to secure cloud services factors into the overall goal to modernize and implement stronger cybersecurity standards across the federal government.
