The Cybersecurity and Infrastructure Security Agency requires agencies to evaluate and fix any security vulnerabilities in Microsoft 365 and other widely used cloud computing applications.
In a new binding operational directive issued today, CISA requires agencies to implement “secure practices for cloud services.” CISA's BODs are mandatory for federal civilian departments and agencies.
The latest directive specifically tells agencies to adopt CISA's Secure Cloud Business Applications (SCuBA) baselines. The SCuBA baselines detail how agencies can securely configure their cloud environments, and the program also provides an open-source cloud security assessment tool.
The directive's six requirements include an April 25 deadline for agencies to run the SCuBA assessment tool against applicable cloud environments. They then have until June 20 to remediate any deviations from the SCuBA secure configuration baselines.
CISA officials said the new guidance is not a response to any specific cybersecurity incidents. Instead, it focuses on ensuring agencies properly secure the SaaS applications that have become prevalent across the federal government in recent years.
“Although this guidance responds to recent threat activity, it is not focused on one recently identified threat,” Matt Hartman, CISA's deputy executive director for cybersecurity, told reporters on a call today. “This is the product of the work we began after the SolarWinds campaign to create a centralized, consistent approach to securing the federated cloud environment. The configurations required by this BOD are not specific to any one threat actor or incident. They are continually used by both sophisticated, well-funded threat actors and everyday cybercriminals.”
In the guidance, CISA notes that misconfigured and outdated cloud security controls have “created significant risks and led to material compromises.” The guidance points out how vendor changes and frequent software updates can make the task of securing cloud services particularly difficult.
CISA launched the SCuBA program in 2021 to provide agencies with standard cloud security controls for widely used products, such as Microsoft's collaboration tools.
Before Tuesday's directive, the SCuBA baselines were voluntary for agencies. However, over the past two years, CISA has worked with 13 agencies to test and improve the baselines and the associated assessment tools.
“This is really an acknowledgment of the fact that the SCuBA program has matured greatly over the last couple of years,” Hartman said. “We have completed a number of pilot implementations with a wide range of federal civilian agencies, and have received significant feedback from agencies regarding implementation.”
The directive applies to “all production or operational cloud tenants” that have a finalized SCuBA baseline. CISA finalized the baseline for Microsoft 365 products last December. The agency is also working on SCuBA baselines for the Google Workspace product suite.
CISA has also created a new website to provide agencies with a current list of required cloud security configurations.
As with many CISA programs and guidance documents, the goal of the SCuBA baselines is to ensure that agencies close unnecessary gaps in their cybersecurity practices.
During a Federal News Network cloud exchange earlier this year, Chad Poland, a cybersecurity product manager at CISA, said the strength of the SCuBA guidance lies in its specificity around cloud security controls.
“They are very prescriptive,” Poland said. “So it tells the end user exactly what setting they need to change, and why they should change it through a logical statement. And then, we actually go a step further and provide mappings to MITRE ATT&CK so they know if they run the setting, what the actual TTP is that it will prevent.”
Copyright © 2024 Federal News Network. All rights reserved.