“SCuBA”? It means better visibility, standards and security practices for government cloud

By Eric Goldstein, US CISA Executive Assistant Director for Cybersecurity

April 21, 2022

In recent years, the federal government has leveraged cloud-based software and platform services as a means for greater capacity and accessibility as well as for good financial stewardship. However, moving to the cloud can introduce new types of risks if not conducted with security top of mind. As evidenced by SolarWinds supply chain compromise and associated cyber campaign, persistent threat actors have demonstrated and continue to develop sophisticated capabilities with the intent to compromise federal government networks, whether on traditional or cloud-based environments.  

As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) serves a central role in implementing President Biden’s Executive Order 14028. This executive order has already driven significant improvements in securing federal government networks, including by enabling greater visibility into cybersecurity threats, driving improvements in security practices, and providing direction toward adoption of cloud technology. 

To this end, CISA recently launched the Secure Cloud Business Applications (SCuBA) project that was funded through the American Rescue Plan Act of 2021. The project was established to develop consistent, effective, modern, and manageable security configurations that will help secure agency information assets stored within cloud environments. Through ongoing dialogue and collaboration with industry and government stakeholders, CISA has developed two initial guidance documents as a part of the SCuBA project, which collectively will help agencies adopt necessary security and resilience practices when utilizing cloud services.  

1. The SCuBA Technical Reference Architecture (TRA) is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.   

2. The Extensible Visibility Reference Framework (eVRF) Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.   

We are requesting public comment on these two products to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise. Our intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have long hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise. In addition, CISA is working towards guidance on recommended cybersecurity configuration based for select products that is likely to be released in the coming months.  

While these documents are principally intended for use by federal agencies, CISA recommends that all organizations utilizing cloud services review the SCuBA TRA and eVRF Guidebook and implement practices therein where appropriate.  

The deadline for providing comment on the CISA SCuBA technical reference documents is May 19, 2022.