
Implementing CISA's SCuBA Project in Your Cloud

As more federal civilian agencies migrate their business applications to the cloud, it is critical that they manage security configuration baselines proactively so that federal data remains secure and the deployment adheres to CISA guidance.

CISA has published Secure Configuration Baselines (SCBs) for Microsoft 365 and for Google Workspace, and has developed automated assessment tools that check a tenant's configuration against those baselines: ScubaGear for Microsoft 365 tenants and ScubaGoggles for Google Workspace tenants.

Microsoft 365

Federal efforts to avoid another SolarWinds-like breach are becoming more centralized in one agency: the Cybersecurity and Infrastructure Security Agency (CISA). CISA is spearheading a national cybersecurity agenda intended to extend into private industry environments amid mounting geopolitical tension; one high-profile initiative is SCuBA.

SCuBA stands for Secure Cloud Business Applications. The project seeks to help federal agencies protect their business application environments and safeguard federal information created, accessed, shared or stored within those apps. It also addresses the visibility gaps that have impeded federal civilian executive branch (FCEB) agencies' ability to manage cybersecurity risk across their IT enterprises and to detect and respond to cyberthreats.

SCuBA will not only establish baselines for critical business applications but also help ensure FCEB agencies configure those applications correctly and integrate them into existing enterprise systems. It aims to standardise security configurations across widely used cloud business apps while calling on agencies to share relevant telemetry with CISA in order to facilitate threat analysis, incident response and risk mitigation activities.

The initial release of resources under SCuBA includes two documents: the Technical Reference Architecture (TRA) and the Extensible Visibility Reference Framework (eVRF) guidebook. The TRA establishes a model of "shared responsibility": agencies are accountable for configuring business applications securely, vendors must ensure the integrity of the SaaS platforms underlying those applications, and CISA is accountable for outlining baseline security requirements.

The eVRF guidebook enables organizations to identify the visibility data necessary for threat detection and response, assess their ability to collect and use that telemetry, and find gaps in what their products expose. Both documents are accompanied by an assessment tool (ScubaGear) that checks an organization's Microsoft 365 environment against the published security baselines.

Google Workspace

Google Workspace is a cloud-based suite of tools that enables users to communicate, collaborate and be productive. It offers numerous security features that protect data from attackers, including multi-factor authentication: even if an attacker manages to obtain a user's password, they would still need the second factor (the user's security key or enrolled device) to sign in.

The platform adds new features on an ongoing basis. Because it is delivered as SaaS, it updates automatically, which simplifies deployment and cuts infrastructure costs significantly.

Configuration drift detection is another key control. Re-assessing the tenant regularly and alerting administrators to any change that weakens the agency's security posture lets them correct a misconfiguration before threat actors exploit it.
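The following is an added example (not CISA's code and not part of ScubaGear or ScubaGoggles) of how an agency can implement drift detection on top of a baseline assessment tool. It assumes the tool is run on a schedule and that each run's per-control results are exported as JSON; the input shape used here (a `Results` map of product name to a list of controls with `Control ID`, `Criticality` and `Result` fields) is a simplified, assumed form, and both sample runs are constructed data rather than real tenant output. The script diffs the last known-good run against the current one, reports every change, and treats a control that went from Pass to anything else (including "no longer assessed") as a regression, with "Shall" controls as blocking.

```python
"""Drift detection between two baseline-assessment runs (added example).

Input shape is an assumption: {"Results": {"<PRODUCT>": [{"Control ID": ..,
"Criticality": "Shall"|"Should", "Result": "Pass"|"Fail"|..}, ...]}}.
Control IDs follow the MS.<product>.<group>.<n>v<rev> pattern of the M365
baselines, but the values below are constructed sample data, not a real tenant.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed "last known good" run.
BASELINE_RUN = json.dumps({"Results": {
    "AAD": [
        {"Control ID": "MS.AAD.1.1v1", "Criticality": "Shall", "Result": "Pass"},
        {"Control ID": "MS.AAD.3.1v1", "Criticality": "Shall", "Result": "Pass"},
        {"Control ID": "MS.AAD.6.1v1", "Criticality": "Should", "Result": "Fail"},
    ],
    "EXO": [
        {"Control ID": "MS.EXO.1.1v1", "Criticality": "Shall", "Result": "Pass"},
    ],
}})

# Constructed current run: one MFA control regressed, one improved, an Exchange
# control regressed, and a new product (Teams) was assessed for the first time.
CURRENT_RUN = json.dumps({"Results": {
    "AAD": [
        {"Control ID": "MS.AAD.1.1v1", "Criticality": "Shall", "Result": "Pass"},
        {"Control ID": "MS.AAD.3.1v1", "Criticality": "Shall", "Result": "Fail"},
        {"Control ID": "MS.AAD.6.1v1", "Criticality": "Should", "Result": "Pass"},
    ],
    "EXO": [
        {"Control ID": "MS.EXO.1.1v1", "Criticality": "Shall", "Result": "Fail"},
    ],
    "TEAMS": [
        {"Control ID": "MS.TEAMS.1.1v1", "Criticality": "Should", "Result": "Fail"},
    ],
}})


@dataclass(frozen=True)
class Drift:
    product: str
    control_id: str
    criticality: str
    before: str
    after: str


def index_results(run_json: str) -> Dict[str, Dict[str, dict]]:
    """Map product -> control ID -> control record for fast lookup."""
    doc = json.loads(run_json)
    return {product: {c["Control ID"]: c for c in controls}
            for product, controls in doc["Results"].items()}


def find_drift(baseline_json: str, current_json: str) -> List[Drift]:
    """Every control whose result differs between the two runs.

    A control present in only one run is reported with result "Missing" on the
    other side, so a product dropped from the assessment is not silently lost.
    """
    base, cur = index_results(baseline_json), index_results(current_json)
    drifts: List[Drift] = []
    for product in sorted(set(base) | set(cur)):
        b_ctrls, c_ctrls = base.get(product, {}), cur.get(product, {})
        for cid in sorted(set(b_ctrls) | set(c_ctrls)):
            b, c = b_ctrls.get(cid), c_ctrls.get(cid)
            before = b["Result"] if b else "Missing"
            after = c["Result"] if c else "Missing"
            if before != after:
                drifts.append(Drift(product, cid, (c or b)["Criticality"], before, after))
    return drifts


def regressions(drifts: List[Drift]) -> List[Drift]:
    """Drift that weakened posture: a previously passing control no longer passes."""
    return [d for d in drifts if d.before == "Pass" and d.after != "Pass"]


def format_alert(d: Drift) -> str:
    return f"[{d.criticality.upper()}] {d.product} {d.control_id}: {d.before} -> {d.after}"


def run_check(baseline_json: str, current_json: str) -> dict:
    """Summarise drift; 'blocking' is the set of failed 'Shall' controls to page on."""
    drifts = find_drift(baseline_json, current_json)
    regs = regressions(drifts)
    return {"drift": drifts, "regressions": regs,
            "blocking": [d for d in regs if d.criticality == "Shall"]}


if __name__ == "__main__":
    summary = run_check(BASELINE_RUN, CURRENT_RUN)
    for d in summary["drift"]:
        print(format_alert(d))
    raise SystemExit(1 if summary["blocking"] else 0)
```

In practice the two inputs would be the JSON written by consecutive scheduled runs of the assessment tool, with the non-zero exit code wired to the agency's alerting pipeline; improvements (Fail to Pass) are still reported so the known-good snapshot can be promoted once reviewed.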

Google has committed to protecting the platform under strict privacy and security standards, including contractual commitments on data ownership, usage rights, transparency and accountability.

Google Workspace places great emphasis on encryption, which matters for government information security because the platform is often used to move large volumes of sensitive data across the Internet. Its service level agreement (SLA) and redundant architecture help protect against outages, and customers can choose where their data resides at rest, which helps both with compliance and for organisations that need their data stored in a particular region.

Hybrid Identity Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued identity management guidance that addresses transitioning identity management capabilities to the cloud. Entitled "SCuBA Hybrid Identity Solutions Architecture," these March 12 guidelines inform agencies of their options for migrating identity management functions to the SaaS model, also known as identity as a service (IDaaS).

The guidance details several hybrid identity architectures and outlines their advantages and disadvantages to help agencies choose the one that best fits their needs and risk tolerance. Key selection factors include time to implement, the complexity of existing infrastructure and the cost of each alternative.

Provisioning and synchronizing identity data between on-premises Active Directory (AD) and Azure AD (now Microsoft Entra ID) is a crucial step in creating hybrid identities, because it keeps the identity data in both directories consistent. The standard means of doing this is Microsoft's directory synchronization tooling (Azure AD Connect, now Microsoft Entra Connect, or its cloud sync variant).

The guidance also covers the authentication options available in a hybrid deployment: federated authentication, pass-through authentication, password hash synchronization and cloud-primary authentication. It further recommends that multi-factor authentication be required when granting outbound guest access to resources in another tenant, and that just-in-time activation of privileged roles (for example, through Azure AD Privileged Identity Management) be limited to no more than one hour, significantly shrinking an attacker's window of opportunity.

The SCuBA project aims to help federal civilian executive branch (FCEB) agencies secure their M365 and Google Workspace environments by providing baseline configurations that keep federal information created, accessed, shared or stored within those environments protected. Its overarching goal is to strengthen FCEB cybersecurity posture against continuously evolving threat actors.

Technical Reference Architecture (TRA)

CISA's SCuBA project gives federal civilian agencies much-needed guidance for securing SaaS applications and addresses the visibility gaps that impede understanding and managing cyber risk across the federal enterprise.

The SCuBA project released two guidance documents for public comment in 2022: the Technical Reference Architecture (TRA) and the Extensible Visibility Reference Framework (eVRF). Both outline a technical architecture and framework for protecting SaaS applications: the TRA describes a layered, scalable approach to protecting common business applications, while the eVRF describes how to identify the visibility data needed to monitor them.

The eVRF provides a structure for identifying the visibility data relevant to specific applications and the gaps between that data and how the application is actually used. Its framework is designed to accommodate changes in technologies and capabilities, so that security can be integrated into business processes and overall security posture managed over time.

One of the more comprehensive sections of the TRA is its Shared Services Layer, which details cloud service models, FedRAMP roles and responsibilities, and application authorization boundaries. Organizations planning a layered cloud security approach should study this section closely.

CISA, Microsoft and MITRE have presented the M365 SCBs and ScubaGear (the automated configuration assessment tool that checks an agency's tenant against CISA-recommended SCBs) in joint workshops, alongside the TRA and eVRF, which agencies use to ensure their security configurations align with the recommended standards.

Extensible Visibility Reference Framework (eVRF)

CISA unveiled its inaugural series of security guidance resources under the SCuBA project, the Technical Reference Architecture (TRA) and the Extensible Visibility Reference Framework (eVRF), and actively solicited public input on them in 2022 so that the guidance can keep pace with rapid technological change while continuing to protect federal enterprises.

These two documents help agencies design secure implementation architectures for Microsoft 365 and Google Workspace, providing guidance on deployment as well as recommendations on configuring the applications in line with Federal Risk and Authorization Management Program (FedRAMP) requirements.

Additionally, the eVRF gives agencies a way to identify the visibility they need to detect and mitigate threats to their business application environments, so that they can monitor their cloud services and spot anomalous behavior that may indicate an attack.

CISA will continue to lead these identity and visibility projects and to strengthen agencies' cloud capabilities, including publishing and updating its recommended security configuration baselines for selected products.
