
Implementing CISA's SCuBA Project in Your Cloud

Updated: Aug 13, 2024

As more federal civilian agencies migrate their business applications to the cloud, it's critical that they take an aggressive stance toward managing security configuration baselines proactively in order to ensure data remains secure while adhering to CISA guidance.


CISA has published two Microsoft configuration baseline documents and developed an automated assessment tool called ScubaGear to analyze GWS tenant configurations against these baselines.


Microsoft 365

Federal efforts to avoid another SolarWinds-like breach are becoming more centralized in one agency: the Cybersecurity and Infrastructure Security Agency (CISA). CISA is spearheading a national cybersecurity agenda intended to extend into private-industry environments amid mounting geopolitical tension; one high-profile initiative is SCuBA.


SCuBA stands for Secure Cloud Business Applications. The project seeks to assist federal agencies in protecting their business application environments and safeguarding federal information created, accessed, shared or stored within those apps. It also addresses the visibility gaps that have impeded federal civilian executive branch (FCEB) efforts to manage cybersecurity risk across their IT enterprises and to detect and respond to cyberthreats.


SCuBA will not only establish baselines for critical business applications, but will also help ensure FCEB agencies configure those applications correctly and integrate them with existing enterprise systems. It aims to standardise security configurations across widely used cloud business apps while mandating that agencies share relevant telemetry with CISA in order to facilitate threat analysis, incident response and risk mitigation activities.


The initial release of resources under SCuBA includes two documents, the Technical Reference Architecture (TRA) document and an Extensible Visibility Reference Framework (eVRF) guidebook. The TRA document establishes a model of "shared responsibility", where agencies are accountable for configuring business applications securely while vendors must ensure the integrity of SaaS platforms underlying those applications; CISA then is accountable for outlining baseline security requirements.


The eVRF guidebook will enable organizations to identify the visibility data necessary for threat detection and response, assess their ability to collect and leverage this telemetry, as well as any gaps in their product offerings. Both documents will eventually be accompanied by an assessment tool to assess compliance of an organization's Microsoft 365 environment with new security baselines.


Google Workspace

Google Workspace is a cloud-based suite of tools that enables users to communicate, collaborate and be productive. It offers numerous security features that protect data from hackers, including multi-factor authentication: even if an attacker managed to crack your password, they would still need physical access to your second factor to gain entry to your information.


This platform puts innovation at its core, adding new features on an ongoing basis for users' benefit. Being delivered as SaaS also means it updates automatically, making deployment simple while cutting infrastructure costs significantly.


Configuration drift detection is another key feature. It alerts administrators to any change that could compromise an agency's security posture, and so helps prevent threat actors from exploiting systems that have not been correctly configured.

Google has pledged to protect its platform with strict privacy and security standards, such as contractual commitments regarding data ownership, usage rights, transparency and accountability.


Google Workspace places great emphasis on encryption for government information security. This feature is especially critical as the platform is often used to transfer large volumes of sensitive data across the Internet. Furthermore, its robust service level agreement (SLA) and redundant architecture help protect against outages. Lastly, users have options as to where their data resides at rest - helpful both from compliance standpoints as well as for organisations which need their data stored nearby.


Hybrid Identity Guidance

Cybersecurity and Infrastructure Security Agency (CISA) recently issued new identity management guidelines that address transitioning identity management capabilities to the cloud. Entitled "SCuBA Hybrid Identity Solutions Architecture," these March 12 guidelines seek to inform agencies on their options for migrating identity management functions to the SaaS model, also known as IDaaS (identity as a service).


CISA provides guidance that details various hybrid identity architectures, outlining their advantages and disadvantages in an effort to assist agencies in choosing one that best meets their unique needs and risk tolerances. Key factors considered when making their selection include time, existing infrastructure complexity and implementation cost compared to each alternative option.

Provisioning and synchronizing identity data across both on-premises Active Directory (AD) and Azure AD is a crucial step in creating hybrid identities, as it ensures identity data in both directories remains consistent. There are various methods to do this; PIM solutions offer one such means.


Other practices recommended in this guidance are federated authentication, pass-through authentication, password hash synchronization and cloud primary authentication. Furthermore, two-factor authentication should be required when providing outbound guest access to resources within another tenant, and activation duration for privileged accounts should not exceed one hour, significantly decreasing an attacker's window of opportunity.


The SCuBA project aims to assist federal civilian executive branch (FCEB) agencies in securing their M365 and Google Workspace environments by offering baseline configurations that keep federal information created, accessed, shared, or stored within these environments intact. Its primary goal is to strengthen FCEB cybersecurity postures against continuously evolving threat actors.


Technical Reference Architecture (TRA)

CISA's SCuBA project provides federal civilian agencies with much-needed guidance for securing SaaS applications and addresses the visibility gaps that impede understanding and management of cyber risk across the entire federal network.


The SCuBA project released two guidance documents in September 2016: the Technical Reference Architecture (TRA) and the Extensible Visibility Reference Framework (eVRF). Both guides outline a technical architecture and framework for protecting SaaS applications: the TRA describes a layered, scalable approach for protecting common business applications, while the eVRF provides advice for overseeing security in multi-cloud environments.


The eVRF provides an architecture for identifying the visibility data relevant to specific applications and the gaps that might exist between the visibility data available and actual application use. Its flexible framework can accommodate changes in technologies or capabilities, enabling security to be integrated into business processes and overall security posture to be managed.


One of the more comprehensive sections of TRA is its Shared Services Layer, which details cloud service models, FedRAMP roles and responsibilities, and application authorization boundaries. Organizations should closely consider this section when planning for cloud security layered approaches.


Attendees at this workshop will hear from an expert panel from CISA, Microsoft and MITRE, who will offer insight into the latest version of the M365 SCBs and ScubaGear (an automated configuration assessment tool that checks an agency's compliance with CISA-recommended SCBs), as well as the TRA and eVRF that an agency uses to ensure its security configurations align with recommended standards.


Extensible Visibility Reference Framework (eVRF)

CISA recently unveiled its inaugural series of security guidance resources under its SCuBA project: Technical Reference Architecture (TRA) and an Extensible Visibility Reference Framework (eVRF). CISA actively solicited input for these documents in 2022 in order to make sure our guidance allows for rapid technological evolution while continuing to protect federal enterprises.


These two documents assist agencies with creating secure implementation architectures for Microsoft 365 and Google Workspace cloud business apps, providing guidance around their deployment as well as tips and recommendations on how best to configure them to comply with Federal Risk and Authorization Management Program requirements.


Additionally, the eVRF provides agencies with capabilities they can use to identify and mitigate threats to business application environments. This enables agencies to gain visibility into their cloud services and to detect anomalous behavior or activity that may indicate an attack attempt.


CISA will continue to lead various identity and visibility projects while strengthening its cloud capabilities, including publishing an official guidance document on recommended cybersecurity configuration baselines for selected products, which should become available soon.


Understanding the SCuBA Project

The SCuBA project is a collaborative effort between CISA, the Federal Risk and Authorization Management Program (FedRAMP), and the United States Digital Service (USDS). Its primary objective is to develop a set of best practices, guidelines, and tools to help federal agencies securely adopt and manage cloud services.


The project focuses on three main areas:

  1. Secure Cloud Application Development: Providing guidance on developing secure cloud applications using modern DevSecOps practices and tools.

  2. Secure Cloud Migration: Offering best practices for migrating existing applications and data to the cloud while maintaining security and compliance.

  3. Continuous Monitoring and Incident Response: Establishing a framework for continuous monitoring, threat detection, and incident response in cloud environments.


By addressing these critical aspects of cloud security, the SCuBA project aims to empower federal agencies to leverage the benefits of cloud computing while minimizing risks and ensuring the confidentiality, integrity, and availability of their data and systems.


Implementing SCuBA Guidelines in Your Cloud Environment

To effectively implement the SCuBA project guidelines in your agency's cloud environment, follow these step-by-step instructions:


Step 1: Assess Your Current Cloud Security Posture

Begin by conducting a thorough assessment of your current cloud security posture. This involves:

  • Identifying all cloud services and applications in use

  • Evaluating the security controls and configurations of each service

  • Assessing compliance with relevant regulations and standards (e.g., FedRAMP, NIST, FISMA)

  • Identifying potential vulnerabilities and risks

Tools like cloud security posture management (CSPM) solutions can automate this process and provide a comprehensive view of your cloud environment's security status.
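The assessment step above is what an automated baseline checker such as ScubaGear performs against a tenant: each baseline policy is evaluated against the exported configuration and reported as pass, fail, or not assessable. The following is an added example written for this article, not ScubaGear's code or any vendor's API; the setting names (`mfa_required`, `pim_activation_max_hours` and so on), the policy identifiers, the `assess` and `summarize` functions, and the sample export are all constructed for illustration, with the checks loosely modelled on controls the article mentions (MFA, guest access, legacy authentication, and the one-hour privileged activation window).

```python
"""Baseline assessment of a tenant configuration export (added example).

Simplified model: a tenant export is a flat dict of setting name -> value,
and a baseline is a list of Policy checks. All setting names and policy
identifiers here are hypothetical, not real vendor fields or ScubaGear IDs.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Policy:
    policy_id: str                 # hypothetical identifier, e.g. "ID.1"
    description: str
    setting: str                   # key expected in the tenant export
    check: Callable[[Any], bool]   # returns True when the value is compliant
    remediation: str


@dataclass(frozen=True)
class Finding:
    policy_id: str
    status: str                    # "pass", "fail" or "not_found"
    observed: Any
    remediation: str


# Hypothetical baseline inspired by the controls the article names.
BASELINE: List[Policy] = [
    Policy("ID.1", "MFA required for all users", "mfa_required",
           lambda v: v is True, "Enable a tenant-wide MFA enforcement policy"),
    Policy("ID.2", "Legacy authentication blocked", "legacy_auth_blocked",
           lambda v: v is True, "Block legacy authentication protocols"),
    Policy("ID.3", "MFA required for guest users", "guest_mfa_required",
           lambda v: v is True, "Require MFA for guest and outbound access"),
    Policy("ID.4", "Privileged activation window at most one hour",
           "pim_activation_max_hours",
           lambda v: isinstance(v, (int, float)) and 0 < v <= 1,
           "Set maximum privileged-role activation duration to 1 hour"),
]


def assess(tenant: Dict[str, Any], baseline: List[Policy] = BASELINE) -> List[Finding]:
    """Evaluate every baseline policy against the export.

    A setting that is absent from the export is reported as "not_found"
    rather than silently passed: an unassessable control is a visibility gap,
    not evidence of compliance.
    """
    findings: List[Finding] = []
    for policy in baseline:
        if policy.setting not in tenant:
            findings.append(Finding(policy.policy_id, "not_found", None, policy.remediation))
            continue
        value = tenant[policy.setting]
        status = "pass" if policy.check(value) else "fail"
        findings.append(Finding(policy.policy_id, status, value, policy.remediation))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status for a one-line report header."""
    counts = {"pass": 0, "fail": 0, "not_found": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


# Constructed sample export: one compliant setting, two non-compliant,
# and one baseline setting missing from the export entirely.
SAMPLE_TENANT: Dict[str, Any] = {
    "mfa_required": True,
    "legacy_auth_blocked": False,
    "pim_activation_max_hours": 8,
}

if __name__ == "__main__":
    results = assess(SAMPLE_TENANT)
    for f in results:
        print(f"{f.policy_id}: {f.status:<9} observed={f.observed!r}")
        if f.status != "pass":
            print(f"    remediation: {f.remediation}")
    print(summarize(results))
```

The design point worth carrying into a real assessment is the third status: a control whose setting cannot be read should surface as a gap to be closed (missing permissions, missing export scope), never as a pass.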


Step 2: Develop a Secure Cloud Strategy

Based on the assessment results, develop a comprehensive secure cloud strategy that aligns with the SCuBA project guidelines. This strategy should include:

  • Defining security policies, procedures, and standards for cloud adoption and usage

  • Establishing a cloud governance framework to ensure consistent security practices across the organization

  • Identifying roles and responsibilities for cloud security management

  • Selecting secure cloud service providers (CSPs) that meet FedRAMP requirements

  • Defining a roadmap for secure cloud migration and application development

Engage stakeholders from various departments, including IT, security, compliance, and business units, to ensure the strategy addresses the needs and concerns of the entire organization.


Step 3: Implement Secure Cloud Application Development Practices

Adopt DevSecOps practices and tools to embed security into the entire application development lifecycle. This includes:

  • Implementing secure coding practices and standards

  • Using static and dynamic application security testing (SAST and DAST) tools to identify and remediate vulnerabilities

  • Integrating security into continuous integration and continuous deployment (CI/CD) pipelines

  • Leveraging infrastructure as code (IaC) and security as code (SaC) to automate secure infrastructure provisioning

  • Implementing least privilege access controls and secure key management

Provide training and guidance to developers, ensuring they have the necessary skills and knowledge to build secure cloud applications.


Step 4: Execute Secure Cloud Migration

When migrating existing applications and data to the cloud, follow the SCuBA project's secure migration guidelines:

  • Conduct a thorough inventory and assessment of the applications and data to be migrated

  • Develop a detailed migration plan that addresses security and compliance requirements

  • Use secure data transfer methods and encryption to protect sensitive information during migration

  • Configure security controls and access policies in the target cloud environment

  • Perform thorough testing and validation to ensure the migrated applications and data are secure and functioning as expected

Collaborate with your chosen CSP to leverage their security services and expertise throughout the migration process.


Step 5: Implement Continuous Monitoring and Incident Response

Establish a robust continuous monitoring and incident response framework to proactively detect and respond to security threats in your cloud environment. This includes:

  • Deploying cloud-native security tools and services, such as cloud security information and event management (CSIEM) and cloud workload protection platforms (CWPP)

  • Configuring alerts and notifications for critical security events

  • Developing and testing incident response plans specific to cloud scenarios

  • Conducting regular security assessments, penetration testing, and compliance audits

  • Leveraging automation and orchestration to streamline incident response and remediation processes


Continuously review and update your monitoring and incident response processes to adapt to evolving threats and changes in your cloud environment.
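Step 5's alerting on critical security events, and the configuration drift detection described earlier for Google Workspace, both come down to comparing the current tenant configuration against the last approved snapshot and escalating changes to security-relevant settings. The following is an added example written for this article, not code from CISA, Google or Microsoft; the snapshot format, the `SECURITY_RELEVANT` set, the `detect_drift` and `to_alerts` functions, and both sample snapshots are constructed assumptions.

```python
"""Configuration drift detection between two tenant snapshots (added example).

A snapshot is a flat dict of setting name -> value. Setting names are
hypothetical and do not correspond to any vendor's real configuration keys.
"""
import json
from dataclasses import asdict, dataclass
from typing import Any, Dict, List

# Hypothetical set of settings whose change should page an administrator.
SECURITY_RELEVANT = {
    "mfa_required",
    "legacy_auth_blocked",
    "guest_mfa_required",
    "pim_activation_max_hours",
    "admin_consent_required",
}


@dataclass(frozen=True)
class DriftEvent:
    setting: str
    change: str      # "added", "removed" or "changed"
    before: Any      # None when the setting was absent from the approved snapshot
    after: Any       # None when the setting was removed
    severity: str    # "high" for security-relevant settings, otherwise "info"


def detect_drift(approved: Dict[str, Any], current: Dict[str, Any]) -> List[DriftEvent]:
    """Return every setting that was added, removed or changed since approval.

    Removals and additions are tracked separately from value changes, so a
    security control that simply disappears from the export is not mistaken
    for a control that was never there.
    """
    events: List[DriftEvent] = []
    for key in sorted(set(approved) | set(current)):
        if key not in approved:
            change, before, after = "added", None, current[key]
        elif key not in current:
            change, before, after = "removed", approved[key], None
        elif approved[key] != current[key]:
            change, before, after = "changed", approved[key], current[key]
        else:
            continue
        severity = "high" if key in SECURITY_RELEVANT else "info"
        events.append(DriftEvent(key, change, before, after, severity))
    return events


def to_alerts(events: List[DriftEvent], tenant_id: str) -> List[str]:
    """Render high-severity events as JSON lines for forwarding to a SIEM."""
    return [
        json.dumps({"tenant": tenant_id, **asdict(event)}, sort_keys=True)
        for event in events
        if event.severity == "high"
    ]


# Constructed snapshots: one cosmetic change, one security control weakened,
# and one new guest setting introduced in a non-compliant state.
APPROVED_SNAPSHOT: Dict[str, Any] = {
    "display_name": "Agency Tenant",
    "mfa_required": True,
    "legacy_auth_blocked": True,
    "pim_activation_max_hours": 1,
}
CURRENT_SNAPSHOT: Dict[str, Any] = {
    "display_name": "Agency Tenant (prod)",
    "mfa_required": True,
    "legacy_auth_blocked": False,
    "pim_activation_max_hours": 1,
    "guest_mfa_required": False,
}

if __name__ == "__main__":
    drift = detect_drift(APPROVED_SNAPSHOT, CURRENT_SNAPSHOT)
    for event in drift:
        print(f"[{event.severity}] {event.setting}: {event.change} "
              f"{event.before!r} -> {event.after!r}")
    for line in to_alerts(drift, tenant_id="example-tenant"):
        print(line)
```

Running this on a schedule against the approved snapshot gives the "alerts and notifications for critical security events" the step calls for; the `info`-level events are still worth retaining as an audit trail even though they are not forwarded.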



