The Cybersecurity and Infrastructure Security Agency (CISA) has led a handful of identity security initiatives over the past year, and, according to a CISA official, is closing in on finalized guidance on recommended cybersecurity configuration baselines for select cloud products – like Microsoft 365 and Google Workspace.
Grant Dasher, the architecture branch chief for the Office of the Technical Director for Cybersecurity at CISA, said today that the agency is preparing to release another guidance document that keys in on specific implementation guidelines for Microsoft 365 as part of its Secure Cloud Business Applications (SCuBA) project.
“The other thing that the SCuBA project includes, and I think probably the most valuable in my opinion, are the baselines and the tool that we developed for assessing compliance with those baselines,” Dasher said during an Aug. 15 Nextgov/FCW webinar. “These baselines are very prescriptive, very specific, and we released a version for feedback to the community last fall, and I’m happy to say we’re nearing in the next short period of time releasing an updated finalized version one of those SCuBA baselines.”
“Those baselines will essentially establish a very specific – for Microsoft 365, the Google project is coming shortly behind it – a very specific list of implementation controls,” Dasher explained. “For example, in Azure Active Directory, in other parts of Microsoft 365 that CISA believes agencies needs to deploy.”
The CISA official said that these new SCuBA guidelines are “more specific” and “tailored for Federal civilian agencies.”
CISA released the first series of final security guidance resources – the Extensible Visibility Reference Framework (eVRF) Guidebook and a Technical Reference Architecture (TRA) – under its SCuBA project in June.
The two documents are intended to help public and private entities implement necessary security and resilience best-practices for their cloud services.
The SCuBA project provides guidance and capabilities to secure agencies’ cloud business application environments and protect Federal information that is created, accessed, shared, and stored in those environments. According to CISA, SCuBA will help secure Federal civilian executive branch information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.
During the webinar, Dasher also highlighted a tool that CISA runs to generate a report that will show agencies how their actual tenant lines up against the new SCuBA baselines.
“We’ve seen really across the cybersecurity industry, both inside the government and outside of the government, a use of that tool to start assessing the posture and configuration of these environments,” Dasher said. “It’s been a helpful tool for us to work with the agencies to try and make sure that they’re implementing best practices in the cloud identity space.”
Dasher also highlighted a handful of additional identity security initiatives CISA has spearheaded this year, including the second version of its Zero Trust Maturity Model as well as expanding and improving its Continuous Diagnostics and Mitigation (CDM) program.
“Identity is becoming the quintessential security technology in many ways, if it isn’t already there, and we think that that embracing that and modernizing our approach is really an important priority,” Dasher said. “So as soon as CISA grows, I think we’ll continue to invest in this area, and continue to work very closely with our partner agencies.”
“It’s an exciting time. I think that I’ve seen a real growth over the last couple of years that I’ve been at CISA and recognition of the importance of continued investment in identity as a core security technology,” he concluded. “I expect that to continue into the future.”
