The Cybersecurity and Infrastructure Security Agency (CISA) released the first series of final security guidance resources under its Secure Cloud Business Applications (SCuBA) project today.
The Extensible Visibility Reference Framework (eVRF) Guidebook and a Technical Reference Architecture (TRA) are intended to help public and private entities implement necessary security and resilience best-practices for their cloud services, CISA said on June 27.
CISA requested public comment on the TRA and eVRF in the first phase of the SCuBA project in April 2022 to ensure the agency’s guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the Federal enterprise.
The SCuBA TRA is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks. It is now available for download.
The eVRF Guidebook enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps. The eVRF consists of a guidance document, two product-specific workbook overviews, and two product-specific workbooks.
“As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether on on-premises or cloud-based environments,” CISA Executive Assistant for Cybersecurity Eric Goldstein said in a statement.
“The final eVRF and TRA provides all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” Goldstein said.
The SCuBA project provides guidance and capabilities to secure agencies’ cloud business application environments and protect Federal information that is created, accessed, shared and stored in those environments. According to CISA, SCuBA will help secure Federal civilian executive branch information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.
“This project accelerates CISA cybersecurity shared services offerings, strengthens its relationship with other agencies, and supports CISA’s role leading federal efforts to mitigate cybersecurity risks to the nation, its execution of security requirements, and the Department of Homeland Security (DHS) cybersecurity mission,” the agency said.
CISA’s intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have hampered the collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise.
In addition, CISA is working towards guidance on recommended cybersecurity configuration baselines for select products, like Microsoft 365 and Google Workspace. The agency said those documents will likely be released in the coming months.
