Microsoft working with CISA on assessment tool for cloud security configurations

The minimum security configurations should help agencies better secure widely used business applications.

The Cybersecurity and Infrastructure Security Agency has released minimum security configurations for widely used cloud-based business applications, and Microsoft is now working with CISA on an assessment tool to help measure federal progress toward the standards.

The Cybersecurity and Infrastructure Security Agency’s Secure Cloud Business Applications (SCuBA) program published configurations covering eight services across the Microsoft 365 series, including Microsoft Teams, Exchange Online, and Azure Active Directory.

“These baselines will kick off a series of pilot efforts to advance cloud security practices across the [federal civilian executive branch] and more effectively safeguard sensitive information and government services,” Michael Duffy, CISA’s associate director, wrote in an Oct. 20 blog post.

CISA began working on the SCuBA project last year with funding from the American Rescue Plan. The goal is to set standard security configurations across widely used business applications in government, a gap that was exposed in the SolarWinds hack.

CISA is now seeking public comment on the security baseline documents through Nov. 24.

“These baselines were developed with flexibility in mind to keep pace with evolving technologies and capabilities while protecting the federal enterprise today,” Duffy wrote. “Although these documents are principally intended for use by federal agencies, CISA recommends that all organizations utilizing cloud services review the baselines and implement practices therein where appropriate.”

Steve Faehl, Microsoft Federal’s security chief technology officer, said the company is partnering with CISA to develop a “security baseline assessment tool” to help gauge agency progress with the security configurations.

“That really brings the capability to evaluate the adoption of those configurations, do so at scale and do so continuously,” Faehl said in an interview with Federal News Network. “And in these projects, one of the most essential things is enumerating and measuring progress. So that’s an area that we really think we can help, is not only in providing the guidance that helps support best practice configuration, but helping CISA to achieve that watermark at scale.”

The configurations published by CISA are a “relatively low” lift for agencies to implement, Faehl said, and circumstances will vary across agency environments and missions. But they draw an important “line in the sand,” he added, when it comes to minimum expectations.

“As there’s been a request for comment on these baselines, that’s probably where a lot of the feedback will come in around, what does that line look like? And does it take into account the edge case that my agency has to deal with?” Faehl said.

The security baselines were driven by a group under the Federal Chief Information Officers Council’s called the “Cyber Innovation Tiger Team,” according to CISA.

The tiger team members, per CISA, are:

  • Mike Witt, chief information security officer, National Aeronautics and Space Administration
  • James Saunders, CISO, Office of Personnel Management
  • Beau Houser, CISO, Census Bureau
  • Andrew Havely, CTO, U.S. Department of the Interior
  • Han Wei Lin, Sandia National Laboratories
  • Sanjay Gupta, chief information officer, Executive Office for Immigration Review, Justice Department

Faehl said the team brought diverse perspectives and backgrounds to the work of setting standard configurations across government.

“Engaging experts at that level and providing our knowledge to them is a great way to scale that knowledge throughout the entire federal civilian branch,” he said.

Meanwhile, CISA will publish similar configuration baselines for Google Workspace applications “in the coming months,” according to Duffy.

“Ultimately the publication of the GWS and M365 baselines will further CISA’s mission to secure the federal enterprise by addressing cybersecurity and visibility gaps within cloud-based business applications,” he wrote.


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Network

    CISA aims to expand cyber defense service across fed agencies, potentially further

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    CISA provides agencies with long-awaited cloud security guidance

    Read more