The Cybersecurity and Infrastructure Security Agency is releasing finalized guidance for agencies today detailing how they can secure widely used cloud-based business applications and gain greater visibility into threats lurking on their networks.
CISA’s Secure Cloud Business Applications (SCuBA) project released two guidance documents that have been in draft for just over a year: the Extensible Visibility Reference Framework (eVRF) and the SCuBA Technical Reference Architecture (TRA).
The idea behind the SCuBA project is to help agencies have a common understanding of security standards and configurations across widely used software-as-a-service applications, like Microsoft 365 and Google Workspace.
“We’re trying to provide actionable guidance that helps these organizations secure their environments,” Chad Poland, manager for cyber shared services at CISA, said in an interview.
Poland said CISA received nearly 500 comments on the documents that were finalized today, with responders representing an array of agencies, private industry, state and local governments, and others.
The TRA document is the “foundational” document for the SCuBA program, Poland said, and one of the major tweaks CISA made to the finalized guidance is aligning the architecture to zero trust principles, as well as the federal zero trust strategy and CISA’s zero trust maturity model.
“We’re giving [agencies] tools and resources to make sure that those environments are more clearly aligned to zero trust,” Poland said. “We’re not trying to duplicate or replace something that agencies already have or CISA’s already doing. We’re complementing it. And we’re saying, ‘Look, you continue to use what you have. And now let’s work together to shore up the security around this.’”
The TRA document provides agencies with a “vendor agnostic” approach, he said, to securing business applications across productivity, messaging, content management, collaboration and voice capabilities.
At the same time, CISA is also testing out specific baseline configurations agencies can use to secure widely used services across the Microsoft 365 catalog. Poland said the agency is piloting the automated tool developed to assess those Microsoft-specific security configurations, called “ScubaGear,” with 15 federal agencies.
“We have large agencies, we have small agencies, and we’re working with them on their implementation of those baselines, their feedback on specific control statements, and their feedback on the tool and how it’s being used,” Poland said.
So far, the ScubaGear tool has been downloaded more than 1700 times on GitHub. Meanwhile, CISA also plans to release draft secure configuration baselines for Google Workspace this summer, Poland added.
“It’s a framework that allows organizations to assess themselves,” he said. “Where they’re blind and where they have visibility gaps, how they can shore up and provide better visibility coverage to make sure that they can track all the different telemetry coming in and out of their enterprises.”
CISA plans to roll out an eVRF tool in the coming months that gives agencies the ability to develop “visibility heat maps” in an “automated fashion,” Poland said. The idea is to help agencies understand how much coverage a given vendor’s logging capability, for instance, will give them, and where they may still have gaps.
The framework document uses the analogy of a surveillance camera providing visibility into certain sections of a fenced-in yard.
“If you put a camera in one corner, you can see XYZ, and then if you double that with another camera, you increase your visibility coverage,” Poland said. “That’s a really useful analogy for organizations to understand that different types of sensors placed in different parts of the environment are going to complement you and give you better coverage.”
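The camera analogy and the "visibility heat map" idea, as an added illustration that is not part of the article or of CISA's eVRF tooling: the requirement names, the three telemetry sources and their coverage sets are all constructed for this example, and the simple counting model is an assumption, not eVRF's real schema or scoring.

```python
# Constructed sample data: hypothetical visibility "requirements" (event types an
# enterprise wants to observe) and hypothetical telemetry sources, each with the
# requirements it can report on. Not CISA's eVRF schema; an illustrative model only.
REQUIREMENTS = ["user_login", "mfa_change", "mailbox_rule", "file_share",
                "admin_role_grant", "oauth_consent"]

SOURCES = {
    "m365_unified_audit": {"user_login", "mailbox_rule", "file_share", "admin_role_grant"},
    "identity_provider":  {"user_login", "mfa_change", "oauth_consent"},
    "casb_proxy":         {"file_share", "oauth_consent"},
}

def heat_map(deployed, requirements):
    """Count how many deployed sources observe each requirement (0 = blind spot)."""
    return {r: sum(1 for cov in deployed.values() if r in cov) for r in requirements}

def gaps(deployed, requirements):
    """Requirements that no deployed source covers at all."""
    return [r for r, n in heat_map(deployed, requirements).items() if n == 0]

def marginal_gain(deployed, candidate, requirements):
    """Requirements a candidate source would newly cover (the 'second camera')."""
    covered = set().union(*deployed.values()) if deployed else set()
    return sorted((candidate & set(requirements)) - covered)

def best_next_source(deployed, catalog, requirements):
    """Greedy pick: the not-yet-deployed source that closes the most gaps."""
    options = {name: marginal_gain(deployed, cov, requirements)
               for name, cov in catalog.items() if name not in deployed}
    if not options:
        return None
    return max(options, key=lambda name: len(options[name]))

def render(hm):
    """Text heat map: one '#' per source covering the requirement, '-' for a gap."""
    return "\n".join(f"{r:18} {'#' * n or '-'}" for r, n in hm.items())

if __name__ == "__main__":
    deployed = {"m365_unified_audit": SOURCES["m365_unified_audit"]}
    print(render(heat_map(deployed, REQUIREMENTS)))
    print("gaps:", gaps(deployed, REQUIREMENTS))
    print("best next source:", best_next_source(deployed, SOURCES, REQUIREMENTS))
```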