The Cybersecurity and Infrastructure Security Agency is requiring agencies to evaluate and fix any security gaps in their Microsoft 365 applications and other widely used cloud computing applications.
In a new binding operational directive issued today, CISA tells agencies to implement “secure practices for cloud services.” CISA’s “BODs” are mandatory for federal civilian departments and agencies.
The latest directive tells agencies specifically to adopt CISA’s Secure Cloud Business Applications baselines. The “SCuBA” baselines detail how agencies can securely configure their cloud environments. The program also manages an open-source cloud security assessment tool.
The directive’s six requirements include a deadline of April 25 for agencies to apply the SCuBA assessment tool to their applicable cloud environments. They then have until June 20 to fix any gaps in their adherence to the SCuBA cloud security baseline.
CISA officials said the new directive is not in response to any specific cybersecurity incidents. Instead, it’s focused on ensuring agencies are properly securing software-as-a-service applications that have become prevalent across the federal government in recent years.
“While this directive is responsive to recent threat activity, it is not focused on one specific recent threat,” Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, told reporters on a call today. “This is the product of work that we began after the SolarWinds campaign to create a centralized and consistent approach to securing the federal cloud environment. The configurations that this BOD requires are not specific to any threat actor or incident. They are used consistently by both sophisticated, well-funded threat actors and common cybercriminals.”
In the directive, CISA notes how misconfigured and outdated cloud security controls have “introduced substantial risks and resulted in actual compromises.” The directive notes how vendor changes and frequent software updates can make the task of securing cloud services especially difficult.
CISA launched the SCuBA program in 2021 to provide agencies with standard cloud security controls for widely used products, like Microsoft’s collaboration tools.
Before Tuesday’s directive, the SCuBA baselines had been voluntary for agencies. However, over the last two years, CISA worked with 13 agencies to test and refine the baselines and associated assessment tools.
“This is really a recognition of the fact that the SCuBA program has matured significantly over the last couple of years,” Hartman said. “We have completed a number of pilot implementations with a wide range of federal civilian agencies, gained important feedback from agencies with respect to implementation.”
The directive applies to “all production or operational cloud tenants” with a finalized SCuBA baseline. CISA finalized the baseline for Microsoft 365 products last December. The agency has also been working on SCuBA baselines for the Google Workspace suite of products.
CISA has also set up a new website to provide the current list of required cloud security configurations for agencies.
As with many CISA programs and directives, the goal of the SCuBA baselines is to ensure agencies are closing any unnecessary gaps in their cybersecurity practices.
During Federal News Network’s Cloud Exchange earlier this year, Chad Poland, CISA’s cybersecurity product manager, said the strength of the SCuBA guidance is in its specificity about cloud security controls.
“They’re very prescriptive,” Poland said. “So it tells an end user exactly what setting they need to change, why they should change it via a rationale statement. And then we’ve actually gone a step further and provided mappings to MITRE ATT&CK so that they know if they turn the setting on, what actual TTP it’s going to prevent.”
Copyright © 2024 Federal News Network. All rights reserved.