CISA Empowers Agencies With Finalized Guidance to Secure Cloud Services

Kamso Oguejiofor-Abugu Kamso Oguejiofor-Abugu Writer

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of finalized guidance resources aimed at helping agencies secure cloud-based business applications and enhance threat visibility within their networks.

The finalized guidance, developed under CISA’s Secure Cloud Business Applications (SCuBA) project, includes two important documents: the Extensible Visibility Reference Framework (eVRF) and the SCuBA Technical Reference Architecture (TRA).

“The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments,” CISA said in a blog post. “SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.”

The finalized TRA document serves as the foundation of the SCuBA program and a security guide that agencies can use to adopt technology for cloud deployment, secure architecture, adaptable solutions, and zero trust frameworks including the federal zero trust strategy, and CISA’s zero trust maturity model.

CISA is also piloting an automated tool called “ScubaGear” with 15 federal agencies to assess and implement Microsoft-specific security configurations across the Microsoft 365 catalog. The agency has already seen significant interest in the ScubaGear tool, which has been downloaded over 1,700 times from GitHub.

The eVRF document, on the other hand, offers an outline of the eVRF framework, empowering organizations to recognize visibility data for threat mitigation, assess the extent to which products and services provide such data, and identify any potential visibility gaps.

“It’s a framework that allows organizations to assess themselves,” Chad Poland, manager for cyber shared services at CISA, said in an interview. “Where they’re blind and where they have visibility gaps, how they can shore up and provide better visibility coverage to make sure that they can track all the different telemetry coming in and out of their enterprises.”

About the Author

About the Author

Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.