The Cybersecurity and Infrastructure Security Agency (CISA) is seeking industry feedback on two reference documents: one for Secure Cloud Business Applications (SCuBA) and one that sets out a framework for organization visibility data, according to an April 19 CISA blog post.
CISA released a SCuBA Technical Reference Architecture (TRA) that agencies can use to adopt technology for “cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks,” and an Extensive Visibility Reference Framework (eVRF) Guidebook that seeks to give agencies more visibility into their data.
“In recent years, the Federal government has leveraged cloud-based software and platform services as a means for greater capacity and accessibility as well as for good financial stewardship,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote. “However, moving to the cloud can introduce new types of risks if not conducted with security top of mind.”
“We are requesting public comment on these two products to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the Federal enterprise,” Goldstein added. “Our intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have long hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise.”
The SCuBA program was created by the American Rescue Plan and given subsequent authority under the fiscal year (FY) 2021 National Defense Authorization Act. The released SCuBA TRA is designed to ensure that all of the Federal government’s SCuBA efforts are aligned. The TRA itself focuses on all cloud business applications that are delivered through software-as-a-service, as well as any services used to secure those applications.
The eVRF Program Guidebook is designed to show agencies how to get more visibility data and how to use that information to mitigate threats. The guidebook is also designed to help agencies “understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.”
“In addition, CISA is working towards guidance on recommended cybersecurity configuration based for select products that is likely to be released in the coming months,” Goldstein wrote. “While these documents are principally intended for use by Federal agencies, CISA recommends that all organizations utilizing cloud services review the SCuBA TRA and eVRF Guidebook and implement practices therein where appropriate.”
The agency is seeking feedback on the documents by May 19.