The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD) on Tuesday that requires Federal civilian agencies to implement secure practices for cloud services.
Specifically, the directive calls on agencies to implement a set of CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines for certain Software as a Service (SaaS) products widely used by Federal civilian agencies.
It also directs them to deploy CISA-developed automated configuration assessment tools to measure their deployments against those required baselines and to remediate any deviations from the secure configuration baselines.
“While this directive only applies to Federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play,” CISA Director Jen Easterly said in a statement.
CISA’s SCuBA program was created by the American Rescue Plan Act and given subsequent authority under the fiscal year 2021 National Defense Authorization Act.
While the program has been around for a few years, CISA said that compliance with the SCuBA baselines had not been mandatory until today.
Matt Hartman, the deputy executive assistant director for cybersecurity at CISA, told reporters on Tuesday afternoon that the directive comes “in response to malicious threat actors’ continued targeting of cloud environments and evolving tactics to gain initial cloud access.”
“While this directive is responsive to recent threat activity, it is not focused on one specific recent threat,” Hartman explained. “This is the product of work that we began after the SolarWinds campaign to create a centralized and consistent approach to securing Federal cloud environments.”
“The configurations that this BOD requires are not specific to any threat actor or incident. They’re used consistently by both sophisticated, well-funded threat actors and common cybercriminals,” he said.
Hartman added that today’s directive is “a recognition of the fact that the SCuBA program has matured significantly over the last couple of years.” He said CISA has completed several pilot implementations with a wide range of Federal civilian agencies, gaining important feedback.
Additionally, Hartman said CISA has taken a “proactive approach” to working with the Federal chief information officer (CIO) and chief information security officer (CISO) community to understand the feedback it has received on the SCuBA program and make any changes.
“This is the culmination of that work,” Hartman said.