The SolarWinds breach in 2020 still resonates in the federal sector.
It’s not so much what was lost or accessed as the idea of how to protect agency networks and systems from similar attacks in the future.
Enter the Secure Cloud Business Applications project, known as SCuBA at the Department of Homeland Security. The idea is for the Cybersecurity and Infrastructure Security Agency to develop baseline cyber standards for common cloud services such as messaging and collaboration tools.
“Our primary focus is really on enabling secure cloud business applications and accelerating core shared services. We are looking, in this case, to provide architectures, security configurations, really to offer fundamental protections for cloud business applications,” said Vincent Sritapan, Section Head of Cyber Quality Service Management Office at CISA, in an exclusive interview with Federal News Network. “As federal civilian agencies, we provide them with both the security and visibility needed to identify and detect adversary activity in their cloud environments.”
CISA initially focuses SCuBA on the Microsoft Office 365 and Google Workspace applications that are most common in government.
While the SolarWinds breach affected approximately 10 federal agencies, the hack highlighted the lack of standardization among common applications used by agencies.
Sritapan said this led to agencies not enabling logging and auditing capabilities, which made it harder for CISA and the agency to know if they had been breached and, if so, when this happened, because there were inconsistencies as to how long this type of data was retained.
The first two elements of the cyber effort to bring agencies and industry to the same minimum level are guidance documents to help agencies adopt the necessary security and resiliency practices when using cloud services.
The SCuBA Technical Reference Architecture (TRA) is a security guide that agencies can use to adopt cloud deployment technology, adaptable solutions, secure architecture, and zero-trust frameworks.
The Extensible Visibility Framework (eVRF) Guide provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide these visibility data and identify potential visibility gaps.
CISA is seeking comments by May 19 on the two draft guidelines under the SCuBA initiative. CISA developed the draft guidelines with the help of Google, Microsoft and other cloud service providers, federally funded research and development centers (FFRDCs), and other experts.
Funded by the Relief Plan
Sritapan said these two documents are the first of several that will eventually make up the effort.
“The last part of the project concerns cybersecurity shared services. We are looking for what we call candidate cybersecurity shared services that we may need to develop for agencies to enable cloud security and secure cloud business applications,” he said. “They’re using it right now, whether it’s Google Workspace or M365, so is it necessary to have that capability? What do we need to do differently and is there a shared service that’s necessary or not is to be determined, but it is part of the project as a whole.”
CISA is using part of the $650 million from the US Rescue Act plan to pay for the SCuBA effort.
Sritapan said the Technical Reference Architecture is not as technical as some might expect. He described it more as a menu of everything an agency can think of about how various standards, technologies and tools fit together to provide cyber cover.
“If you understand the security guidance you’re looking for – which initially provides some of it at a high level – for the various endpoints through to cloud connectivity to the various uses of messaging and collaboration tools, then you’re going to see what tools you can put in place to help you comply with safety guidelines,” he said. “Because there will be more of a logging and visibility tool, there will be more a zero-trust framework you can apply, there will be more than one adaptable security solution, and even various cloud deployments to choose from. It’s something where, when you start to weigh your options, the Technical Reference Architecture helps you think through some of that.”
The eVRF guide can be used to mitigate threats by helping agencies understand how well various products or services provide visibility data.
Sritapan said the guidance can help agencies identify and address potential visibility gaps in their cloud services.
“Our goal is to help these organizations be more effective. For us, it also lays the groundwork for what agencies should be responsible for within this visibility framework and what is the industry’s role in this as they provide various products and solutions that enable our mission. If we understand roles and how it works to help establish and identify visibility and requirements in that regard, then we can start looking at what those gaps or redundancies are, and how can we make it more efficient to have a better coverage and protection,” he said. “Eventually, if you’re going to send the data to an agency or to CISA, we want to make sure we have visibility so that if something bad happens again, we at least know about it. We ask industry and agencies to review this and give us feedback so we can either improve it or we missed something we can improve it and make sure we complete it properly.”
Working with the CIO Council
Sritapan said CISA plans to test these concepts with partner agencies in the coming months. He said the goal is to understand how these concepts of technical reference architecture and visibility framework work at scale in a large organization. CISA wants to ensure that it does not disrupt or affect mission requirements or employees’ ability to use the applications.
“We are currently partnering with the Federal CIO Council’s Innovation Committee and its cyber-innovation team,” he said. “When we talk about our security configuration baselines, we talked about visibility and how that might work with an agency. So we need to involve people to better understand this in a practical sense in an operational environment. Does it hamper your operational capabilities? We want to find the right balance between what is the minimum security base.”
Additionally, CISA wants to see if it can automate some or all of the security configurations to increase the effectiveness and efficiency of the effort.
Sritapan said he strongly encourages input from agencies, industry and other experts on the guidance.
“Help make sure we’re doing it right. The security configuration visibility guidance we provide is something we mean well. So please engage early on the agency side, especially to find out if there is a need for a shared service,” he said. “In terms of the industry, please take a look at our Secure Cloud Business Application Technical Reference Architecture, Extensible Visibility Framework to see if we are missing anything or if there is something we could do to clarify things better, maybe address an area that we haven’t thought of. Please let us know, because with the technology landscape and the threat landscape changing so rapidly all the time, there may be things we missed in your product roadmap that would be very valuable to us.”