The SolarWinds breach in 2020 still resonates across the federal sector.
It’s not so much what was lost or accessed as the question of how to protect agency networks and systems from similar attacks in the future.
Enter the Secure Cloud Business Applications project, known as SCuBA at the Department of Homeland Security. The idea is for the Cybersecurity and Infrastructure Security Agency to develop baseline cyber standards for common cloud services like email and collaboration tools.
“Our key objective is really around enabling secure cloud business applications and accelerating key shared services. We look to, in this case, provide architectures, security configurations, really to offer fundamental protections for cloud business applications,” said Vincent Sritapan, the Cyber Quality Service Management Office section chief at CISA, in an exclusive interview with Federal News Network. “Within federal civilian agencies, we’re providing them with both the security and visibility necessary to identify and detect adversary activities in their cloud environments.”
CISA initially is focusing SCuBA on Microsoft Office 365 and Google Workspace applications that are most common across government.
While the SolarWinds breach impacted about 10 federal agencies, the hack highlighted the lack of standardization across common applications used by agencies.
Sritapan said this led to agencies not turning on logging and auditing capabilities, which made it harder for CISA and the agency to know whether they had been breached and, if so, when it occurred, because there were inconsistencies around how long to retain this type of data.
The first two pieces of the cyber effort to bring agencies and industry to the same minimum level are guidance documents to help agencies adopt necessary security and resilience practices when utilizing cloud services.
The SCuBA Technical Reference Architecture (TRA) is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.
The Extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data and identify potential visibility gaps.
CISA is requesting comments by May 19 on both draft guidance documents as part of the SCuBA initiative. CISA developed the draft guidance with help from Google, Microsoft and other cloud service providers, federally funded research and development centers (FFRDCs) and other experts.
Funded by the Rescue Plan
Sritapan said these two documents are the first of several that will eventually make up the effort.
“The last part of the project is around cybersecurity shared services. We are looking to what we call candidate cybersecurity shared services that we may need to develop for agencies to enable cloud security and secure cloud business applications,” he said. “They use it right now, whether it’s Google Workspace or M365, so is there any need for such a capability? What is it that we need to do differently and is there a shared service that’s needed or not? That’s to be determined, but that’s a part of the project overall.”
CISA is using some of the $650 million from the American Rescue Plan Act to pay for the SCuBA effort.
Sritapan said the technical reference architecture is not as technical as some might expect. He described it as more of a menu of the options an agency could consider for how various standards, technologies and tools fit together to provide cyber coverage.
“If you understand what security guidance you’re looking for — which this does provide some of that initially at a high level — for the various endpoints all the way to cloud connectivity to the various usage of email and collaboration tools, then you’re going to see what tools you can put in place to help meet the security guidance,” he said. “Because there’s going to be more than one logging and visibility tool, there’s going to be more than one zero trust framework that you could apply, there’s going to be more than one adaptable security solution, and even various cloud deployments that you can choose from. This is something where, when you start weighing your options, the technical reference architecture helps you think through some of that.”
The eVRF guidebook can be used to mitigate threats by helping agencies understand the extent to which various products or services provide visibility data.
Sritapan said the guidance can help agencies identify and fill potential visibility gaps in their cloud services.
“Our goal is to help enable those organizations to be more efficient. It also, for us, lays down that foundation of what agencies should be responsible for within this visibility reference framework and what industry’s role is in this because they provide various products and solutions that enable our mission. If we understand the roles and how this works to help establish and identify visibility and the requirements toward it, then we can start to look at what are those gaps or redundancies, and how can we make it more efficient to have better coverage and protection,” he said. “Eventually, if you’re going to send the data over to an agency or over to CISA, we want to make sure that we have visibility so that if something bad happens again, we would at least know about it. We’re asking the industry and asking agencies to take a look at this and give us their feedback. So we can either make it better, or maybe we missed something, we can enhance it and ensure we round it out properly.”
Working with the CIO Council
Sritapan said CISA plans to test out these concepts with agency partners in the coming months. He said the goal is to understand how these concepts in the technical reference architecture and the visibility framework work at scale across a large organization. CISA wants to make sure it doesn’t disrupt or impact mission requirements or employees’ ability to use applications.
“We are currently in partnership with the Federal CIO Council’s innovation committee and its cyber innovation team,” he said. “When we talk about our security configuration baselines, we talked about visibility and how that could work with an agency so we need to engage folks to better understand this in a practical sense in an operational environment. Does this hinder your operational capabilities? We want to find the right balance of what is the minimum security baseline.”
Additionally, CISA wants to see whether it can automate some or all of the security configurations to increase the efficiency and effectiveness of the effort.
Sritapan said he strongly encourages agency, industry and other expert feedback on this guidance.
“Help make sure that we get this right. The security configuration visibility guidance that we’re pushing out is something we want to get right. So please engage early from the agency side, especially about whether there is a need for a shared service,” he said. “As far as the industry side, please take a look at our secure cloud business application technical reference architecture, our extensible visibility reference framework to see if we are missing something or if there is something that we could do to better make things clearer, maybe address an area that we haven’t thought about. Please do let us know because with the technology landscape and the threat landscape changing so rapidly all the time there may be things that we missed in your product roadmap that would be very valuable for us to consider.”