Press Release

CISA Releases Cloud Services Guidance and Resources


 Final guidance and resources help agencies adopt necessary security and resilience best practices for utilizing cloud services   

WASHINGTON – Today, CISA released the first series of final security guidance resources under our Secure Cloud Business Applications (SCuBA) project: the Extensible Visibility Reference Framework (eVRF) Guidebook and a Technical Reference Architecture (TRA) document. With input from a public comment period in 2022, the final guidance documents help public and private entities implement necessary security and resilience best practices for their cloud services.

  • The eVRF Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data, mitigate threats, and understand the extent to which specific products and services provide visibility data and identify where potential gaps exist.  
  • The TRA Document is a security guide that organizations can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.

“As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether on on-premises or cloud-based environments,” said CISA Executive Assistant for Cybersecurity, Eric Goldstein. “The final eVRF and TRA provide all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk.”

The SCuBA project provides guidance and capabilities to secure cloud business application environments and protect information created, accessed, shared, and stored in those environments. The eVRF Guidebook and TRA document further the project’s goal of developing consistent, effective, modern, and manageable security configurations to help organizations adopt necessary cloud-focused security and resilience practices.  

To download the eVRF Guidebook and TRA document, visit Secure Cloud Business Applications (SCuBA). 


About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit for more information and follow us on Twitter, Facebook, LinkedIn, Instagram