Secure Cloud Business Applications (SCuBA) Project
Description
The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments.
SCuBA will help secure Federal Civilian Executive Branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.
For information not provided, please refer to the Frequently Asked Questions, or email CyberSharedServices@cisa.dhs.gov.
Current Status
In October 2022, CISA published the Microsoft 365 secure configuration baselines and encouraged FCEB agencies to pilot and provide feedback. The comment period ended on December 16, 2022.
The SCuBA Technical Reference Architecture and extensible Visibility Reference Framework Guidebook were finalized and published June 27, 2023.
CISA released the Hybrid Identity Solutions Architecture for public comment in March 2023. The comment period ended on April 19th, 2023.
CISA eVRF & TRA
CISA requested public comment on the Technical Reference Architecture (TRA) and extensible Visibility Reference Framework (eVRF) in the first phase of the SCuBA project to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise.
CISA's intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise.
CISA has now finalized the TRA and eVRF documents.
TRA
The TRA is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.
Technical Reference Architecture Download
eVRF
The eVRF Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.
The eVRF consists of a guidance document, two product-specific workbook overviews, and two product-specific workbooks.
eVRF Google Workspace Workbook Overview
eVRF Google Workspace Workbook
eVRF Microsoft 365 Workbook Overview
Microsoft 365 & Google Workspace Secure Configuration Baselines
CISA, in partnership with the CIO Council, developed minimum security controls for Microsoft 365 and solicited agency feedback on the business impact of the controls, their implementation and any adoption blockers. The public comment period ended on December 16, 2022.
The baselines are available through GitHub or download.
Microsoft Defender for Office 365
Microsoft Azure Active Directory
Microsoft OneDrive for Business
Hybrid Identity Solutions Architecture
CISA has released the Hybrid Identity Solutions Architecture guidance document for comment. This document is designed to help agencies understand potential options for identity management interoperability between on-premises and cloud-based solutions, the challenges involved in each, and how to address those challenges. The comment period ended on May 26th, 2023.