Service

Secure Cloud Business Applications (SCuBA) Project

Secure Cloud Business Applications (SCuBA)

Description

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments.

SCuBA will help secure Federal Civilian Executive Branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.

For information not provided, please refer to the Frequently Asked Questions, or email CyberSharedServices@cisa.dhs.gov.

Current Status

The Microsoft 365 Secure Configuration Baselines were finalized and published on December 21, 2023

December 2023, CISA released the Google Workspace Secure Configuration Baselines for public comment. This feedback will help refine SCuBA security configuration baselines and determine candidate cybersecurity shared service offering(s) in support of secure cloud business applications. The public comment period ended on February 2, 2024 and CISA is reviewing comments. 

In March 2023, CISA released the Hybrid Identity Solutions Architecture guidance document for comment. The public comment period ended on April 19th, 2023 and CISA is reviewing comments. 

CISA eVRF & TRA

CISA requested public comment on the Technical Reference Architecture (TRA) and extensible Visibility Reference Framework (eVRF) in the first phase of the SCuBA project to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise.

CISA's intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise.

CISA has now finalized the TRA and eVRF documents.

TRA

The TRA is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.  

Technical Reference Architecture Download

eVRF

The eVRF Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.  

The eVRF consists of a guidance document, two product-specific workbook overviews, and two product-specific workbooks.

eVRF Guidance Document

eVRF Google Workspace Workbook Overview

eVRF Google Workspace Workbook

eVRF Microsoft 365 Workbook Overview

eVRF Microsoft 365 Workbook

Microsoft 365 & Google Workspace Secure Configuration Baselines

These security configuration baselines for Microsoft 365 (M365) and Google Workspace (GWS) provide easily adoptable recommendations that complement each agency’s unique requirements and risk tolerance levels as well as include automation features to assist federal agencies in rapidly assessing their M365 and GWS services. 

The finalized M365 baselines are available through GitHub or download. Comments to help refine the baselines implementation guidance, and the assessment tool should email CyberSharedServices@cisa.dhs.gov.

Microsoft Defender for Office 365

Microsoft Azure Active Directory

Microsoft Exchange Online

Microsoft Sharepoint and OneDrive for Business

Microsoft Power BI

Microsoft Power Platform

Microsoft Teams

CISA released the Google Workspace baselines and associated assessment tool ScubaGoggles on December 12, 2023. CISA is requesting feedback on the business impact of controls, implementation and any adoption blockers. The public comment period ended on February 2, 2024 and CISA is reviewing comments. 

The GWS baselines are available through GitHub or download.  

Baselines available for download:  

Groups for Business 

Gmail 

Google Calendar 

Google Chat 

Google Common Controls 

Google Classroom 

Google Drive and Docs 

Google Meet 

Google Sites 

Hybrid Identity Solutions Architecture

CISA has released the Hybrid Identity Solutions Architecture guidance document for comment. This document is designed to help agencies understand potential options for identity management interoperability between on-premises and cloud-based solutions, the challenges involved in each, and how to address those challenges. The comment period ended on May 26th, 2023

Hybrid Identity Solutions Architecture