Secure Cloud Business Applications (SCuBA)

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.

This project accelerates CISA cybersecurity shared services offerings, strengthens its relationship with other agencies, and supports CISA’s role leading federal efforts to mitigate cybersecurity risks to the nation, its execution of security requirements, and the Department of Homeland Security (DHS) cybersecurity mission.

For information not provided, please refer to the Frequently Asked Questions, or email

Current Status

In October, CISA published Microsoft 365 (M365) baselines and encourages FCEB agencies to pilot them and provide feedback. This feedback will help refine SCuBA security configuration baselines and determine candidate cybersecurity shared service offering(s) in support of secure cloud business applications. The public comment period will end on December 16, 2022. The SCuBA Technical Reference Architecture (TRA) and Extensible Visibility Reference Framework (eVRF) Guidebook were released in April and are now closed for agency comment.


CISA has developed two initial guidance documents as a part of the SCuBA project, which collectively will help agencies adopt necessary security and resilience practices when utilizing cloud services. While these documents are principally intended for use by federal agencies, CISA recommends that all organizations utilizing cloud services review the SCuBA TRA and eVRF Guidebook and implement practices therein where appropriate.  


    SCuBA Technical Reference Architecture


    The SCuBA TRA is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.   




    extensible Visibility Reference Framework (eVRF) for SCuBA


    The eVRF Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.   



    CISA requested public comment on the TRA and eVRF in the first phase of the SCuBA project to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise.

    CISA's intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise. In addition, CISA is working towards guidance on recommended cybersecurity configuration baselines for select products that is likely to be released in the coming months.

    The public comment period for each of these documents ended on May 19, 2022. The input received from stakeholders will be implemented into the final versions of each of these products.

    Microsoft 365 & Google Workspace Baselines

    Test secure implementation of M365 and Google Workspace

    CISA is requesting that federal agencies pilot the M365 security configuration guides. CISA, in partnership with the CIO Council, has developed minimum security controls for M365 and is soliciting agency feedback on the business impact of controls, implementation, and any adoption blockers. Agencies do not need to adopt every control in the baseline to participate. The public comment period will end on December 16, 2022.

    The baselines are available through GitHub or download. 

    Agencies interested in participating can contact for more information.



    Baselines available for download: 

    Please provide all comments to or through GitHub

    Contact Us

    Any agency interested in receiving additional information should contact CISA’s Cyber Quality Service Management Office (QSMO) at

    As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) serves a central role in implementing President Biden’s Executive Order 14028. This executive order has already driven significant improvements in securing federal government networks, including by enabling greater visibility into cybersecurity threats, driving improvements in security practices, and providing direction toward adoption of cloud technology. The SCuBA project was developed pursuant to Executive Order 14028 and is funded through the American Rescue Plan Act of 2021.
