CISA Seeks Comment on Visibility Effort Being Piloted with Cloud Service Providers

The Cybersecurity and Infrastructure Security Agency is asking for feedback over the next month on preliminary documents it’s published to help agencies implement logging and other security measures under order from Congress and the Biden administration.

Comments are due May 19 on a technical reference architecture for secure cloud business applications and a program guidebook for an extensible visibility reference framework the agency published Wednesday, noting risks associated with the use of certain cloud services.

“In recent years, the federal government has leveraged cloud-based software and platform services as a means for greater capacity and accessibility as well as for good financial stewardship,” CISA Executive Director Eric Goldstein wrote in a blog post about the new pilot program, which is being referred to as Secure Cloud Business Applications, or SCuBA. “However, moving to the cloud can introduce new types of risks if not conducted with security top of mind.”

Referencing the SolarWinds supply chain hack that compromised nine federal agencies and about a hundred other entities, at the end of 2020, Goldstein said the adversary is continuing to develop sophisticated capabilities and that the SCuBA project was launched to help improve visibility across the government with funding from the American Rescue Plan. Among other things, the plan made $690 available to CISA for “improving security monitoring and incident response activities … [and to] bolster cybersecurity across federal civilian networks, and support the piloting of new shared security and cloud computing services.”

“The project was established to develop consistent, effective, modern and manageable security configurations that will help secure agency information assets stored within cloud environments,” Goldstein said. But the reference architecture notes, agencies will be bottom line responsible for “securely configuring their cloud business applications and collecting the associated logs and telemetry to meet their security needs.”

The reference architecture lays out potential data collection points between agencies, CISA and cloud service providers but it doesn’t specify telemetry requirements for agencies. Instead, according to the program guidebook, “individual eVRF workbooks, produced on a case-by-case basis, will describe specific visibility requirements.” 

CISA said the agency will work with the cloud service providers and with federal civilian executive branch agencies “to facilitate data acquisition of cloud logs and telemetry for analysis and—when needed—facilitate incident response and threat-hunting activities.” 

The new SCuBA project will complement existing visibility and monitoring efforts, like the Continuous Diagnostics and Mitigation program, the Trusted Internet Connections 3.0 use cases and others focused on the zero-trust security concept, the agency said.