CISA orders federal agencies to secure their cloud environments

Federal civilian agencies are compelled by the Binding Operational Directive to adopt specific cloud standards under SCuBA, a government blueprint of cloud security guidelines that helps agencies assess the security of their cloud environments.

The Cybersecurity and Infrastructure Security Agency invoked a binding directive Tuesday that requires federal agencies to retune their cloud security posture to a set of standards that can prevent hackers from gaining unauthorized access to their systems.

The order requires agencies to comply with measures set under CISA’s Secure Cloud Business Applications — or SCuBA — project, which helps guide civilian agencies on protecting their cloud environments.

SCuBA’s creation was fueled in part by the 2020 SolarWinds Orion incident, a first-of-its-kind hack against the federal civilian agency enterprise that demonstrated the need for a more consistent, governmentwide approach to cloud security.

“As part of CISA and the broad U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this directive will further reduce the attack surface of the federal government networks,” the agency said in a press release.

The directive itself was not motivated by any specific incident, said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman in a news conference, adding that the attack methods deployed against federal cloud networks are used by “both sophisticated, well-funded threat actors and common cyber criminals.”

But he later added that, up until today, there was no mandatory requirement for agencies to abide by SCuBA standards.

The required configurations page for the BOD notably only lists Microsoft cloud offerings. Both Microsoft and Google — major players in the government’s cloud services usage — offer their own SCuBA developer toolkits.

Agencies must report their cloud systems to CISA by February 21, 2025, and update this list every year, according to the directive. And by April 25, 2025, they need to set up tools to check the security of these systems and start sharing results with CISA, either automatically or through quarterly reports.

Agencies must then follow required security policies by June 20, 2025, and ensure new cloud systems meet these standards before they are approved for use.

“While this directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance,” CISA Director Jen Easterly said in a statement.