CISA orders federal agencies to secure Microsoft cloud systems after ‘recent’ intrusions


Federal civilian agencies were ordered to secure their Microsoft cloud systems after several recent cyber incidents. 

The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive on Tuesday giving federal agencies a series of deadlines to identify cloud systems, implement assessment tools and abide by the agency’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

Since April 2022, CISA has used the SCuBA project to provide guidance and capabilities to secure federal agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. 

The push to make it mandatory is new, and CISA warned that recent incidents have shown attackers can use misconfigurations and weak security controls to steal data and disrupt services. 

While the agency did not go into detail, 2023 and 2024 have seen at least two major federal government breaches conducted by hackers from Russia and China through Microsoft cloud products. 

When asked why the directive was being issued now or if it was related to a specific incident, Matt Hartman, deputy executive assistant director for cybersecurity at CISA, said there have been “a number of recent cybersecurity incidents” where “the improper configuration of security controls in cloud environment introduced substantial risk and has resulted in actual compromises.”

Hartman would not go into detail about the recent incidents or intrusions, only mentioning the 2020 SolarWinds compromise as an example. 

“This is the product of work that we began after the SolarWinds campaign to create a centralized and consistent approach to securing the federal cloud environment,” he told reporters. “The configurations that this [binding operational directive] requires are not specific to any threat actor or incident. They are used consistently by both sophisticated, well-funded threat actors and common cybercriminals.”

In a statement, CISA Director Jen Easterly echoed those remarks, writing that malicious actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. 

The directive is an “important step in reducing risk to the federal civilian enterprise,” she said, adding that while it only applies to federal civilian agencies, every organization should adopt the guidance. 

Until today, there was no mandatory compliance regime associated with SCuBA. A CISA official said they conducted a pilot program over the last year where 13 agencies adopted the framework and CISA made improvements to it based on the agency responses. 

CISA has only published SCuBA baselines for Microsoft Office 365 and plans to have one for Google Workspace by the second quarter of 2025.

Federal civilian agencies have until February 21, 2025, to create an inventory of all the cloud systems under their purview, and they will have to update this list in the first quarter of each year. 

All SCuBA assessment tools must be deployed by April 25, 2025, and agencies have to begin continuous reporting on the requirements to CISA. 

By June 20, 2025, agencies must have implemented the rest of the binding directive issued on Tuesday.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
