{"id":6659,"date":"2024-12-17T16:04:57","date_gmt":"2024-12-17T22:04:57","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82933"},"modified":"2024-12-17T16:04:57","modified_gmt":"2024-12-17T22:04:57","slug":"cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/17\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments\/","title":{"rendered":"CISA delivers new directive to agencies on securing cloud environments"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>CISA delivers new directive to agencies on securing cloud environments | CyberScoop<\/title> <meta name=\"description\" content=\"The cyber agency\u2019s SCuBA guidelines were developed after pilots with 13 agencies and continue a post-SolarWinds cloud strategy.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-scuba-baselines-cloud-security-directive\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA delivers new directive to agencies on securing cloud environments\"> <meta property=\"og:description\" content=\"The cyber agency\u2019s SCuBA guidelines were developed after pilots with 13 agencies and continue a post-SolarWinds cloud strategy.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-scuba-baselines-cloud-security-directive\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-12-17T22:04:57+00:00\"> <meta property=\"article:modified_time\" 
content=\"2024-12-17T22:04:59+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1024\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82933\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" 
content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82933\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-scuba-baselines-cloud-security-directive%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-scuba-baselines-cloud-security-directive%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82933 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-scuba-baselines-cloud-security-directive\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.911270983213\">\n<div class=\"single-article__header-content\" readability=\"33.761194029851\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-scuba-baselines-cloud-security-directive\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The cyber agency\u2019s SCuBA guidelines were developed after pilots with 13 agencies and continue a post-SolarWinds cloud strategy. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82933\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"341\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments.jpg?resize=640%2C341&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Netskope\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=300,160 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=768,410 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=1024,546 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=1536,819 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=600,320 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=1200,640 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-2.jpg?resize=1500,800 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html 
readability=\"35.901897214217\"><body readability=\"72.837837837838\"><\/p>\n<p>Federal civilian agencies have a new list of cyber-related requirements to address after the Cybersecurity and Infrastructure Security Agency on Tuesday issued guidance regarding the implementation of secure practices for cloud services.<\/p>\n<p>CISA\u2019s <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/bod-25-01-implementation-guidance-implementing-secure-practices-cloud-services\">Binding Operational Directive (BOD) 25-01<\/a> instructs agencies to identify all of their cloud instances and implement assessment tools, while also making sure that their cloud environments are aligned with the cyber agency\u2019s Secure Cloud Business Applications (SCuBA) configuration baselines.<\/p>\n<p>CISA Director Jen Easterly <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/cisa-directs-federal-agencies-secure-cloud-environments\">said in a statement<\/a> that the actions laid out in the directive are \u201can important step\u201d toward reducing risk across the federal civilian enterprise, though threats loom in \u201cevery sector.\u201d<\/p>\n<p>\u201cMalicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,\u201d Easterly said. \u201cWe urge all organizations to adopt this guidance. 
When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>During a call with reporters Tuesday, Matt Hartman, CISA\u2019s deputy executive assistant director for cybersecurity, said that while the directive was \u201cnot focused\u201d on any \u201cone specific, recent threat,\u201d it is \u201cresponsive to recent threat activity\u201d and part of a post-<a href=\"https:\/\/cyberscoop.com\/tag\/solarwinds\/\">SolarWinds<\/a> campaign aimed at creating \u201ca centralized and consistent approach to securing federal cloud configurations.\u201d<\/p>\n<p>The tactics that this directive guards against, Hartman added, \u201care used consistently by both sophisticated, well-funded actors and common cyber criminals.\u201d<\/p>\n<p>CISA has prioritized the development of SCuBA guidelines in recent years, issuing instructions <a href=\"https:\/\/cyberscoop.com\/cisa-google-workspace-scuba-baselines-microsoft-breach-china\/\">for agency use of Google Workspace<\/a> a year ago and <a href=\"https:\/\/fedscoop.com\/cisa-releases-microsoft-365-security-configuration-baselines\/\">putting out standards for Microsoft 365<\/a> use in October 2022. Those moves were considered part of a response to the revelation that a <a href=\"https:\/\/cyberscoop.com\/china-hackers-email-us-government\/\">Chinese hacking group stole a Microsoft signing key<\/a> and used it to access emails belonging to senior U.S. officials.<\/p>\n<p>Hartman reiterated during Tuesday\u2019s call that the timing of the new directive was not tied to any specific incident but simply \u201crecognition of the fact that the SCuBA program has matured significantly over the last couple of years. 
We have completed a number of pilot implementations with a wide range of federal civilian agencies.\u201d<\/p>\n<p>A CISA official said they received plenty of feedback on the directive\u2019s feasibility and control policies from the 13 agencies that participated in those pilots. Hartman, meanwhile, said CISA pursued \u201ca proactive and deliberate approach\u201d in working with CIOs and CISOs ahead of the directive\u2019s release.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>As part of the Microsoft 365-specific requirements in the directive, agencies have until Feb. 21, 2025, to provide CISA with the instance name&nbsp;and the system-owning agency or component for each instance. That inventory must be updated yearly in the first quarter, in accordance with CISA reporting instructions.<\/p>\n<p>All SCuBA assessment tools for in-scope cloud instances must be deployed by April 25, 2025, with continuous reporting on the requirements activated. All required SCuBA policies called out in the directive should be implemented by June 20, 2025.&nbsp;<\/p>\n<p>\u201cAs federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required,\u201d the agency said in a statement. 
\u201cCISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.2421602787456\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/cisa-delivers-new-directive-to-agencies-on-securing-cloud-environments-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-scuba-baselines-cloud-security-directive\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA delivers new directive to agencies on securing cloud environments<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[45,78,452,3358,3359],"tags":[53,86,454,3360,3361],"class_list":["post-6659","post","type-post","status-publish","format-standard","hentry","category-cloud-security","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-microsoft-365","category-scuba","tag-cloud-security","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-microsoft-365","tag-scuba"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cloud-security\/\" rel=\"category tag\">Cloud security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft-365\/\" rel=\"category tag\">Microsoft 365<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/scuba\/\" rel=\"category tag\">SCuBa<\/a>","tag_info":"SCuBa","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6659"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6659\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}