CISA Orders Federal Agencies to Secure Microsoft Cloud Systems After Cyber Incidents

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive to federal civilian agencies, ordering them to secure their Microsoft cloud systems after recent cyber incidents.

The SCuBA project, which provides guidance on securing federal agencies’ cloud business application environments, has been used by CISA since April 2022. However, the agency is now taking steps to make it mandatory due to concerns about attackers using misconfigurations and weak security controls to steal data and disrupt services.

CISA warns that recent incidents have shown attackers can exploit vulnerabilities in cloud systems, resulting in actual compromises. The agency attributes these breaches to improper configuration of security controls in cloud environments.

The directive is part of an effort to create a centralized approach to securing the federal cloud environment. It requires agencies to identify all cloud systems under their purview, implement assessment tools, and abide by SCuBA’s secure configuration baselines.

Federal civilian agencies have until February 21, 2025, to create this inventory and update it annually. They must also deploy SCuBA assessment tools by April 25, 2025, and begin continuous reporting on requirements to CISA. The rest of the binding directive must be implemented by June 20, 2025.

CISA Director Jen Easterly emphasized that malicious actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. She urged organizations beyond federal agencies to adopt the SCuBA guidance to reduce risk.

The directive is an “important step in reducing risk to the federal civilian enterprise,” Easterly said, adding that CISA will continue to improve the SCuBA framework based on agency feedback.

Source: https://therecord.media/cisa-orders-federal-agencies-to-secure-microsoft-cloud-systems