Securing federal cloud environments: CISA SCuBA reminds cloud service providers of the basics
These steps are essential for maintaining strong cybersecurity hygiene and preventing many of the attacks organizations face today.
Time and time again, we see malicious threat actors targeting cloud environments, largely because security controls in those environments are improperly configured. We repeatedly see this issue throughout the federal government as agencies migrate to cloud computing without fully understanding the complexity of the services or the controls the cloud platform offers.
Most recently, Nemesis and ShinyHunters, two sophisticated threat actor groups, stole thousands of cloud credentials tied to a major cloud service provider (CSP). These French-speaking groups were able to take infrastructure credentials, proprietary source code, application databases, credentials for additional external services, and thousands of keys and secrets lifted from victim networks. With this information, the attackers were able to check what privileges those credentials held with the major CSP and look for additional services that might be exposed.
In light of these breaches, the Cybersecurity and Infrastructure Security Agency’s Secure Cloud Business Applications (SCuBA) team released Binding Operational Directive (BOD) 25-01, entitled “Implementing Secure Practices for Cloud Services,” just before the turn of the year. According to SCuBA, the directive was released because “malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access” and because improper configuration of security controls in cloud environments is introducing substantial risk that has resulted in actual compromises.
While questions remain as to where the new administration will come down on cybersecurity oversight policy, it seems clear that there will continue to be support for achieving the objectives of this SCuBA directive.
The BOD calls for six actions that federal agencies must take for all in-scope cloud tenants. It is important to note that this directive does not operate in a silo; it complements existing federal resources for cloud security.
So how do organizations defend themselves against attacks targeting their cloud environments? By going back to cyber hygiene basics.
Keeping it simple – apply the same security measures across the board
SCuBA’s directive states, “through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations.” Simply put: basic cybersecurity hygiene.
To protect cloud environments against cybersecurity attacks, federal agencies should apply the same security measures and principles in the cloud as they do for on-premises infrastructure. This means having a clear understanding of the security tools the CSP makes available to help secure the cloud environment, including:
- Utilizing web application firewalls (WAFs), identity and access management (IAM) and logs in support of the cloud environment.
- Obtaining visibility into the cloud environment and having the proper controls in place for access control.
- Continuously monitoring the cloud environment for both expected and unexpected changes, since cloud environments are dynamic and change constantly.
- Investing in training to ensure teams are up to speed on the latest CSP security mechanisms available to help secure the cloud environment, or acquiring the services necessary to assist in securing the cloud environment.
There are also several tier-1 cybersecurity tools that agencies can consider to effectively secure their cloud environment. For example, internet intelligence platforms (IIPs) can continuously scan and monitor all internet-facing assets. These solutions help uncover unknown cloud assets and proactively identify potential misconfigurations that would otherwise leave an agency exposed to threat actors. Gaining visibility into the cloud attack surface is essential for securing assets across diverse cloud environments.
In addition to these measures, SCuBA has provided an extensive array of resources to further support implementation of this BOD, including reference architectures, tools and GitHub repositories. While these resources are primarily aimed at helping civilian agencies improve the security of assets hosted in cloud environments, they are available to anyone who needs guidance on how to secure their cloud environment.
While this may seem like yet another mandate added to a cybersecurity team’s already demanding workload, these steps are essential for maintaining strong cybersecurity hygiene and preventing many of the attacks organizations face today. Returning to the basics is often the most effective starting point.
Shunta Sharod Sanders is team lead for federal solutions engineering at Censys.
Copyright © 2025 Federal News Network. All rights reserved.