CISA Publishes Security and Resilience Guidance for Cloud Services


CISA Publishes Security and Resilience Guidance for Cloud Services - Open for Comment until May 19th


Critical Infrastructure Partners,

As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) serves a central role in implementing President Biden’s Executive Order 14028. This executive order has already driven significant improvements in securing federal government networks, including enabling greater visibility into cybersecurity threats, driving improvements in security practices, and providing direction toward adoption of cloud technology.

Today, CISA announced it published two initial guidance documents as a part of the Secure Cloud Business Applications (SCuBA) project, which collectively will help agencies adopt necessary security and resilience practices when utilizing cloud services. These documents are outcomes from our ongoing dialogue and collaboration with industry and government stakeholders.

First, the SCuBA Technical Reference Architecture (TRA) is a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks. A secure cloud-based business application (e.g., Microsoft 365 or Google Workspace) deployment requires a combination of application configuration, security services, integration with existing enterprise systems, and robust operational practices. When fully developed, the SCuBA TRA will provide threat-based guidance to create a secure implementation architecture.

Second, the Extensible Visibility Reference Framework (eVRF) Guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps. Agencies may also leverage it to make threat-informed decisions on visibility and improve their ability to hunt for threats and investigate incidents across their enterprise.

While these documents are principally intended for use by federal agencies, CISA recommends that all organizations utilizing cloud services review the SCuBA TRA and eVRF Guidebook and implement the practices therein where appropriate. Specifically, the concepts and workflow in eVRF can be utilized by any organization that is interested in incorporating visibility into its cybersecurity practices or in identifying and communicating visibility requirements and gaps.

Until May 19, these two products are open for public comment as we work to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise. Comments should be submitted to:

We look forward to receiving and reviewing your feedback on this important effort to improve federal cloud cybersecurity.


Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell: 217-299-3954