The IT Nerd

The CISA has recently put out a Binding Operational Directive on Implementing Secure Practices for Cloud Services:

Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. This Directive requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats. 

Jim Routh, Chief Trust Officer, Saviynt had this comment:

“IT Hygiene is a way of describing an enterprise’s capabilities to identify IT assets, manage the configuration of those assets, apply vulnerability management to those assets and to update those assets when necessary. The new Directive from CISA is requiring federal agencies to improve their IT Hygiene for cloud hosted services supporting their needs. The configuration management requirements in cloud computing are different from IT assets hosted in proprietary data centers. Federal agencies with legacy infrastructure (non-cloud) must apply a different way to manage the configuration of cloud hosted IT assets that includes discovery, asset inventory management, configuration management and vulnerability management.”

Paul Zolfaghari, President, Saviynt follow up with this:

“As we navigate an increasingly complex cyber landscape, the issuance of Binding Operational Directive 25-01 by the Cybersecurity and Infrastructure Security Agency (CISA) represents a pivotal advance in cloud security. This directive underscores our collective commitment to not only securing our nation’s digital infrastructure but also setting a benchmark for future cloud security measures. By mandating secure configuration baselines and integrating continuous monitoring, CISA is leading the charge in fortifying our federal networks against sophisticated cyber threats. This proactive approach is essential in ensuring the resilience and security of our cloud environments, and we are proud to support these vital initiatives.”

The CISA really has a great grasp as to what it needs to do to ensure that government does not become a target for threat actors. Private industry needs to copy what they are doing as they are really on the ball.

 UPDATE: Chris Botelho, Sr. Solutions Engineer, LimaCharlie adds this:

“The directive forces these agencies to modernize their security controls in order to better protect against malicious actors and software. Given the increase in activity of both nation-state actors and ransomware groups targeting third-parties that contract with the federal government rather than the federal government itself, it has become even more important to not only ensure federal systems are protected, but also the organizations that the federal government contracts with in order to protect data and prevent large-scale incidents. Malicious actors will always go for the weakest link in the chain, which currently are the SMBs that frequently don’t have the knowledge, time, expertise, or budget for implementing recommended security controls.

“Most of the controls being required by the directive are part of Microsoft’s own best practices and should already in place. The controls and scanner are provided for free from CISA, so they can be implemented without any licensing costs. If an organization is using an enterprise M356 license, then they will likely have all the required controls available to them. However, organizations using F3 licenses or purchasing their M365 subscriptions through a third-party provider will likely need to upgrade their licenses or purchase additional licenses to gain access to the security controls required by the directive, such as Microsoft Purview. There will also be a time cost to implement the controls and update internal policies such as password management policies to reflect the new control requirements.

“Controls required by federal agencies frequently influence the controls implemented by private businesses both directly, through direct implementation of the controls based on the agency’s requirements, but also indirectly through regulatory bodies such as HITRUST and PCI-DSS that adopt the federal agency’s requirements as part of their own requirements. Additionally, by adopting federal controls, the effort required by leadership to create their own security controls is reduced while providing a tested and vetted method for ensuring the controls are implemented and can be easily tested through readily-available tools such as CISA’s SCuBA, without additional cost.

“The biggest challenge will be changing the user and management mindset for many of the historical security controls that no longer apply or work in today’s computing environments as well as the cost that would be involved if a business’s current license(s) don’t include the controls prescribed by the mandate. This could be something such as MFA, which may not be included in a business’s current service license and historically is seen by many as an unnecessary extra step, but significantly increases the authentication security of a business. Additionally, there may be regulations in place that a business has to follow that are in conflict with the CISA directive. For example, the new controls require that passwords are set to never expire. Historically, the industry standard was to change passwords every 60-90 days. However, research has shown that this actually decreases password security, but many organizations still do this because it has been the practice for decades and regulations such as PCI-DSS still require it.”