Proposed US Guidance, Legislation Show Increasing Importance of Cloud Security
The United States is working on guidance and legislation that show the government is placing increasing importance on cloud security.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday announced that it’s seeking public comment on a couple of guidance documents created as part of a project called Secure Cloud Business Applications (SCuBA), whose goal is to help improve visibility, standards and security practices for government cloud.
“The project was established to develop consistent, effective, modern, and manageable security configurations that will help secure agency information assets stored within cloud environments,” CISA said.
One of the documents is the SCuBA Technical Reference Architecture (TRA), a security guide designed to help federal agencies adopt technology for cloud deployment, adaptable solutions, secure architecture, zero trust and agile development.
The second document, the Extensible Visibility Reference Framework (eVRF) guidebook, describes a framework that can be used by organizations to identify visibility data that can be used to mitigate threats, as well as to identify visibility gaps.
The deadline for commenting on the two documents is May 19, 2022.
“We are requesting public comment on these two products to ensure our guidance enables the best flexibility to keep pace with evolving technologies and capabilities and protect the federal enterprise. Our intent is to properly address cybersecurity and visibility gaps within cloud-based business applications that have long hampered our collective ability to adequately understand and manage cyber risk across the Federal and IT enterprise,” CISA said.
While these resources are mainly intended for government agencies, CISA advises all organizations to use the guidance to improve cloud security.
The SCuBA project was created in response to an executive order on strengthening cybersecurity defenses signed by President Joe Biden in May 2021. The executive order also led to the creation of a federal zero trust strategy and a cyber safety review board.
Nextgov reported on Monday that US lawmakers are working on bipartisan legislation that covers the cybersecurity responsibilities of private entities designated as “systemically important critical infrastructure.” These entities would be given some liability protection and access to government resources in exchange for implementing certain security controls to protect their systems and for reporting cybersecurity incidents to the government.
According to Nextgov, major cloud service providers, which until now have been considered off-limits for regulation, may be added to the list of systemically important critical infrastructure due to the big role they play in modern digital life.