At a glance.
- CISA’s SCuBA project dives into cloud services security.
- The evolution of incident reporting requirements for critical infrastructure.
- CISA on ICS security.
CISA’s SCuBA project dives into cloud services security.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued two new guidance documents as part of its Secure Cloud Business Applications (SCuBA) project. The first is on Technical Reference Architecture (TRA), and the second is a guidebook covering the Extensible Visibility Reference Framework (eVRF) program, both aimed at helping agencies implement best practices for security and resilience when using cloud services. CISA states that SCuBA’s goal is to “develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operation,” a worthy objective given that cloud services breaches led to several major attacks impacting federal agencies in recent months, including the infamous SolarWinds incident. The agency is requesting comment on the guidance by May 19. Vincent Sritapan, Cyber Quality Service Management Office section chief at CISA, told the Federal News Network, “We look to, in this case, provide architectures, security configurations, really to offer fundamental protections for cloud business applications. Within federal civilian agencies, we’re providing them with both the security and visibility necessary to identify and detect adversary activities in their cloud environments.” SCuBA will concentrate first on the Microsoft Office 365 and Google Workspace applications widely used across federal agencies, and project funding will come out of the $650 million allotted by the American Rescue Act Plan. Sritapan added that CISA is working in partnership with the Federal CIO Council’s innovation committee and cyber innovation team to ensure that SCuBA practices do not impede agencies’ mission requirements or employee efficiency.
The evolution of incident reporting requirements for critical infrastructure.
US lawmakers continue to grapple with determining the best methods for securing the nation’s critical infrastructure against attacks like last year’s massive Colonial Pipeline incident, and Holland & Knight offers an overview of the evolution of critical infrastructure security regulations in recent years. Currently, cyberincidents in the energy sector are to be reported to the Department of Energy, the Federal Energy Regulatory Commission, and state and local agencies. Last year, the Transportation Security Administration established mandatory cybersecurity rules for pipeline operators requiring all cybersecurity incidents be reported to CISA within twelve hours of discovery. Then in March of this year, Congress approved the Cyber Incident Reporting for Critical Infrastructure Act, which requires reporting of attacks to CISA within seventy-two hours and ransomware payments within twenty-four. Looking forward, the Act will require CISA to issue a notice of proposed rulemaking within twenty-four months of the bill’s enactment, and the energy sector is urged to begin preparing feedback on how the rules can be enforced without disrupting operations.
CISA on ICS security.
CISA emailed to let us know that, "The Cybersecurity and Infrastructure Security Agency (CISA) announced today the expansion of the Joint Cyber Defense Collaborative (JCDC) to include Industrial Control Systems (ICS) experts—security vendors, integrators, and distributors—to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems and operational technology (ICS/OT). Companies initially joining the JCDC-ICS effort include Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem, as well as several JCDC Alliance partners."
Grant Geyer, Chief Product Officer at Claroty, stated, "To protect our critical infrastructure from cyber attacks and mitigate risks to human life, we must secure and ensure the resiliency of ICS, which we depend on to run the hospitals, power grids, oil pipelines, water utilities, and many other essential services and has recently become a focal point of national security. Protecting our nation from threat actors is a team sport and we are incredibly honored to be a part of this team."