How to comply with CISA’s SCuBA (without the headaches)
Federal agencies turned to the cloud for simplicity. But in the process, they've uncovered unfamiliar vulnerabilities, reduced visibility, and an expanding attack surface.
In dynamic cloud environments, a single oversight can lead to massive exposure. How can agencies tame the complexity?
The Cybersecurity and Infrastructure Security Agency’s (CISA) Secure Cloud Business Applications (SCuBA) project and Binding Operational Directive (BOD) 25-01 provide a strong foundation for civilian agencies. These initiatives create uniform security configurations to put agencies on a path toward more resilient, secure clouds.
What are SCuBA and BOD 25-01?
CISA’s SCuBA framework is essentially the how-to guide for cloud security. It collects vendor-neutral best practices and identifies tools to help agencies lock down their SaaS systems.
SCuBA’s core pillars include:
- A Technical Reference Architecture (TRA) to enable secure cloud adoption.
- An Extensible Visibility Reference Framework (eVRF) for identifying security blind spots.
- Secure configuration baselines to ensure consistent security settings.
- A Holistic Identity Security Assessment (HISA) for a comprehensive view of user access across cloud and on-premises environments.

While SCuBA offers agencies an optional cloud security roadmap, BOD 25-01 mandates that agencies apply these practices to their Microsoft 365 environments.
The to-do list is short but difficult: agencies must identify all in-scope cloud services, install and use SCuBA security tools such as ScubaGear, and apply security baseline settings by June 20, 2025.
And it’s not a one-time deal. Agencies must update their inventory annually and apply these rules to any new cloud services.
The top barriers to SaaS compliance for federal agencies
Unlike the traditional IT assets they replaced, SaaS applications change by design. Environments scale up and down, spin up ephemeral instances, and add or remove capabilities quickly.
But this constant change makes it harder for agencies to keep their environments aligned with regulations and security protocols. Common hurdles include:
- Visibility issues: Many agencies lack up-to-date, precise inventories of their SaaS applications.
- Siloed operations: Security, compliance, and business teams often operate in isolation, making collaboration challenging.
- Resource constraints: Finding skilled cybersecurity professionals is an ongoing struggle.
- Data overload: Agencies are awash in tools that do specific checks for specific services, flooding teams with conflicting data to reconcile.
Key steps to strengthen SaaS security

Securing SaaS applications starts with visibility. Agencies can’t protect what they can’t see.
To make complying with the SCuBA framework easier, agencies should:
- Identify access issues with a Holistic Identity Security Assessment (HISA): Conducting a HISA is one of the first steps in improving visibility. These assessments help agencies catalog all user accounts — both human and machine — and access points across their environments. Agencies can mitigate identity-related risks by analyzing authentication methods, multi-factor authentication usage, and single sign-on usage versus local accounts.
- Automate application discovery: Because SaaS usage is apt to change, agencies need tools to monitor the environment continuously. Shadow IT and unknown cloud applications can be difficult to detect manually, but automated SaaS discovery solutions, like those offered by Axonius, provide IT and security teams with a comprehensive view of all applications.
- Streamline compliance processes: Manual security and compliance tasks can be time-consuming and error-prone. Automating security checks and compliance reporting can help spot settings that may drift out of compliance before they become problematic. Axonius maps to industry standards such as SOC 2, ISO 27001, NIST 800-53, and PCI DSS to ensure strong protection of information systems and data.
- Enhance collaboration across teams: Cybersecurity, compliance, and business teams must cooperate to secure SaaS applications without disrupting operations. Though these teams often work independently, tools like Axonius’s centralized platform simplify collaboration by offering precise, actionable data to all stakeholders.
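To make the HISA and compliance-reporting steps above concrete, here is an added example (not Axonius, CISA, or ScubaGear code) that catalogs a small account inventory by type and authentication method, then runs the identity checks the HISA step names (MFA usage, SSO versus local accounts, machine-account credentials, stale accounts) and rolls the findings up into a report keyed by check ID. The account records, the `ID-0x` check identifiers, the 90-day staleness threshold, and the field names are all constructed for illustration and are not SCuBA baseline identifiers.

```python
"""Identity inventory assessment in the spirit of a HISA.

Added example, not code from the original post. The inventory, the check
identifiers (ID-01 .. ID-05) and the staleness threshold are constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    name: str
    kind: str                       # "human" or "machine"
    auth: str                       # "sso", "local_password", "certificate", "api_key"
    mfa: bool                       # multi-factor authentication enforced?
    privileged: bool                # holds an admin role?
    last_signin_days: Optional[int] # days since last sign-in; None = never

# Constructed sample inventory; the names and values are not real data.
SAMPLE_INVENTORY = [
    Account("alice@agency.example", "human",   "sso",            True,  True,  2),
    Account("bob@agency.example",   "human",   "local_password", False, False, 14),
    Account("svc-backup",           "machine", "local_password", False, True,  1),
    Account("svc-etl",              "machine", "certificate",    False, False, 3),
    Account("carol@agency.example", "human",   "local_password", True,  False, 120),
    Account("dave@agency.example",  "human",   "sso",            True,  False, None),
]

# Constructed check identifiers (not SCuBA baseline policy IDs).
CHECKS = {
    "ID-01": "human account without multi-factor authentication",
    "ID-02": "human account using a local password instead of SSO",
    "ID-03": "machine account authenticating with a password",
    "ID-04": "privileged account relying on a local password",
    "ID-05": "account unused beyond the staleness threshold",
}

def catalog(inventory):
    """Step one of a HISA: count human vs. machine accounts and auth methods."""
    summary = {"human": 0, "machine": 0, "auth_methods": {}}
    for acct in inventory:
        summary[acct.kind] += 1
        methods = summary["auth_methods"]
        methods[acct.auth] = methods.get(acct.auth, 0) + 1
    return summary

def assess(inventory, stale_days=90):
    """Run the identity checks; return (account, check_id, description) tuples."""
    findings = []
    for acct in inventory:
        if acct.kind == "human" and not acct.mfa:
            findings.append((acct.name, "ID-01", CHECKS["ID-01"]))
        if acct.kind == "human" and acct.auth == "local_password":
            findings.append((acct.name, "ID-02", CHECKS["ID-02"]))
        if acct.kind == "machine" and acct.auth == "local_password":
            findings.append((acct.name, "ID-03", CHECKS["ID-03"]))
        if acct.privileged and acct.auth == "local_password":
            findings.append((acct.name, "ID-04", CHECKS["ID-04"]))
        # A never-used account is treated as stale, not as compliant.
        if acct.last_signin_days is None or acct.last_signin_days > stale_days:
            findings.append((acct.name, "ID-05", CHECKS["ID-05"]))
    return findings

def report(findings):
    """Roll findings up by check ID so drift can be tracked run over run."""
    counts = {}
    for _, check_id, _ in findings:
        counts[check_id] = counts.get(check_id, 0) + 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    print("catalog:", catalog(SAMPLE_INVENTORY))
    for name, check_id, desc in assess(SAMPLE_INVENTORY):
        print(f"{check_id} {name}: {desc}")
    print("summary:", report(SAMPLE_INVENTORY and assess(SAMPLE_INVENTORY)))
```

Running `report` on each inventory snapshot and diffing the per-check counts between runs is the simplest form of the drift detection the compliance step describes: a check whose count rises between two runs is a setting or account that has moved out of the expected state.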
What’s next for SCuBA and federal cloud security?
“In the future, CISA may release additional SCuBA Secure Configuration Baselines for other cloud products,” the guidance notes. It’s a clear signal that SCuBA and BOD 25-01 are likely just the start of stricter cloud security policies.
As the CISA team develops the baseline configurations, agencies can expect additional mandates covering Google Workspace and other SaaS environments.
The cloud will continue to evolve, and so will security requirements. By getting ahead of SCuBA and BOD 25-01 compliance, agencies can lay the groundwork for a more secure and adaptable cloud environment. A proactive approach today means fewer security gaps and surprises tomorrow.
But staying ahead requires the right tools. Axonius helps IT and security teams gain full visibility into their SaaS environments, automate compliance processes, and strengthen security.
Learn more about how Axonius can help your team.