The Cybersecurity and Infrastructure Security Agency (CISA) recently released a draft guidance document, the Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA). Analysts expect this guidance might bring semi-nationalization to public cloud security in the U.S.
Founded by the American Rescue Plan Act of 2021, CISA’s SCuBA project aims to develop consistent, effective, and manageable cloud security and provide direction toward cloud technology adoption.
SCuBA TRA is one of the initial guidelines of the SCuBA project that “agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero-trust frameworks,” Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a blog post.
It will provide context, standard views, and terminology for all SCuBA efforts and, once fully developed, offer threat-based guidance for creating a secure implementation architecture.
“The proposed changes — expected after a public comment period — will have a ripple effect across cloud vendor offerings and raise expectations among regulators in all key industries around cloud security,” noted Forrester analysts in a blog post.
Analysts expect that SCuBA TRA will drive improvements in cloud security for both the private and public sectors, as it will push cloud service providers toward a common set of offerings necessary for federal civilian agencies, including baked-in visibility, and many enterprise users will want the same.
Additionally, the geopolitical conflict has led to more collaboration among cloud providers, the U.S. military, and security agencies. CISA will play a significant role in driving this national security agenda into the private sector, partly through the SCuBA project, “as private sector entities will seek to emulate much of what will be required of federal civilian agencies,” Forrester analysts wrote.
They also pointed out that SCuBA TRA is an update to the Federal Risk and Authorization Management Program (FedRAMP) as the program is showing signs of age in third-party monitoring, data protection, and identity security.
For cloud security, SCuBA TRA will also likely exceed FedRAMP’s impact as one of the most influential blueprints, analysts noted.