1 min read

Dive into Secure Cloud Configuration with SCuBA

Stephanie Goetz : Updated on September 20, 2024

Dive into Secure Cloud Configuration with SCuBA

Dive-into-Secure-Cloud-Configuration-with-SCuBA

CISA, the US Cybersecurity & Infrastructure Security Agency, began an initiative to help organizations manage cloud risks with the Secure Cloud Business Applications (SCuBA) project. While there are many secure cloud configuration guides, such as CIS (Center for Internet Security), SCuBA puts a new twist on them by measuring attack patterns and measuring the visibility into them. Intriguing!

Here are some takeaways compared to CIS:

  1. Simpler than CIS Benchmarks, SCuBA is minimum viable security requirements, so depending on risk tolerance and the criticality of data in O365, you can scale back to SCuBA vs CIS.

  2. Both give scripts and a step-by-step of how to configure. While both SCuBA and CIS offer scripts to implement and audit configurations, SCuBA offers GitHub downloads for easier implementation.

  3. CIS requires email and identification information to download while SCuBA has no requirements.

  4. SCuBA has additional insights into risks, attack patterns, and visibility into those with its eVRF framework. While I haven’t walked through one completely, it’s an interesting take and can provide valuable insight into monitoring, alerting, and configuration. Here’s an example from CISA’s framework document:

Picture2

  1. SCuBA was released in 2023, and was subject to a comment period in 2022. It doesn’t have as much mileage on it as the CIS Benchmarks, which started in 2000.

 

While the SCuBA has an interesting approach for a control framework, I haven’t seen an implementation of this yet. CIS has much more experience and is a suggested replacement for the Cybersecurity Assessment Tool (CAT) by the FFIEC. However, SCuBA could complement with attack patterns and visibility into cloud applications.

Here are links to the framework and information to explore:

https://www.cisa.gov/sites/default/files/2023-06/CSSO-SCUBA-eVRF%20Guidebook-guidance%20documentV2_508c.pdf

https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project

 

 

 

How do you measure success when it comes to stopping Phishing attacks?

Chris Bedel : Aug 24, 2016

An article on CSO Online this week caught my attention and raises an excellent question. That being, "what is a good success rate in your phishing...

Uncategorized
Read More
Moving from the CAT to CSF: A More Strategic Path for Community Financial Institutions

Moving from the CAT to CSF: A More Strategic Path for Community Financial Institutions

Chris Bedel : Oct 10, 2025

Cybersecurity Assessment Tool CAT FFIEC Banking NIST-CSF CAT Replacement
Read More
Why You Need Both an Information Security Risk Assessment and a Framework Self-Assessment

Why You Need Both an Information Security Risk Assessment and a Framework Self-Assessment

Trisha Durkin : Aug 22, 2025

When it comes to managing cybersecurity risk in community financial institutions, there’s often confusion between two key activities: the Information...

Risk Assessment NIST Risk Management Self Assessment CRI
Read More