CISA Releases ScubaGoggles Tool

A big step for SBMCC's mission in advancing multi-cloud usage and interoperability in government procurement came last month. The Cybersecurity and Infrastructure Agency (CISA) released its Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines. The new assessment tool, ScubaGoggles, comes after the December 21, 2023 finalization of the Microsoft-specific baselines, which are intended to advance protections, better safeguard sensitive information, and secure government services against malicious threat actors.

The goal of the baselines and ScubaGoggles is to support federal agencies in securing GWS environments and utilizing the built-in security capabilities to strengthen the overall cybersecurity posture of an organization. All organizations, whether public or private, can gain value from assessing their existing practices against the SCuBA Baselines. With ScubaGoggles, CISA released draft guidelines for nine GWS services: Groups for Business, Google Calendar, Google Common Controls, Google Classroom, Google Meet, Gmail, Google Chat, Google Drive and Docs, and Google Sites. The SBMCC advocates for an interoperable IaaS foundation that supports an interoperable suite of SaaS tools as the key to successfully improving service delivery and collaboration across the federal government and with the contractor community. Expanding CISA’s SCuBA program to include Microsoft and Google is a critical step in achieving that success by increasing trust, improving resiliency, and providing staff the ability to choose the service that will provide the best results based on individual circumstances.

According to survey data from Public Opinion Strategies (commissioned by Google), 76% of all workers nationally and 82% of workers in the D.C. metro area primarily use Microsoft products and services at work. That number is even higher for government workers – nationally 84% of employees primarily use Microsoft products with the D.C. metro area registering 92%. In breaking down the results, Google pointed out that there is a real desire for choice: “59% of government employees nationally, and an identical percentage from the D.C. metro area who use Microsoft at work, want a choice to use products other than Microsoft.” Among government employees in particular, nearly half (47%) are more likely to believe Microsoft products and services are vulnerable to cyberattack. The Army recognized this back in 2022, launching GWS as a choice that operates side-by-side with Outlook.

With ScubaGoogles, CISA should be applauded for working to safeguard additional cloud services, providing the entirety of the public sector, not just the Army, with the ability to choose and use a multi-cloud approach when it comes to collaboration SaaS. Overall, this step will aid in ensuring that neither private corporations nor the government fall victim to an end-all cyberattack by either a foreign adversary or skilled hackers.

CISA is seeking public comment on the baselines before January 12, 2024. SBMCC believes this an excellent opportunity for organizations of all levels to provide feedback on the GWS baselines and ScubaGoggles tool. To download the baselines and learn more about or provide feedback on ScubaGoggles, visit CISA’s GitHub or CISA.gov/SCUBA.