The Cybersecurity and Infrastructure Security Agency (CISA), an operational component of the U.S. Department of Homeland Security, released Version 2 of its Cloud Security Technical Reference Architecture (Cloud Security TRA) in June 2022. The Cloud Security TRA is part of the federal government's "Zero Trust" security strategy and was drafted to support federal agencies' implementation of President Biden's May 2021 Executive Order No. 14028, "Improving the Nation's Cybersecurity" (EO 14028). "Zero Trust" refers to a security framework requiring all users, whether inside or outside the organization's network, to be "authenticated, authorized, and continuously validated" before being granted access to (or maintaining continued access to) an organization's applications and data.[1]
Among other things, EO 14028 directed federal civilian executive branch (FCEB) agencies to accelerate their movement to secure cloud computing services. DWT discussed the original version of the Cloud Security TRA, released in September 2021, and EO 14028 in prior blog posts. Because federal cloud contracts and procurement programs are likely to incorporate provisions of the Cloud Security TRA, companies that provide cloud technologies and services to the federal government should review the document and consider how to incorporate its relevant provisions into any contract for migration, as well as how to employ the federal government's cloud migration strategies.
CISA drafted the Cloud Security TRA in consultation with the Director of the Office of Management and Budget (OMB) and the Administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP). The U.S. Digital Service is situated under OMB and is a senior team of technologists and engineers that supports the mission of departments and agencies through technology and design. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. The Cloud Security TRA recommends various approaches to cloud migration and cybersecurity for FCEB agencies that leverage Cloud Security Posture Management (CSPM)—a cloud security framework with defined security outcomes and capabilities.
The Cloud Security TRA addresses the advantages FCEB agencies can realize by migrating to the cloud.
It addresses topics including:
- Shared Services Layer, explaining how using various cloud service models will support agencies' cloud migration by shifting certain cybersecurity responsibilities to cloud service providers. For example, if a federal agency takes advantage of a Software-as-a-Service (SaaS) offering, the cloud service provider will generally be responsible for the hardware and software associated with the SaaS offering. The federal agency would generally only need to focus on securing the application or API connection used to access the SaaS offering.
- Cloud Migration, focusing on the planning and implementation steps that federal agencies should consider before moving databases and programs to the cloud.
- Cloud Security Posture Management ("CSPM"), explaining the importance and implementation of cloud security, defined as the continuous process of monitoring a cloud environment by identifying, alerting on, and mitigating cloud vulnerabilities; reducing risk; and improving cloud security. "CSPM supports continuous improvement of an agency's cybersecurity posture and capabilities, which enable agencies to keep up with emerging threats, protect against misconfigurations, and reduce the risk of a security incident or data breach." The Cloud Security TRA discusses how CSPM can support the federal government's "Zero Trust" security model, such as by using CSPM-defined security capabilities (e.g., identity management, asset management, network security, application security, and data protections) across their IT environments.
The Cloud Security TRA, in addition to the other documents and guidance stemming from EO 14028, shows that the federal government is focused on improving cybersecurity for federal and critical infrastructure data. As a result, both public sector and private sector service providers should consider what types of data they hold and whether they should reexamine their cybersecurity posture.
Agencies should identify the relevant statutes, regulations, and binding governmentwide policies, as well as any security standards that the agencies have agreed to follow. Based on these obligations, agencies should implement internal policies and capabilities for ensuring compliance across all aspects of their cloud services, including acquisition, billing and contract renewal, and termination of any provider, rather than focusing only on deployment and operations.
DWT's Information Security team will continue to follow the federal government's implementation of EO 14028, including its rollout of Zero Trust and its development of the Cloud Security TRA.
[1] The "Zero Trust" security model assumes there is no implicit trust of any credentialed user because any user could be an attacker. National Institute of Standards and Technology, "NIST Special Publication 800-207: Zero Trust Architecture" (2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.