CISA’s Cloud Security Technical Reference Architecture: Where it succeeds and where it falls short

President Biden’s Executive Order 14028 “Improving the Nation’s Cybersecurity” directed the Cybersecurity and Infrastructure Security Agency (CISA) to create a cloud-security technical reference architecture (RA) in coordination with the Office of Management and Budget (OMB) and the Federal Risk and Authorization Management Program (FedRAMP). The intent of the RA is to provide recommendations for cloud migration and data protection for agencies as the federal government continues its Cloud Smart pursuit.

The recently released RA is currently open for public comment. It is broken down into sections such as Purpose and Scope, Shared Services Layer, Cloud Migration, and Cloud Security Posture Management. While the RA provides much welcomed guidance and insight for federal agencies migrating to the cloud and maturing on that journey, it also highlights how far the government still has to go.

What the cloud-security technical reference architecture gets right

The RA seeks to provide guidance to agencies on how to best approach their cloud migration journeys. It does a great job of providing an overview of critical government cloud programs such as FedRAMP and the Cloud Smart initiative. The RA also details cloud service models, deployment types and the shared responsibility model.

The RA emphasizes the need to take a DevSecOps approach to designing software for the cloud and to use automation in areas such as security testing to facilitate this transition. There’s a compelling case made for why you should shift software to the cloud, including facilitating zero trust, benefits of APIs, and maximizing the inheritance of security controls to expedite system authorization through the authority to operate (ATO) process.

The RA stressed the need to have a cloud migration strategy and leverage innovative capabilities such as infrastructure as code (IaC) to ensure repeatability. A modern data governance strategy to fully maximize the value of cloud was also recommended.

Cloud migration challenges are highlighted, including funding, onboarding, infrastructure support, staffing and policy support. The negative impact these challenges could have on an agency’s cloud migration efforts should be factored into a comprehensive cloud migration strategy. The RA articulates the benefits of cloud migration from both a technical and operational perspective and these are coupled with cloud migration strategies, such as rehosting all the way to rebuilding or replacement when warranted.

The RA lays out several cloud migration scenarios that agencies frequently encounter to show how the migrations could occur and ultimately the benefits that would be derived from the migration activities.

Not only is DevSecOps mentioned but details of practices commonly associated with DevSecOps are described such as CI/CD, IaC, automation and more. There’s also an acknowledgement of how critical it is to invest in people through training, hiring and procurement. The federal government has a history of struggling to attract and retain tech talent and this is captured in the RA along with some recommendations on how to get past this hurdle, including through SME assessments and tapping into competent contractors with proven experience around digital and cloud activities.

An overarching theme of the RA is the push for zero trust, given the OMB recently released the Federal Zero Trust Strategy, and the emphasis on how cloud can help the government achieve zero trust. This can be done through SSO, segmentation, conditional access control and more that cloud provides.

Cloud security posture management (CSPM) received a significant portion of the document and included defining CSPM, outlining implementation needs and harmonizing executive order goals. Getting to the cloud is one thing; being secure in the cloud is another.

All in all, this is great insight for agencies pursuing cloud adoption and maturity and covers many common challenges agencies encounter as part of their cloud adoption activities. That said, we can’t stop there. If the government is going to achieve enterprise-wide cloud adoption success and maturity, it needs to take it further.

Going beyond the fundamentals

While the cloud-security RA provides great information, it also highlights just how far the US government still has to go in terms of its broadscale adoption, understanding and fluency around cloud computing. Of the 46-page PDF, nearly 20 pages were dedicated to fundamentals such as FedRAMP, the shared responsibility model, cloud service options, deployment models and why you should shift software to the cloud.

These items are critical when discussing cloud in the context of government, but it is problematic that so much of the RA was dedicated to these items. There’s no way to be competent in the cloud for the government without being familiar with FedRAMP, which was established in 2011 by the OMB. It provides a standardized risk assessment and authorization process for cloud service offerings for the government. Anyone leading, procuring, or leveraging cloud in the government space should be familiar with FedRAMP by now.

As pivotal as FedRAMP is, it also simply hasn’t kept pace with the government’s consumption or need for cloud service offerings. Despite being around for roughly a decade, FedRAMP currently has only 235 authorized cloud service providers (CSPs). Nowhere is this more pervasive than when looking at software-as-a-service (SaaS), which has roughly 15,000 vendors in the market. In fact, the EO itself hinted at this bottleneck, directing OMB and other agencies to assist in “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.”

Much like the FedRAMP focus, the RA goes through details explaining fundamental cloud concepts and deployment models. This information is derived from NIST 800-145 “The NIST Definition of Cloud Computing,” which is also a decade old.

These items highlight the reality that despite a federal government that is increasingly reliant on cloud computing at both the federal civilian and Department of Defense (DoD) levels, much of the workforce still lacks basic fluency around fundamental cloud concepts and entities relevant to the industry.

There’s an emphasis on the need to develop a DevSecOps mentality. Unlike the DoD, which has DoD-wide DevSecOps initiatives and reference designs, the federal civilian sector lacks a collaborative comprehensive strategy and approach. Despite the emphasis on IaC, the federal government also lacks a centralized artifact repository of pre-hardened and authorized IaC that could be leveraged government wide, leading to both reduced vulnerabilities, re-use and expedited authorization activities. It also lacks a federal compliance catalog that leans into documentation-as-code initiatives such as NIST’s OSCAL, which could lead to a Federal Compliance Library concept using repeatable component catalog. 

Leaning into cloud service functionality to streamline ATO’s timelines was discussed, but the government must take it a step further and maximize the value of innovative CSP and third-party cloud native offerings that provide near real-time continuous monitoring of security controls, such as NIST’s 800-53, which both the federal government and DoD comply with. Cloud enables a new age of compliance that does away with antiquated approaches of snapshots, sampling, overwhelmingly manual assessments and more.

Much of the discussion around CSPM was in the context of IaaS and PaaS services as well. Securing these service models is critical, but while organizations often use a few IaaS providers, they provide ten to hundreds of SaaS applications. SaaS governance is often missing from agencies’ discussions around cloud security, and to their detriment.

Lack of comprehensive SaaS governance leads to shadow IT, insecure configurations, sensitive data exposure and more. Agencies are rife with unauthorized and largely unmonitored SaaS usage, largely due to the FedRAMP bottleneck mentioned above.  Agencies should work to implement a SaaS governance strategy as part of their broader CSPM efforts. 

Despite the critiques mentioned above, the CISA Cloud Security Technical Reference Architecture was a much needed document as the government continues its cloud adoption and maturity journey and compliments many other goals, such as the push for zero trust. Agencies and their staff unfamiliar with the fundamentals laid out in the RA will benefit from learning them and those further along the journey can build on the additional insights provided. The federal government’s cloud strategy revolves around being “cloud smart”, and the more of these discussions and documents evangelizing cloud security best practices are provided, the more informed the Federal industry becomes as a whole.