Multi-Cloud Security Public Working Group

Related References

Title / Topic	Description
Executive Order (EO) 14028 On Improving The Nation's Cybersecurity	Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in consultation with the Director of the Office of Management and Budget (OMB) and the Administrator of General Services acting through the Federal Risk Authorization Management Program (FedRAMP), have developed the Cloud Security Technical Reference Architecture to illustrate recommended approaches to cloud migration and data protection for agency data collection and reporting that leverages Cloud Security Posture Management (CSPM). This technical reference architecture also informs agencies of the advantages and inherent risks of adopting cloud-based services as agencies move closer to zero trust architecture. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Federal Cloud Computing Strategy	From Cloud First to Cloud Smart - The 2019 Federal Cloud Computing Strategy — Cloud Smart — is a long-term, high-level strategy to drive cloud adoption in Federal agencies. This is the first cloud policy update in seven years, offering a path forward for agencies to migrate to a safe and secure cloud infrastructure. This new strategy will support agencies to achieve additional savings, security, and will deliver faster services. https://cloud.cio.gov/
DHS/OIG/PIA-003 Data Analytics Cloud System	The U.S. Department of Homeland Security (DHS) Office of Inspector General (OIG) is responsible for conducting and supervising independent and objective audits, inspections, and investigations of the Department of Homeland Security’s programs and operations. The Office of Inspector General’s Office of the Chief Data Officer (OCDO) established the Data Analytics Cloud System (DACS) to ingest, store, manage, and analyze information necessary for these audits, inspections, and investigations, as well as information necessary to improve Office of Inspector General’s operational effectiveness and efficiency. The Office of the Chief Data Officer acquires, integrates, and analyzes large volumes of data from Department of Homeland Security systems, other government agencies, public sources, and vendors that frequently include personally identifiable information (PII) and sensitive PII (SPII). https://www.dhs.gov/publications-library/collections/privacy-impact-assessments-%28pia%29
Meeting TIC requirements	Agencies hosting workloads on cloud.gov need to ensure compliance with the DHS CISA Trusted Internet Connections program. In September 2019, OMB released Memo M-19-26, which specified new standards for TIC 3.0, and DHS CISA is currently developing new guidance for workloads hosted in PaaS cloud environments. https://cloud.gov/docs/compliance/meeting-tic-requirements/
NIST Cloud Computing Program – NCCP Note: Links to the NIST SP500 series of cloud-related documents can be found on this page.	NIST Cloud Computing Program – NCCP The NCCP’s goal is to provide thought leadership and guidance around the cloud computing paradigm to catalyze its use within industry and government. NIST aims to shorten the adoption cycle, which will enable near-term cost savings and increased ability to quickly create and deploy enterprise applications. NIST aims to foster cloud computing systems and practices that support interoperability, portability, and security requirements that are appropriate and achievable for important usage scenarios. https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp
DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments	This website provides video recordings of the conference program feature presentations by experts on service mesh architecture and national leaders in DevSecOps and ZTA deployment, and demonstration of proof of concept use cases in multi-cloud environments. https://www.nist.gov/news-events/events/2021/01/devsecops-and-zero-trust-architecture-zta-multi-cloud-environments

Title / Topic

Description

Executive Order (EO) 14028

On Improving The Nation's Cybersecurity

Executive Order 14028, “Improving the Nation’s Cybersecurity” marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. To keep pace with modern technological advancements and evolving threats, the Federal Government continues to migrate to the cloud. In support of these efforts, the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in consultation with the Director of the Office of Management and Budget (OMB) and the Administrator of General Services acting through the Federal Risk Authorization Management Program (FedRAMP), have developed the Cloud Security Technical Reference Architecture to illustrate recommended approaches to cloud migration and data protection for agency data collection and reporting that leverages Cloud Security Posture Management (CSPM). This technical reference architecture also informs agencies of the advantages and inherent risks of adopting cloud-based services as agencies move closer to zero trust architecture.

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

Federal Cloud Computing Strategy

From Cloud First to Cloud Smart - The 2019 Federal Cloud Computing Strategy — Cloud Smart — is a long-term, high-level strategy to drive cloud adoption in Federal agencies. This is the first cloud policy update in seven years, offering a path forward for agencies to migrate to a safe and secure cloud infrastructure. This new strategy will support agencies to achieve additional savings, security, and will deliver faster services.

https://cloud.cio.gov/

DHS/OIG/PIA-003 Data Analytics Cloud System

The U.S. Department of Homeland Security (DHS) Office of Inspector General (OIG) is responsible for conducting and supervising independent and objective audits, inspections, and investigations of the Department of Homeland Security’s programs and operations. The Office of Inspector General’s Office of the Chief Data Officer (OCDO) established the Data Analytics Cloud System (DACS) to ingest, store, manage, and analyze information necessary for these audits, inspections, and investigations, as well as information necessary to improve Office of Inspector General’s operational effectiveness and efficiency. The Office of the Chief Data Officer acquires, integrates, and analyzes large volumes of data from Department of Homeland Security systems, other government agencies, public sources, and vendors that frequently include personally identifiable information (PII) and sensitive PII (SPII).

https://www.dhs.gov/publications-library/collections/privacy-impact-assessments-%28pia%29

Meeting TIC requirements

Agencies hosting workloads on cloud.gov need to ensure compliance with the DHS CISA Trusted Internet Connections program. In September 2019, OMB released Memo M-19-26, which specified new standards for TIC 3.0, and DHS CISA is currently developing new guidance for workloads hosted in PaaS cloud environments.

https://cloud.gov/docs/compliance/meeting-tic-requirements/

NIST Cloud Computing Program – NCCP

Note: Links to the NIST SP500 series of cloud-related documents can be found on this page.

NIST Cloud Computing Program – NCCP

The NCCP’s goal is to provide thought leadership and guidance around the cloud computing paradigm to catalyze its use within industry and government. NIST aims to shorten the adoption cycle, which will enable near-term cost savings and increased ability to quickly create and deploy enterprise applications. NIST aims to foster cloud computing systems and practices that support interoperability, portability, and security requirements that are appropriate and achievable for important usage scenarios.

https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp

DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments

This website provides video recordings of the conference program feature presentations by experts on service mesh architecture and national leaders in DevSecOps and ZTA deployment, and demonstration of proof of concept use cases in multi-cloud environments.

https://www.nist.gov/news-events/events/2021/01/devsecops-and-zero-trust-architecture-zta-multi-cloud-environments