CISA releases second version of secure cloud migration guidance for agencies

Next up the agency will publish finalized TIC 3.0 cloud use cases and a new version of the Zero Trust Maturity Model.

The Cybersecurity and Infrastructure Security Agency released the second version of guidance on securely migrating to the cloud for agencies Thursday.

The Cloud Security Technical Reference Architecture (CSTRA) defines and clarifies considerations for shared services, cloud migration and cloud security posture management, so agencies can make implementation plans.

CISA together with the U.S. Digital Service, Federal Risk and Authorization Management Program, and Office of Management and Budget strengthened the CSTRA based on more than 300 public comments received in September. The Cybersecurity Executive Order (EO) issued in May 2021 mandated the guidance to ensure agencies use public cloud more securely.

“There are possible opportunities for us to develop new [CSTRA] scenarios and work with agencies as they try to implement these concepts,” Sean Connelly, senior cybersecurity architect at CISA, told FedScoop on the sidelines of the Okta Gov Identity Summit. “That’s one area we see for opportunity and growth.”


Scenarios aren’t as big as use cases or playbooks but help agencies “connect the dots” when architecting services, Connelly added.

The same four agencies that developed the CSTRA plan to discuss how to advance the guidance in other ways, in alignment with the federal zero-trust architecture strategy and with the approval of the Office of the National Cyber Director.

“We want to look at more than just guidance,” Connelly said. “How can we help agencies throughout their modernization efforts writ large?”

With CSTRA Version 2 published, CISA shifts its attention to the Trusted Internet Connections 3.0 draft Cloud Use Case released June 16. The last use case outlined in OMB’s 2019 TIC 3.0 memo instructs agencies how to apply network and multi-boundary security within Infrastructure-, Platform-, Software- and Email-as-a-Service cloud environments.

The public has until July 22, 2022, to comment on the draft, after which Connelly’s TIC team will spend the better part of the summer incorporating feedback into the finalized use case.


From there it’s on to a new version of the Zero Trust Maturity Model for CISA.

“CISA and our partners will continue to provide expert, coherent and timely guidance to help agencies modernize their networks with sound cybersecurity and resilience to protect against evolving cyber adversaries,” said Eric Goldstein, executive assistant director for cybersecurity at CISA, in a statement. “While the TRA was developed for federal agencies, all organizations using or migrating to cloud environments should review this document and adopt the practices therein as applicable to most effectively manage organizational risk.”

Latest Podcasts