The Cybersecurity and Infrastructure Security Agency has published final cloud cybersecurity guidance for U.S. government agencies as part of its Secure Cloud Business Applications Project.
With the project, the federal cybersecurity agency has issued an extensible visibility reference framework guidebook and a technical reference architecture document, which it says will help public and private entities implement cloud cybersecurity best practices.
The fresh guidance comes after CISA in October issued recommended Microsoft 365 security configuration baselines for use in cloud security pilots by federal agencies and for public comment.
CISA’s Secure Cloud Business Applications project is focused on helping to protect sensitive information by providing agencies with minimum system specifications they must adhere to.
According to the agency, the technical reference architecture document is focused on helping government agencies to adopt technology for cloud deployment, adaptable solutions and zero-trust frameworks.
Commenting on the new documentation, CISA Executive Assistant for Cybersecurity Eric Goldstein said: “As evidenced by supply chain compromises and associated cyber threat campaigns, persistent threat actors continue to evolve their capabilities with the intent to compromise federal government networks and critical infrastructure, whether on on-premises or cloud-based environments.”
“The final eVRF and TRA provides all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” he said.
Last month, a report issued by the Government Accountability Office found that four federal agencies were not fully implementing requirements set out in the Federal Risk and Authorization Management Program.
Despite the decade-old mandate that agencies use FedRAMP to ensure services meet federal cloud security standards, the four departments — Treasury, Labor, Homeland Security and Agriculture — inconsistently implemented the program’s requirements, according to the audit.