At a glance.
- CISA's draft cloud security guidance.
- CISA's draft zero-trust model.
- OMB's zero-trust guidelines.
- OMB on logging requirements.
CISA publishes draft cloud security TRA…
In a follow-on to US President Biden’s cybersecurity Executive Order (EO), the US Cybersecurity and Infrastructure Security Agency (CISA) yesterday announced the release of its Cloud Security Technical Reference Architecture (TRA) along with a call for public comment, open through the first of next month. The TRA is intended to ease Federal agencies’ migration to the cloud and ensure lasting security as the technology advances, curbing breaches through best practices. The US Federal Risk and Authorization Management Program (FedRAMP) contributed a risk model and a synopsis of cloud offerings to the document, and the United States Digital Service (USDS) authored advice on building in the cloud. CISA provided direction on cloud security posture management (CSPM).
…and a draft model for zero trust...
The busy bees at CISA also released their Zero Trust Maturity Model for public comment yesterday, furthering EO 14028’s push for zero trust adoption across the Federal Government. Designed to support agencies’ transition, the model is built on five “pillars”—identity, device, network/environment, application workload, and data—and three “crosscutting capabilities”: visibility and analytics, automation and orchestration, and governance. CISA defines zero trust as “a security philosophy based on the premise that everyone and everything inside a network is suspect” and describes the framework’s distinguishing feature as a “continuous cycle of credentialing, verifying, and authorizing a user’s identity.”
…to complement OMB’s zero trust directive…
OMB’s Federal Zero Trust Strategy rounds out yesterday’s Federal guidance on moving towards EO 14028 milestones. OMB expects implementing zero trust architectures to “be a multi-year journey,” and points agencies to the first and most critical steps, giving them thirty days to select a zero trust captain and sixty days to integrate OMB conditions into their zero trust plans. The document also lays out deadlines for enacting practices aligned with CISA’s five pillars, including MFA, asset inventorying, network encryption and segmentation, application testing, and logging.
…and logging memo.
FEDweek has a refresher on the US Office of Management and Budget’s (OMB’s) memo for Federal agencies on how to improve their logging and information sharing practices in keeping with EO 14028. As we’ve seen, OMB’s memo set out a sequence of goals and target dates for logging maturity and directed agencies to share information with the FBI, CISA, and other departments. The four-tier maturity model emphasizes “centralized access and visibility” and initially prioritizes “high-impact systems and high value assets.”