US Government cloud security, information-sharing, and zero-trust guidelines.

Summary

By the CyberWire staff

At a glance.

CISA's draft cloud security guidance.
CISA's draft zero-trust model.
OMB's zero-trust guidelines.
OMB on logging requirements.

CISA publishes draft cloud security TRA…

In a follow on to US President Biden’s cybersecurity Executive Order (EO), the US Cybersecurity and Infrastructure Security Agency (CISA) yesterday announced the release of its Cloud Security Technical Reference Architecture (TRA) along with a call for public comment, open through the first of next month. The TRA is intended to ease Federal agencies’ migration to the cloud and ensure lasting security as the technology advances, curbing breaches through best practices. The US Federal Risk and Authorization Management Program (FedRAMP) contributed a risk model and a synopsis of cloud offerings to the document, and the United States Digital Service (USDS) authored cloud building advice. CISA provided direction on cloud security posture management (CSPM).

…and a draft model for zero trust...

The busy bees at CISA also released their Zero Trust Maturity Model for public comment yesterday, furthering EO 14028’s push for zero trust adoption across the Federal Government. Designed to support agencies’ transition, the model is built on five “pillars”—identity, device, network/environment, application workload, and data—and three “crosscutting capabilities”: visibility and analytics, automation and orchestration, and governance. CISA defines zero trust as “a security philosophy based on the premise that everyone and everything inside a network is suspect” and describes the framework’s distinguishing feature as a “continuous cycle of credentialing, verifying, and authorizing a user’s identity.”

…to complement OMB’s zero trust directive…

OMB’s Federal Zero Trust Strategy rounds out yesterday’s Federal guidance on moving towards EO 14028 milestones. OMB expects implementing zero trust architectures to “be a multi-year journey,” and points agencies to the first and most critical steps, giving them thirty days to select a zero trust captain and sixty days to integrate OMB conditions into their zero trust plans. The document also lays out deadlines for enacting practices aligned with CISA’s five pillars, including MFA, asset inventorying, network encryption and segmentation, application testing, and logging.

…and logging memo.

FEDweek has a refresher on the US Office of Management and Budget’s (OMB’s) memo for Federal agencies on how to improve their logging and information sharing practices in keeping with EO 14028. As we’ve seen, OMB’s memo set out a sequence of goals and target dates for logging maturity and directed agencies to share information with the FBI, CISA, and other departments. The four-tier maturity model emphasizes “centralized access and visibility” and initially prioritizes “high-impact systems and high value assets.”

Selected Reading

Moving the U.S. Government Towards Zero Trust Cybersecurity Principles (CISA) Read and comment on the U.S. government's draft Federal Zero Trust Strategy. This strategy is intended to accelerate federal agencies towards a shared baseline of early zero trust maturity.

Cloud Security Technical Reference Architecture (CISA) The purpose of the Cloud Security Technical Reference Architecture (TRA) is to illustrate recommended approaches to cloud migration and data protection, as outlined in Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, the TRA will be a guide for agencies to leverage when migrating to the cloud securely. Additionally, the document explains considerations for shared services, cloud migration, and cloud security posture management.

Cloudy With a Chance of Migration: Helping Agencies Make the Move to the Cloud (CISA) By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Zero Trust Maturity Model (CISA) CISA’s Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The goal of the maturity model is to assist agencies in the development of their zero trust strategies and implementation plans and present ways in which various CISA services can support zero trust solutions across agencies.

No Trust? No Problem: Maturing Towards Zero Trust Architectures (CISA) By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

Coinbase Says SEC Is Investigating Its Crypto Lending Program (Wall Street Journal) Coinbase co-founder and Chief Executive Brian Armstrong accused the SEC of using “intimidation tactics behind closed doors” to stop his company from launching a lending program.

Germany Admits Police Used Controversial Pegasus Spyware (SecurityWeek) The German government admitted that its federal police service used controversial Israeli spyware known as Pegasus, made by Israeli firm NSO Group

Allan Friedman: Software Bill of Materials Should Be Part of Multifaceted Cybersecurity Agenda (Executive Gov) Allan Friedman, who just moved to the Cybersecurity and Infrastructure Security Agency (CISA) to hel

Garbarino, Bipartisan Members Introduce The CISA Leadership Act (Representative Andrew Garbarino) Congressman Andrew R. Garbarino, Ranking Member of the House Committee on Homeland Security’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee introduced the CISA Leadership Act.

UK calls for browser-level controls to tackle cookie pop-up fatigue (The Record by Recorded Future) The UK's privacy and data protection authority says that people are tired of cookie pop-ups and that the current cookie consent mechanism should be moved at the browser level.