SecureWorld News

3 Points on Security and the Cloud from New Federal Government Focus

Written by SecureWorld News Team | Mon | Sep 24, 2018 | 5:06 PM Z

The U.S. government is marking its growing maturity in the cloud by announcing a new strategy: it will go from "Cloud First" to "Cloud Smart."

The government implemented its "Cloud First" strategy in 2010, when cloud adoption was a newer trend. Now it wants to leverage the power of cloud technology as much as possible, since so much of the government's data has moved to the cloud.

Security in the cloud a key focus of U.S. government

The government published a new cloud strategy document and asked for feedback on its "Cloud Smart" goals and focus. Perhaps you will have something to say about the way it is approaching cybersecurity in the cloud.

The overview:

"To implement a risk-based approach to cloud adoption, agencies should transition to security and protections at the data layer instead of the network and physical infrastructure layers, as well as improve the governance of systems. Additionally, it is critical that agencies have comprehensive visibility of their data, both on-premises and in the cloud, and perform continuous monitoring in order to detect malicious activity. As agencies approach their modernization efforts, they should apply these capabilities to their high-risk, high-value assets first in order to take advantage of all that cloud has to offer."

3 ways to secure data in the cloud, the federal government approach

The U.S. government strategy document also outlines three specific parts of its security program for operating in the cloud.

  1. Trusted Internet Connections: 
    "In the current landscape, requiring all agency network traffic to flow through a limited number of Trusted Internet Connections is no longer feasible as a one-size-fits-all strategy. This design choice has hampered agencies’ ability to acquire new technologies including commercial cloud solutions, which use a distributed network model and use virtual, rather than physical, controls of data."

  2. Continuous Data Protection and Awareness:
    "An agency is the custodian of its data on behalf of the public. As such, each agency should determine its own governance model for cloud-hosted data that aligns with their identity and credential management systems. Additionally, where a cloud solution is deployed by a vendor, a Service Level Agreement (SLA) should be in place that provides the agency with continuous awareness of the confidentiality, security, and availability of its data.

    Furthermore, agencies should be made aware if their data resides on third-party information systems, provided with access to log data, and notified promptly if a cyber-incident or other adverse event occurs."

  3. FedRAMP, the Federal Risk and Authorization Management Program:
     "... a government-wide program that has proven the value of a standardized approach to security assessment, authorization, and continuous monitoring for large cloud services providers. Cloud service providers have shown their ability to meet Federal security requirements through standardized baselines and common criteria. With the growing marketplace of providers, agencies have been able to rapidly adapt from old, unsecured legacy technology to mission-enabling, secure, and cost-effective cloud-based systems."

Do you have input on the federal government's new cloud strategy or its security in the cloud approach? If so, you can comment on GitHub or email a comment on the new "Cloud Smart" strategy document.

Send your content suggestions or proposed revisions to the OMB Office of the Federal Chief Information Officer via email to ofcio@omb.eop.gov.

Please note that all comments received will be posted publicly.