CISA Releases Second Version of Guidance for Secure Migration to the Cloud

The Cybersecurity and Infrastructure Security Agency (CISA) published the second version of “Cloud Security Technical Reference Architecture (TRA)” today, which strengthens guidance to fulfill a key mandate under President Biden’s Executive Order (EO) 14028 - "Improving the Nation's Cybersecurity." The Cloud Services TRA is designed to guide agencies’ secure migration to the cloud by defining and clarifying considerations for shared services, cloud migration, and cloud security posture management.

As the Federal Government, along with organizations across sectors, continues to migrate to the cloud, it is paramount that agencies implement measures to protect it. The Cloud Security TRA, co-authored by CISA, the United States Digital Service (USDS), and the Federal Risk and Authorization Management Program (FedRAMP), provides foundational guidance for organizations to use public cloud more securely and improve the ability of the federal government to identify, detect, protect, respond, and recover from cyber incidents.

“As the nation’s cyber defense agency, CISA works collaboratively with our interagency partners to implement improvements that make our federal civilian agencies more resilient to cyber threats,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The updated Cloud Security TRA is a key step forward for each agency’s transition to the cloud environment. CISA and our partners will continue to provide expert, coherent, and timely guidance to help agencies modernize their networks with sound cybersecurity and resilience to protect against evolving cyber adversaries. While the TRA was developed for federal agencies, all organizations using or migrating to cloud environments should review this document and adopt the practices therein as applicable to most effectively manage organizational risk.”

In consultation with the Office of Management and Budget, the three agencies adjudicated more than 300 public comments received in September 2021. This feedback helped to further strengthen the Cloud Security TRA and fully address a host of considerations for secure cloud migration. A summary of the feedback received, as well as a Response to Comments (RTC), is available in the Response to Comments for Cloud Security Technical Reference Architecture.

ESF Members, NSA and CISA publish the fourth installment of 5G cybersecurity guidance

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the fourth installment on securing integrity of 5G cloud infrastructures, Ensure Integrity of Cloud Infrastructure. As 5G networks and devices continue to increase in popularity, the importance of platform security to harden your systems against malicious cyber activity and persistence is apparent.

This guidance has been created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group, a public-private working group led by NSA and CISA that provides cybersecurity guidance addressing high priority threats to the nation’s critical infrastructure.

Ensure Integrity of Cloud Infrastructure provides guidance on platform integrity, build time security, launch time integrity, and micro services infrastructure integrity. An industry trend has been to deploy stand-alone 5G core using virtualized functions of micro services on an architecture that provides rapid enablement of services. It is imperative for device and system security that the underlying 5G cloud infrastructure platform on which micro services are deployed, or orchestrated, have been designed and built securely and continue operating as intended.

"A secure 5G core requires cybersecurity mitigations that are implemented at the foundation level and carried forward," said Jorge Laurel, NSA Project Director for ESF. "A secure underlying foundation ensures the services deployed on the network are done so on a secure infrastructure, which further strengthens the security of data across the network."

“The document provides actionable advice for 5G operators,” said Neal Ziring, NSA Cybersecurity Technical Director. “The fourth installment in the series covers an essential topic: integrity. Integrity is the most fundamental security property, and ensuring integrity from base hardware up through the software stack is critical for maintaining trustworthy 5G services.”

“The issues facing the cloud community, such as lateral movement to pod security and infrastructure integrity, are complex as are their solutions,” said Alaina Clark, Assistant Director of Stakeholder Engagement, CISA. “This series demonstrates the value of collaboration, spotlighting several cyber best practices that cloud providers, mobile network operators, and customers alike can implement for long-term security benefits. With our ESF government and industry associates, CISA will continue working with the Cloud and 5G communities to secure our Nation’s network infrastructure through partnership efforts like this.”