The Cloud Safe Task Force – comprised of four nonprofits: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the IT Acquisition Advisory Council (IT-AAC) – published a paper on Feb. 14 offering recommendations for Congress, the White House, Federal agencies, and industry to improve government cloud security.
The paper offers a recommendation roadmap that summarizes key recommendations gathered from the task force’s inaugural event in December 2023.
“Without a collaborative approach to tackling these improvements to cloud security, our nation will continue to face significant attacks, placing unnecessary risk on our national security and critical government missions,” the paper says. “The Task Force offers this recommendation roadmap to Congress, the White House, Federal agencies, and industry.”
Congressional Recommendations
In its set of recommendations for Congress, the task force recommends lawmakers introduce secure cloud adoption legislation that addresses a variety of topics, such as shared accountability, AI-enabled continuous monitoring augmented by routine security testing, improved metrics, and regulatory harmonization.
This bill, the paper says, could be a standalone bill or an update to the 2014 Federal Information Security Management Act (FISMA).
Additionally, it recommends Congress develop a Cybersecurity Scorecard, with the help of the Office of the National Cyber Director (ONCD) and the Federal chief information security officer, “that includes real-time indicators and leverages industry’s metrics for cloud security.”
White House Recommendations
As for its recommendations for the White House’s Office of Management and Budget (OMB), the task force recommends that OMB update its Cloud Smart guidance to “Cloud Safe.”
OMB issued its final Cloud Smart guidance in 2019 as an update to its 2011 Cloud First policy. The task force said the guidance is due for another update to reflect modern security practices and requirements.
For instance, the paper says that the new Cloud Safe guidance should include “implementation guidance that includes security practices consistent with the latest administration’s proposed approaches,” such as zero trust.
Additionally, the Cloud Safe guidance should require the National Institute of Standards and Technology (NIST) to develop “interoperability standards for security across multi-cloud environments,” the Cloud Safe Task Force said.
The task force also directed OMB to enhance cyber metrics “to include real-time indicators and leverage industry best practices and existing NIST guidance.”
It also called on the White House to establish a public-private partnership that will enhance information sharing – leveraging AI-enabled threat data – and serve as the “front door” for all industry cyber interactions.
Federal Agency Recommendations
Federal agencies also received their own set of recommendations from the task force. It calls on them to work with Congress, OMB, the Cybersecurity and Infrastructure Security Agency (CISA), and NIST to improve continuous monitoring, information sharing, certification programs, and workforce challenges.
They should also report Cybersecurity Scorecard metrics to Congress, OMB, and agency leadership. Additionally, the task force called on them to partner with industry to improve monitoring, testing, automation, and measurement – via the proposed public-private partnership.
Industry Recommendations
Finally, the paper recommends that industry makes sure the government receives “innovation and security” updates on pace with updates made to non-government commercial cloud offerings.
It also recommends industry works with the White House and Congress “to enhance continuous monitoring for improved threat detection through AI enablement and routine security testing, achieve greater automation in certification and incident response, implement the reporting of real-time cybersecurity metrics, improve overall security transparency, and improve the adoption of agile acquisition and management processes for cloud operations.”
The Cloud Safe Task Force said it has scheduled additional working sessions throughout 2024, and it plans to publish more details on these recommendations with specific solutions.
