The Cloud Safe Task Force—comprised of four nonprofit organizations: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the Information Technology Acquisition Advisory Council (IT-AAC)—published a research paper on February 14 offering recommendations to Congress, the White House, federal agencies, and industry to improve government cloud security.
The paper provides a recommendations roadmap summarizing key recommendations gathered from the Task Force’s inaugural event in December 2023.
“Without a collaborative approach to address these improvements in cloud computing security, our nation will continue to face significant attacks, putting our national security and critical government missions at unnecessary risk,” the paper says. “This task force provides a roadmap of recommendations to Congress, the White House, federal agencies, and industry.”
Congressional Recommendations
In its set of recommendations to Congress, the task force recommended that lawmakers pass legislation to promote secure cloud adoption that addresses a variety of topics, such as shared accountability, continuous AI-powered monitoring enhanced by routine security testing, improved metrics, and regulatory alignment.
The paper says the bill could be a standalone bill or an update to the Federal Information Security Management Act of 2014 (FISMA).
Additionally, the task force recommends that Congress develop a cybersecurity scorecard, with the assistance of the Office of the National Cybersecurity Director and the Federal Chief Information Security Officer, “that includes real-time indicators and leverages industry metrics for cloud security.”
White House Recommendations
As for its recommendations to the White House Office of Management and Budget, the task force recommends that OMB update its Cloud Smart guidance to “Cloud Safe.”
OMB released its final guidance on Cloud Smart in 2019 as an update to its Cloud First policy adopted in 2011. The task force said the guidance is due for another update to reflect modern security practices and requirements.
For example, the paper says that the new Cloud Safe guidelines should include “implementation guidance that includes security practices consistent with the latest approaches proposed by the administration,” such as zero trust.
Additionally, the Cloud Safe guidelines should require the National Institute of Standards and Technology (NIST) to develop “interoperability standards for security across multiple cloud environments,” the Cloud Safe Task Force said.
The task force also called on the Office of Management and Budget to enhance cyber metrics “to include real-time indicators and leverage industry best practices and existing NIST guidance.”
The task force also called on the White House to create a public-private partnership that would enhance information sharing, leveraging AI-powered threat data, and serve as the “front door” for all cyber interactions with industry.
Federal Agency Recommendations
Federal agencies also received their own set of recommendations from the task force. These recommendations call on agencies to work with Congress, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, and the National Institute of Standards and Technology to improve ongoing monitoring, information sharing, and certification programs, and to address workforce challenges.
The task force also recommends that agencies report cybersecurity scorecard metrics to Congress, the Office of Management and Budget, and agency leadership. In addition, it called on them to partner with industry, through the proposed public-private partnership, to improve monitoring, testing, automation, and measurement.
Industry Recommendations
Finally, the paper recommends that industry ensure that government receives “innovation and security” updates in line with updates provided to non-government commercial cloud offerings.
The paper also recommends that industry work with the White House and Congress to “enhance continuous monitoring to improve threat detection by enabling AI and routine security testing, achieving greater automation in certification and incident response, implementing real-time cybersecurity metrics reporting, improving overall security transparency, and improving adoption of acquisitions and agile cloud management.”
The Cloud Safe Task Force said it has scheduled additional work sessions throughout 2024, and plans to release more details on these recommendations with specific solutions.