The Cloud Safe Task Force — made up of four nonprofit organizations: MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the Information Technology Acquisition Advisory Council (IT-AAC) — published a research paper on February 14 that provides recommendations to Congress, the White House, federal agencies, and industry to improve government cloud security.
The paper presents a recommendation roadmap summarizing the key recommendations gathered from the Task Force's inaugural event in December 2023.
“Without a collaborative approach to address these improvements in cloud security, our nation will continue to face significant attacks, placing unnecessary risks on our national security and critical government missions,” the document says. “The Task Force is submitting this recommendation roadmap to Congress, the White House, federal agencies, and industry.”
Congressional recommendations
In its set of recommendations for Congress, the task force recommends that lawmakers introduce secure cloud adoption legislation that addresses a variety of topics, such as shared accountability, AI-powered continuous monitoring augmented by routine security testing, improved metrics, and regulatory alignment.
The paper says this bill could be a standalone bill or an update to the Federal Information Security Management Act (FISMA) of 2014.
Additionally, it recommends that Congress develop, with the assistance of the Office of the National Cyber Director (ONCD) and the Federal Chief Information Security Officer, a cybersecurity scorecard “that includes real-time indicators and leverages industry metrics for cloud security.”
White House recommendations
As for its recommendations to the White House Office of Management and Budget (OMB), the task force recommends that OMB update its Cloud Smart guidance to “Cloud Safe.”
The Office of Management and Budget issued its final guidance on Cloud Smart in 2019 as an update to its 2011 Cloud First policy. The guidance is scheduled to be updated again to reflect modern security practices and requirements, the task force said.
For example, the paper says the new Cloud Safe guidelines should include “implementation guidance that includes security practices consistent with the latest proposed approaches to governance,” such as zero trust.
Additionally, the Cloud Safe guidelines should require the National Institute of Standards and Technology (NIST) to develop “standards for security interoperability across multiple cloud environments,” the Cloud Safe Task Force said.
The task force also called on the Office of Management and Budget to enhance cyber metrics “to include real-time indicators and leverage industry best practices and existing NIST guidance.”
It also called on the White House to create a public-private partnership that would enhance information sharing — leveraging AI-powered threat data — and serve as the “front door” for all industry cyber interactions.
Federal agency recommendations
Federal agencies also received their own set of recommendations from the task force. It calls on them to work with Congress, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency (CISA), and NIST to improve continuous monitoring, information sharing, certification programs, and workforce challenges.
They must also report cybersecurity scorecard metrics to Congress, the Office of Management and Budget, and agency leadership. In addition, the task force called on them to partner with industry to improve monitoring, testing, automation and measurement – through a proposed public-private partnership.
Industry recommendations
Finally, the paper recommends that industry ensure that government receives “innovation and security” updates in line with updates to non-government commercial cloud offerings.
It also recommends that industry work with the White House and Congress “to enhance continuous monitoring to improve threat detection by enabling artificial intelligence and routine security testing, achieve greater automation in certification and incident response, implement real-time cybersecurity metrics reporting, and improve overall security,” as well as transparency, improved acquisition adoption, and agile management of cloud operations.
The Cloud Safe Task Force said it has scheduled additional working sessions throughout 2024, and plans to publish more details on these recommendations with specific solutions.