Cloudy With a Chance of Migration: Helping Agencies Make the Move to the Cloud


By: Eric Goldstein, Executive Assistant Director, Cybersecurity and Infrastructure Security Agency

The forecast has long called for agencies’ transition to cloud services, and a new guidance document just allowed for a smooth and secure migration process. Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Cloud Security Technical Reference Architecture (TRA) for public comment, in accordance with Section 3(c)(ii) of Executive Order 14028. CISA hopes that feedback from agencies, industry, and academia will help us include all considerations for secure cloud migration.

The Approach

To tackle such a complex subject as cloud security, CISA teamed up with the United States Digital Service (USDS) and the Federal Risk and Authorization Management Program (FedRAMP) to co-author the guidance. Each organization brought a unique perspective to different aspects of the cloud migration process, which is reflected in the layout of the document:


  • FedRAMP provided an overview of different cloud services, the shared risk model for cloud service adoption, and how FedRAMP resources can help agencies select and operate cloud services.
  • USDS gave a rundown of all things cloud migration: benefits, challenges, strategies, and scenarios. So once agencies understand FedRAMP cloud considerations, they can reference the USDS recommendations as they build and maintain different cloud environments.
  • CISA explained the importance of robust cloud security posture management, or CSPM, in the implementation and monitoring phases of cloud migration. So once agencies build their cloud environments using USDS recommendations, they can act on the CSPM capabilities and outcomes to integrate zero trust principles and maintain a strong cloud security posture into the future.

The Result

The Cloud Security TRA can help agencies at all points in the cloud migration process; agencies still using on-premises systems will be better prepared to migrate securely and effectively to the cloud, while agencies currently migrating to the cloud can reference the TRA to ensure they’re on the right course. Designed using an iterative approach, agencies can continue to reference the TRA into the future as cloud security technologies and practices continue to evolve. Most importantly, the TRA can help decrease cyber breaches across the federal network. The use of modern security tools, appropriate cloud configurations, and cloud security best practices will strengthen the government’s defenses and reduce the amount of resources spent on incident response and recovery.

The Ask

The TRA public comment period will run from Tuesday, September 7th until Friday, October 1st. We encourage readers to provide any comments, feedback, or questions they may have. Reviewers can submit their feedback to Following the comment period, CISA will collaborate with USDS and FedRAMP to produce a subsequent version of the guidance. We look forward to working with agencies and the public as we weather this move to the cloud.