Cloud Security Technical Reference Architecture

The purpose of the Cloud Security Technical Reference Architecture (TRA) is to illustrate recommended approaches to cloud migration and data protection, as outlined in Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, the TRA will be a guide for agencies to leverage when migrating to the cloud securely. Additionally, the document explains considerations for shared services, cloud migration, and cloud security posture management.

The Cloud Security TRA was developed through a collaborative, multi-agency effort with contributions from the Cybersecurity and Infrastructure Security Agency (CISA), United States Digital Service (USDS), and the Federal Risk and Authorization Management Program (FedRAMP). The Cloud Security TRA provides agencies with guidance on the shared risk model for cloud service adoption (authored by FedRAMP), how to build a cloud environment (authored by USDS), and how to monitor such an environment through robust cloud security posture management (authored by CISA).

Public Comment Period - NOW OPEN!

CISA is releasing the Cloud Security TRA for public comment to collect critical feedback from agencies, industry, and academia to ensure the guidance fully addresses considerations for secure cloud migration. The public comment period begins Tuesday, September 7, 2021 and concludes on Friday, October 1, 2021. CISA is interested in gathering feedback focused on the following key questions:

  • Overall
    • The document strikes a balance between governance, operations, and security. Are there critical areas that should be expanded?
  • Section 3: Shared Services
    • Does the updated Authorization Boundary definition meet your organization’s needs?
  • Section 4: Cloud Migration
    • What additional scenarios could be incorporated?
  • Section 5: Cloud Security Posture Management
    • Does the definition of Cloud Security Posture Management in Section 5.1 align with and support your needs?
    • Section 5.2 outlines seven outcomes. Are there other outcomes to be considered?
    • Are there other capabilities of CSPM that should be highlighted in Section 5.3?

Reviewers can submit their feedback to Following the public comment period, CISA will work with OMB, USDS, and FedRAMP to produce an updated version of the guidance.

Taxonomy Topics
Attachment Media