Cloud Security Technical Reference Architecture

The purpose of the Cloud Security Technical Reference Architecture (TRA) is to illustrate recommended approaches to cloud migration and data protection, as outlined in Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, the TRA will be a guide for agencies to leverage when migrating to the cloud securely. Additionally, the document explains considerations for shared services, cloud migration, and cloud security posture management.

The Cloud Security TRA was developed through a collaborative, multi-agency effort with contributions from the Cybersecurity and Infrastructure Security Agency (CISA), United States Digital Service (USDS), and the Federal Risk and Authorization Management Program (FedRAMP). The Cloud Security TRA provides agencies with guidance on the shared risk model for cloud service adoption (authored by FedRAMP), how to build a cloud environment (authored by USDS), and how to monitor such an environment through robust cloud security posture management (authored by CISA).

Public Comment Period - CLOSED

CISA released the Cloud Security TRA for public comment to collect critical feedback from agencies, industry, and academia to ensure the guidance fully addresses considerations for secure cloud migration. The public comment period began Tuesday, September 7, 2021 and concluded on Friday, October 1, 2021. CISA is working with OMB, USDS, and FedRAMP to adjudicate the comments and produce an updated version of the guidance.