Executive Order on Improving the Nation's Cybersecurity

Section 3(c)(ii): Cloud Security Technical Reference Architecture

CISA, in collaboration with the United States Digital Service (USDS) and FedRAMP, developed the Cloud Security Technical Reference Architecture (TRA) in accordance with Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, this TRA will be a guide for agencies to leverage when migrating to the cloud securely. The document explains considerations for shared services, cloud migration, and cloud security posture management.

Cloud Security Technical Reference Architecture v.2 (PDF, 3.23 MB)

Zero Trust Maturity Model

Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," pushes agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly. To help this effort, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model to assist agencies as they implement zero trust architectures. The maturity model complements the Office of Management and Budget's (OMB) Zero Trust Strategy, designed to provide agencies with a roadmap and resources to achieve an optimal zero trust environment.

CISA's Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. The maturity model assists agencies in the development of their zero trust strategies and implementation plans and presents ways in which various CISA services can support zero trust solutions across agencies.

Zero Trust Maturity Model Version 2 (PDF, 1.43 MB)

Applying Zero Trust Principles to Enterprise Mobility

Among several measures, President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028) requires federal civilian agencies to establish plans to drive adoption of Zero Trust Architecture. The Office of Management and Budget (OMB) issued a zero trust (ZT) strategy document in response to the Cybersecurity EO that requires Federal agencies to achieve certain specific ZT goals by the end of Fiscal Year 2024.

To support federal agencies and other organizations on their journey toward zero trust, CISA has published Applying Zero Trust Principles to Enterprise Mobility. This new publication highlights the need for special consideration for mobile devices and associated enterprise security management capabilities due to their technological evolution and ubiquitous use.

Applying Zero Trust Principles to Enterprise Mobility (PDF, 1.11 MB)

Section 6: Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

Working together across all federal government organizations has proven to be an effective model for addressing vulnerabilities and incidents. To this end and pursuant to Section 6 of E.O. 14028, CISA has developed two playbooks: one for incident response and one for vulnerability response. These playbooks provide the federal enterprise with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting the Federal Civilian Executive Branch (FCEB) systems, data, and networks. Building on lessons learned from previous incidents and incorporating industry best practices, these playbooks evolve the federal government's practices for cybersecurity response by standardizing shared practices that bring together the best people and processes to drive coordinated actions. Although select processes contained in the playbooks only apply to federal agencies, the broader incident and vulnerability response practices described are useful to all organizations in both the public and private sectors.

The standardized processes and procedures described in these playbooks:

Agencies should use these playbooks to help shape overall defensive cyber operations to ensure consistent and effective response and coordinated communication of response activities. These playbooks enable FCEB entities to focus on criteria for response and thresholds for coordination and reporting. A standardized response process ensures that agencies, including CISA, can understand the impact of confirmed malicious cyber activity as well as critical and dangerous vulnerabilities across the federal government.