Cloud Security Technical Reference Architecture

Coauthored by:
Cybersecurity and Infrastructure Security Agency,
United States Digital Service, and
Federal Risk and Authorization Management Program

The purpose of the Cloud Security Technical Reference Architecture is to guide agencies in a coordinated and deliberate way as they continue to adopt cloud technology. This approach will allow the Federal Government to identify, detect, protect, respond, and recover from cyber incidents, while improving cybersecurity across the .gov enterprise. As outlined in Executive Order 14028, this document seeks to inform agencies of the advantages and inherent risks of adopting cloud-based services as they begin to implement zero trust architectures. The Cloud Security Technical Reference Architecture also illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.
This technical reference architecture is intended to provide guidance to agencies adopting cloud services
in the following ways:
• Cloud Deployment: provides guidance for agencies to securely transition to, deploy, integrate,
maintain, and operate cloud services.
• Adaptable Solutions: provides a flexible and broadly applicable architecture that identifies cloud
capabilities and vendor agnostic solutions.
• Secure Architectures: supports the establishment of cloud environments and secure
infrastructures, platforms, and services for agency operations.
• Development, Security, and Operations (DevSecOps): supports a secure and dynamic
development and engineering cycle that prioritizes the design, development, and delivery of
capabilities by building, learning, and iterating solutions as agencies transition and evolve.
• Zero Trust: supports agencies as they plan to adopt zero trust architectures.

This technical reference architecture is divided into three major sections:
• Shared Services: This section covers standardized baselines to evaluate the security of cloud
• Cloud Migration: This section outlines the strategies and considerations of cloud migration,
including explanations of common migration scenarios.
• Cloud Security Posture Management: This section defines Cloud Security Posture Management (CSPM) and enumerates related security tools for monitoring, development, integration, risk assessment, and incident response in cloud environments.
While each major section covers unique aspects of cloud security, they share common synergies that
support the overall goal of modernizing cloud security. Understanding the features of shared services and
the delineation of responsibilities for managing and securing such services is critical to agencies’ cloud
migration and security posture management. Migrating to the cloud can help agencies keep pace with the evolving technology landscape by improving both their operations and their security. Lastly, CSPM
capabilities will allow agencies to dynamically protect their cloud resources both at scale and across their
