The Cybersecurity and Infrastructure Security Agency (CISA) released the Cloud Security Technical Reference Architecture (TRA) and Zero Trust Maturity Model for public comment. As the federal government continues to expand past the traditional network perimeter, it is paramount that agencies implement data protection measures around cloud security and zero trust.

The TRA is designed to guide agencies’ secure migration to the cloud by explaining considerations for shared services, cloud migration, and cloud security posture management. CISA’s Zero Trust Maturity Model assists agencies in developing their zero trust strategies and implementation plans and presents ways in which various CISA services can support zero trust solutions across agencies.

Per Executive Order 14028, “Improving the Nation’s Cybersecurity,” CISA developed the Cloud Security TRA in partnership with the United States Digital Service (USDS) and the Federal Risk and Authorization Management Program (FedRAMP). CISA is releasing the document for public comment to collect critical feedback from agencies, industry, and academia, expanding this collaboration so that the guidance fully addresses considerations for secure cloud migration.

CISA drafted the Zero Trust Maturity Model in June to assist agencies in complying with the Executive Order. While the distribution was initially limited to agencies, CISA is excited to release the maturity model for public comment, the agency says.

“President Biden’s Cyber Executive Order outlined crucial steps needed to secure the federal government’s networks and CISA is focused on completing the required tasks and more,” said Eric Goldstein, Executive Assistant Director of Cybersecurity, CISA. “To meet agencies’ needs, we drafted the Zero Trust Maturity Model and Cloud Security TRA in coordination with USDS and FedRAMP. We are now requesting public comment to ensure our recommended cloud technology modernization and zero trust efforts, respectively, enable the best visibility, flexibility, and security.”

CISA will work with stakeholders to assess the valuable feedback and produce a new version of each guidance document following the comment period.

A public comment period begins today and is scheduled to conclude on Friday, October 1, 2021. During the comment period, members of the public can provide comments and feedback via email. Reviewers can submit their comments and feedback to

For more details about the guidance documents and their impact, read EAD Goldstein’s blogs about the Cloud Security TRA here and the Zero Trust Maturity Model here.