"Removing barriers to cloud" worries me. Many government agencies have banned USB storage devices due to the policy complication and security headaches it invariably creates; I don't see this going any better than them announcing that they're "removing barriers to USB".
Being a compromise between convenience and safety is a core aspect of security; however, when there's an administrative policy umbrella which covers a few ways "cloud" may be used safely, and when it may be used unsafely... it seems like they need to create their own exclusive cloud or rethink this (yes, I understand this is a very non-specific, high-level-view document, and that the implementation details aren't outlined).
Hearing 'this involves a lot of risk, let's do this right' is one thing; seeing administrative guidance from the US Government saying they will be implementing it is another thing entirely, and learning that this pertains to "cloud-in-general" use during the year 2019... I mean, to be clear, the document suggests that if they go through their own encryption funnel as specified by policy, they can touch third-party storage and applications. No matter how clandestinely you fill the safe, no matter how securely you hide the location in which it's buried, you're still using this big corporation's consumer-grade junk. There's the saying "don't implement a technical solution to solve an administrative problem" (and vice versa)... this is implementing an administrative policy to acknowledge the technical problem; however, what it will "solve" before they jump to the next thing will have to be seen. I'm willing to bet this will be scratched wholesale or changed dramatically far before 85% implementation.
Trusted Internet Connection (TIC) guidance for US government agencies will allow network traffic to flow separately from self-hosted physical TIC infrastructure, opening the door for cloud-based solutions.