US government blames 2023 Exchange breach on ‘preventable’ security failures by Microsoft

The CSRB’s recommendations cover many areas, starting with implementing modern control mechanisms and baseline practices across digital identity and credential systems. The report also stresses the importance of establishing a minimum standard for default audit logging in cloud services.

“CSPs should maintain sufficient forensics to detect exfiltration of those data, including logging all access to those systems and any private keys stored within them,” the report states. It recommends that log retention periods cover the entire lifespan of a key and extend at least two years beyond its expiration, with longer 10-year retention potentially necessary for high-value logs.

To further bolster security, the CSRB advises cloud service providers to embrace emerging digital identity standards. The report calls upon relevant standards bodies to refine, update, and incorporate these standards into their frameworks, ensuring they adequately address the risks commonly exploited in the modern threat landscape.

Transparency is another key focus of the CSRB’s recommendations. The report urges cloud service providers to adopt incident and vulnerability disclosure practices that maximize transparency among their customers, stakeholders, and the United States government. Additionally, developing more effective victim notification and support mechanisms was deemed essential.

The report also highlights the need for updates to the Federal Risk and Authorization Management Program (FedRAMP) and its supporting frameworks. The CSRB recommends that the United States government establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings, particularly in the aftermath of high-impact situations.

Furthermore, the National Institute of Standards and Technology (NIST) is encouraged to incorporate feedback about observed threats and incidents related to cloud provider security into its guidelines and standards.


