Published Documents


 

Cloud Executive Steering Group Deliverables

The U.S. Department of Treasury established the Cloud Executive Steering Group (CESG) in May 2023 at the direction of the Financial Stability Oversight Council (FSOC) to help close the gaps identified in Treasury's report on the Financial Services Sector's Adoption of Cloud Services. The documents published here are authored by FSSCC and are intended to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury's report.

 

  • The Financial Sector Cloud Outsourcing Issues and Considerations document seeks to address challenges raised in the Treasury Cloud Report related to transparency, resource gaps, exposure to operational incidents originating at cloud service providers (CSPs), and contract negotiation dynamics. The document, authored collectively by the FSSCC Cloud Outsourcing Issues and Considerations Workstream and the American Bankers Association (ABA) with support from the Securities Industry and Financial Markets Association (SIFMA), identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs to address risks and regulatory and supervisory compliance expectations when using cloud services. These key considerations should be used as a voluntary reference tool by financial institutions during the contract negotiation phase of onboarding a CSP to appropriately address cybersecurity, resilience, and third-party due diligence expectations, and to enable compliance with growing financial services regulatory requirements and supervisory expectations. The document is hosted on the ABA webpage, located here.

 

  • The Cloud Profile 2.0, authored collectively by the FSSCC Cloud Profile Workstream and the Cyber Risk Institute (CRI), is intended to serve as a cloud security implementation plan for financial institutions of all sizes and functions. The Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, which is a tool based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It provides expectations for both financial institutions and CSPs and will serve as a common tool developed for effective practices in secure cloud implementation, while allowing the document to evolve as standards change over time. The document is hosted on the CRI webpage, located here.

 

  • The Transparency and Monitoring for Better “Secure-by-Design” document, authored collectively by the FSSCC Transparency and Monitoring Secure-by-Design Workstream and the Financial Services Information Sharing and Analysis Center (FS-ISAC), comprises two outputs for financial institutions with workloads running in CSP environments. The first is a service inter-dependency and resilience model that combines service transparency, architecture best practices, and more detailed information about how a CSP manages the resiliency of its own major services. The second proposes baseline security outcomes expected in financial institutions’ deployment of workloads running in CSP environments ("security by design" and "one-click" security) that make it easy for financial institutions to quickly turn on secure infrastructure with minimal engineering. These are resources that financial institutions of all sizes can use today to enhance their resiliency, and they provide CSPs with clear outcomes that would help financial institutions meet their industry and regulatory expectations. The document is hosted on the FS-ISAC webpage, located here.

 

For more information on the overall cloud effort and the Cloud Lexicon deliverable, please go to: https://home.treasury.gov/about/offices/domestic-finance/financial-institutions/cloud-executive-steering-group

Highlighted Resources

Cyber Storm 2020 After-Action Report
On August 10-14, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) conducted Cyber Storm 2020 (CS 2020), the seventh iteration of the national capstone cyber exercise that brings together the public and private sectors to simulate response to a cyber crisis impacting the Nation’s critical infrastructure.

Cybersecurity Profile
The FSSCC Cybersecurity Profile is now managed, updated, and maintained by the Cyber Risk Institute (CRI).

Automated Cybersecurity Assessment Tool
The Automated Cybersecurity Assessment Tool provides all members of the financial services industry with an outline of the guidance and a means to collect and score their responses to the Assessment questions.

Business Services Resilience and Restoration
This white paper defines key terms used in discussions related to operational resilience, business continuity/disaster recovery, and business restoration.