The Cloud Executive Steering Group (CESG) is a public-private partnership consisting of agency heads and sector CEOs from the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), dedicated to bolstering regulatory and private sector cooperation. First launched in May 2023, following the publication of Treasury’s Financial Services Sector’s Adoption of Cloud Services report, the group has published a series of documents intended to arm financial institutions with effective practices for secure cloud adoption.
This first round of resources represents an important step forward in the public-private partnership model for critical infrastructure protection and showcases the remarkable collaboration between Treasury, the FBIIC, the FSSCC, and Cloud Service Providers (CSPs).
FBIIC-Led Deliverables
The following are the first round of FBIIC-led deliverables.
- Cloud Lexicon
  - Establishes a shared lexicon of terms used by cloud service providers and financial sector consumers, serving as a single repository and reference point. This document will enable CSPs and financial services sector institutions of all sizes to speak in standardized language when negotiating contract terms, establishing security schema, and adhering to regulatory standards.
- Information Sharing and Coordination of Examinations Initiative
  - Enhances information sharing and potential coordination that may support examinations related to cloud service providers under the respective agency’s legal authorities. The documented process will support enhanced coordination between designated agencies to address the risks to both the financial sector and consumers that can arise from financial institutions’ engagement with CSPs.
FSSCC-Led Deliverables
The following FSSCC-led deliverables are available on the FSSCC website.
- Cloud Profile Refinement and Adoption
  - The Cyber Risk Institute (CRI) has refined the CRI Cloud Profile based on stakeholder and user feedback. The CRI Cloud Profile 2.0 is an extension of the Cybersecurity Profile created by CRI, which is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity”. The tool provides a framework to assist financial institutions in ensuring secure cloud implementation, while remaining flexible as standards evolve over time.
- Cloud Outsourcing Issues and Consideration
  - Documents best practices for managing transparency-related issues, resource gaps, exposure to operational incidents originating at CSPs, and contract negotiation dynamics. The document identifies a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs to address cybersecurity, resilience, and third-party expectations.
- Improving Transparency and Monitoring of Cloud Services for Better “Security by Design/Default”
  - Provides two resources for financial institutions operating in CSP environments. The first is a service inter-dependency and resilience model that outlines service transparency and architecture best practices. The second proposes packaged cloud configurations that provide baseline security outcomes, enabling financial institutions to simplify the secure deployment of cloud infrastructure.
Under Treasury’s leadership, the CESG plans to publish additional items related to cloud-related cyber incident response coordination and cloud concentration risk as they are completed throughout the year.
Over the coming months, the CESG will reconvene with the private sector, federal departments and agencies, federal and state financial sector regulators, and international partners on key initiatives to address challenges surrounding the use of artificial intelligence (AI) in the financial sector. For additional information, see Treasury’s AI report.