A proposed rule by the U.S. Defense Department, Federal Acquisition Regulation: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, would amend the Federal Acquisition Regulation (FAR) to require cloud computing services at FedRAMP High to physically store all government data within the United States or its outlying areas or on government premises.
The Proposed Rule would advocate for data localization to the detriment of the U.S. Government’s mission, overall cybersecurity, and impact innovation. There are several misconceptions around data localization as a cybersecurity measure that fail to appreciate the larger economic and cybersecurity policy implications.
The primary misconception is that security of data in the cloud is tied to physical location. Leading cloud service providers implement significant physical security controls at each of their data centers. These, combined with even more important logical security controls, can protect data from numerous threat vectors. Additionally, recent breaches of U.S. government entities reiterate that the physical location of data is not a meaningful factor in the compromise of sensitive data. In fact, physical access to data storage equipment is very rarely a threat vector leveraged by malicious actors. Furthermore, when a Zero Trust model is implemented, it mitigates concerns that foreign governments could compel locally based cloud service providers to enable access to systems as all data would be appropriately encrypted.
Some data localization considerations include:
- Data localization goes against implementing a Zero Trust Architecture - As OMB notes in their Zero Trust Strategy, “the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.” Instead, OMB is driving agencies to implement Zero Trust capabilities, a concept based around logical controls, whereby information is protected at the data level from unauthorized access.
- Data localization reduces the advantages of commercial solutions - Data localization creates substantial costs and market inefficiencies for both providers and consumers of cloud services. For example, data localization catalyzing a movement to a “Gov Cloud” stymies the adoption of innovative commercial cloud innovations. Additionally, it may lead to solutions with limited redundancies, fewer features, and the potential for additional compliance friction.
- Global adoption of data localization - Governments around the world look to the U.S. for leadership on cybersecurity policy. The adoption of the proposed FAR rule on data localization would mistakenly promote it as a best practice and global norm. This would exacerbate the harms listed above, de-emphasize the objectively more secure Zero Trust approach, and contribute to the global fragmentation of the internet.
- Resilience - Data localization could harm security by limiting resilience and increasing risks related to data availability. As recent natural disasters and geopolitical conflicts have illustrated, the ability for data to be dispersed beyond a country’s borders is an invaluable method of achieving resilience and continuity in the face of real-world threats to national security. It also complicates the ability of global cloud providers to apply global analytics and patches at scale.
Data localization policies should be abandoned in favor of prioritizing the adoption of more effective Zero Trust principles. Policymakers should rethink the proposed FAR rule and embrace an approach enabling innovation and competitiveness. This aligns with the Biden Administration’s move to a zero trust security architecture as illustrated in Executive Order 14028, Improving the Nation’s Cybersecurity, and the Federal Zero Trust Strategy as published in OMB Memorandum M-22-09.
Industry Coalitions Push for NIST’s Secure Software Development Framework as Basis of CISA’s Secure-by-Design Initiative
The Cybersecurity Coalition and the Coalition to Reduce Cyber Risk submitted comments to the CISA on its whitepaper on security by design.
Cybersecurity Coalition, ADI Submit Comments on Updated Acquisition Regulations
The Cybersecurity Coalition, in partnership with the Alliance for Digital Innovation, submitted comments to U.S. government agencies regarding the proposed updates to the Federal Acquisition Regulations.
Hacking Policy Council Comments on NIST's responsibilities from AI EO
The Hacking Policy Council summited comments in response to the Request for Information (RFI) related to NIST’s responsibilities under the Artificial Intelligence Executive Order 14110.