Updates to NIST Cybersecurity Guidance Show Continued Focus on Cloud Services

Recent draft cybersecurity guidance from the National Institute of Standards and Technology (NIST) provides an opportunity for government contractors who provide IT services to federal agencies to weigh in on implementation of security configurations for cloud services. This new guidance is the latest in a series of recommendations from multiple federal agencies focusing on the allocation of roles and responsibilities between cloud service providers and their federal and commercial enterprise customers. 

NIST Seeks Comments on Protecting Tokens in Federal Cloud Environments

As we noted in June 2025, the Executive Order titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity” updated a January 16, 2025 Executive Order and retained provisions focused on cloud providers, including updates to the FedRAMP program, and a directive to NIST to “develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.”

NIST has now released the initial public draft of its publication fulfilling that directive: NIST IR 8587, Protecting Tokens and Assertions from Forgery, Theft, and Misuse: Implementation Recommendations for Agencies and Cloud Service Providers. The draft is open for public comment until January 30, 2026.

NIST developed the draft in cooperation with the Joint Cybersecurity Defense Collaborative (JCDC) hosted by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The JCDC hosted a “technical exchange” in June 2025 that informed the development of the draft.

NIST’s Guidance Underscores the Importance of Clearly Allocating and Understanding Security Responsibilities

Draft NIST IR 8587 is voluntary technical guidance focused on “federal environments” that addresses controls for identity and access management systems that use digital tokens and “signed assertions,” such as Single Sign-On and API access. NIST posits that four principles are necessary for cloud providers to have secure relationships with customers: secure development and design, transparency, configurability, and interoperability. Similarly, customer federal agencies should adopt three principles: risk assessment and control selection, tailoring, and secure integration and configuration. In addition to the technical guidance, the draft publication notably discusses how to manage responsibilities between cloud service providers and customers.

For example, NIST suggests that the providers are responsible for, among other things:

  • Securing underlying infrastructure;
  • Managing token issuance; and
  • Providing “configurable security controls and tools necessary for consumers to build secure applications and services.”

Customers, on the other hand, are responsible for:

  • Securely configuring their identity and access management policies;
  • Managing application-level credentials;
  • Enforcing authorization and access controls; and
  • Responding to incidents.

NIST points out the importance of both parties clearly understanding their respective responsibilities.

Federal Guidance Has Emphasized the Need for Clarity in Cloud Services Partnerships

NIST’s focus on the allocation of responsibilities between cloud providers and customers is consistent with ongoing focus and guidance from CISA. CISA’s “Secure Cloud Business Applications (SCuBA)” project, first kicked off in 2022, developed cloud solutions guidance and “secure configuration baselines” for major cloud provider applications, while CISA’s “Secure by Design” initiative emphasized the “shared responsibility model” between customers and technology suppliers. In 2025, CISA made the SCuBA baselines mandatory for federal information systems through a Binding Operational Directive. This focus is consistent with the threat landscape, as industry and intelligence reports continue to identify misconfigurations as points of access for threat actors into cloud environments.

Beyond Federal IT Contracts

Many commercial contracts contain language for parties to use reasonable security measures consistent with industry standards. To determine reasonableness and industry standards, parties often look to NIST and other similar authorities. Consistent with that practice, once finalized, this guidance could become relevant in commercial settings.

Federal IT Contractors Should Consider Reviewing and Commenting on the Draft NIST Guidance

While the new draft NIST guidance remains voluntary until implemented for federal agencies through Office of Management and Budget guidance, agencies can implement this guidance through contract or grant requirements. Therefore, federal contractors who provide cloud security or implementation services to federal agencies may want to review and comment on the proposed guidance, as such companies are likely to be responsible for implementing the guidance, once finalized, on federal networks. Companies that rely heavily on cloud services may also wish to review NIST’s discussion of the appropriate allocation of security tasks and responsibilities. Comments to NIST are due January 30, 2026.

*********

Wiley’s cross-disciplinary Government Contracts, National Security, and Privacy, Cyber & Data Governance teams have significant experience advising clients on compliance with federal cybersecurity regulatory and contractual requirements and will continue to monitor these developments.
