Recent draft cybersecurity guidance from the National Institute of Standards and Technology (NIST) provides an opportunity for government contractors who provide IT services to federal agencies to weigh in on implementation of security configurations for cloud services. This new guidance is the latest in a series of recommendations from multiple federal agencies focusing on the allocation of roles and responsibilities between cloud service providers and their federal and commercial enterprise customers.
NIST Seeks Comments on Protecting Tokens in Federal Cloud Environments
As we noted in June 2025, the Executive Order titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity” updated a January 16, 2025 Executive Order and retained provisions focused on cloud providers, including updates to the FedRAMP program, and a directive to NIST to “develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.”
NIST has now released the initial public draft of its publication fulfilling that directive: NIST IR 8587, Protecting Tokens and Assertions from Forgery, Theft, and Misuse: Implementation Recommendations for Agencies and Cloud Service Providers. The draft is open for public comment until January 30, 2026.
NIST developed the draft in cooperation with the Joint Cybersecurity Defense Collaborative (JCDC) hosted by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The JCDC hosted a “technical exchange” in June 2025 that informed the development of the draft.

