The Trusted Internet Connections program aims to release its cloud use case in the next couple of months to round out the TIC 3.0 architecture for agencies, Program Manager Sean Connelly told FedScoop.
The TIC program hasn’t released a finalized use case since October — when it issued its remote user use case, defining how network and multi-boundary security should be applied when agencies permit remote users — but the cloud use case will meet the last of the requirements for the Cybersecurity and Infrastructure Security Agency laid out in the September 2019 TIC 3.0 memo.
“The other use cases were more on the client side: branch office, remote user,” Connelly said. “This is more on the application side, the service side.”
A zero trust reference architecture may follow, as there had been talk of one when the TIC 3.0 effort began, but Connelly is working with the Office of Management and Budget to determine how the two best align. The Department of Defense has a “great” zero trust reference architecture already, and the General Services Administration has playbook efforts around the strategy underway, Connelly said.
Such a reference architecture might not be necessary after agencies submit the zero-trust architecture implementation plans required by OMB.
“We’re going to look at those implementation plans, adjudicate them and then build off that and come out with another version of the maturity model to reflect where we’ve heard the agencies are and the vendor community,” Connelly said during the Zero Trust Summit presented by CyberScoop on Wednesday.
The Zero Trust Maturity Model has the same set of authors as the Cloud Security Technical Reference Architecture (TRA), CISA’s immediate focus along with the TIC 3.0 cloud use case. Required by the Cyber Executive Order, the finalized TRA is expected out in another month or so as a guide for agencies on secure cloud migration and data protection in keeping with zero trust.
CISA, the U.S. Digital Service and the Federal Risk and Authorization Management Program coauthored the document, the final version of which will emphasize phishing-resistant multi-factor authentication, OMB logging requirements and additional microservices and service mesh, as well as warm standby scenarios.
“I think it really helps move the ball forward,” Connelly said.