The Trusted Internet Connections program on Thursday released a draft Cloud Use Case to round out its TIC 3.0 architecture for agencies.
The guidance instructs agencies on how to apply network and multi-boundary security within Infrastructure-, Platform-, Software- and Email-as-a-Service cloud environments.
TIC 3.0 is a Cybersecurity and Infrastructure Security Agency initiative to secure federal data, networks and boundaries while monitoring agency traffic, and cloud is the last of the initial use cases required by the September 2019 TIC 3.0 memo.
“Building upon the Cloud Security Technical Reference Architecture required by President Biden’s Cybersecurity Executive Order, this use case provides architectural guidance on different aspects of cloud services,” wrote Eric Goldstein, executive assistant director for cybersecurity, in a blog coinciding with the use case’s release. “With the appetite for cloud guidance growing, this new CISA resource will help federal agencies effectively leverage applicable aspects of the Cloud Security TRA and work to achieve a mandate in the EO for secure cloud services.”
Like the use cases before it, the Cloud Use Case outlines relevant security patterns, capabilities and telemetry requirements, but it incorporates the shared services model and cloud security posture management principles contained in the Cloud Security TRA. The authors wrote the use case from the perspective of cloud-hosted services, not clients accessing them.
TIC Program Manager Sean Connelly told FedScoop in April that the Cloud Use Case would feature a “large tone” of zero-trust security in keeping with the Cyber EO. The program was working with the Office of Management and Budget to determine if a zero-trust reference architecture should follow, though there’s no word on one as of yet.
Agencies, industry, academia and other interested parties have until July 22, 2022, to provide comments on the draft use case.