The Cybersecurity and Infrastructure Security Agency (CISA) released cloud use case guidance for its Trusted Internet Connections (TIC) 3.0 program, the agency announced on June 16.
The use case guidance will help agencies that operate in cloud environments by providing network and multi-boundary security. The use case also gives considerations for deploying infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), or email-as-a-service (EaaS) products.
“This use case provides architectural guidance on different aspects of cloud services,” Eric Goldstein, CISA executive director for cybersecurity, said in the announcement. “With the appetite for cloud guidance growing, this new CISA resource will help federal agencies effectively leverage applicable aspects of the Cloud Security TRA and work to achieve a mandate in the EO (executive order) for secure cloud services.”
Similar to prior use cases, the guidance includes security patterns, applicable security capabilities, and telemetry requirements, as well as specific cloud considerations included in the cloud security technical reference architecture included in President Biden’s cybersecurity EO.
The development of the cloud use case and its inclusion of Iaas, PaaS, Saas, and EaaS considerations was announced by CISA TIC Program Manager Sean Connelly throughout 2021. Connelly originally expected the use case to come out by the end of 2021. The cloud use case comes after CISA released the final TIC 3.0 considerations for IPv6 in January.
The use case represents the fulfillment of the third phase of TIC 3.0 use cases CISA is responsible for. Connelly has previously said that Phase Four use cases will include a zero trust use case.
CISA is seeking feedback on the use case and asking for public comment until July 22. Members of the public who wish to comment are asked to email feedback to email@example.com.