CISA finalizes trio of TIC 3.0 documents

The Cybersecurity and Infrastructure Security Agency introduced finalized Trusted Internet Connections 3.0 security architecture concepts supporting the latest technologies and various agencies adopting the guidance in three documents released Friday.

CISA also increased the number of TIC 3.0 security capabilities in response to agencies’ expedited adoption of cloud services, which introduce new cybersecurity vulnerabilities, during the coronavirus pandemic.

The agency published final, updated draft versions of the Program Guidebook, Reference Architecture and renamed Security Capabilities Catalog released in December based on nearly 500 federal, industry and public comments received through January.

“CISA anticipates the final core TIC 3.0 guidance will better address stakeholder needs and concerns,” reads the agency’s response to the comments. “The guidance is expected to evolve to reflect technological advancements, changes in threats, and the lessons learned from TIC pilots to help ensure its usefulness to federal agencies.”

Five themes emerged within the comments that CISA clarified:

• How TIC aligns with other CISA and federal programs like the National Cybersecurity Protection System and its Cloud Interface Reference Architecture;
• Plans for templates, working groups, webinars and roadshows explaining TIC guidance, in addition to its webpage;
• Terms and diagrams in the Program Guidebook and Reference Architecture;
• Where to find current use cases;
• Plans for consideration of proposed use cases with the Office of Management and Budget, General Services Administration, and Federal Chief Information Security Officer Council.

CISA has concluded its comment adjudication period and plans to release the remaining finalized TIC 3.0 documents — the Use Case Handbook, renamed Overlay Handbook, Traditional TIC Use Case, and Branch Office Use Case — later this summer.