CISA releases draft TIC 3.0 guidance approving more use cases
The Cybersecurity and Infrastructure Security Agency released new Trusted Internet Connections 3.0 draft guidance that adjusts to federal agencies narrowing their cyberdefenses.
CISA, an agency within the Department of Homeland Security, provided the draft security guidance to assist agencies moving from wide network perimeters to micro-perimeters around individual or small groups of assets.
“It’s the holiday season, and reminders that life is about connections are all around us,” wrote Matt Hartman, director of network resilience at CISA, in the agency’s Dec. 20 announcement. “But as those who have clicked the ‘unsubscribe’ button or unfriended an old roommate know, some connections have to change over time.”
An inventory conducted in the early 2000s revealed agencies had more than 4,000 connections to the internet, prompting network consolidation down to about 50 TIC “access points” among large agencies.
The Office of Management and Budget unveiled TIC 2.0 in 2007 in response to technology advances, and developments in cloud computing, encryption and mobility necessitated a third update in September.
TIC 3.0 — which approved cloud, agency branch office and remote user use cases — also directed DHS to lead ongoing approval of additional connections and elimination of dated ones.
CISA’s new TIC guidance spans five volumes meant to be read in order.
The Program Guidebook outlines the modern TIC program with historical context, while the Reference Architecture defines program concepts. The Security Capabilities Handbook indexes TIC-relevant security capabilities, and the Use Case Handbook introduces tradition and branch office use cases — the latter covering remote connections.
Lastly, the Security Provider Overlay Handbook maps the security functions of service providers to TIC capabilities.
CISA began fielding comments, feedback and questions on the draft guidance Dec. 23 and will continue to do so until Jan. 31 via the TIC GitHub repository or tic@cisa.dhs.gov. The agency also plans to hold informative webinars for civilian agencies during that period.
