The Trusted Internet Connections program is in the “final stage” of its work with the Office of Management and Budget and other stakeholders to release remaining initial TIC 3.0 guidance, said Director Sean Connelly on Thursday.
The U.S. Digital Service, Federal CISO Council and General Services Administration are coordinating with the program on releasing finalized Traditional TIC and Branch Office use case documents within the next two months, although the November election could delay things. TIC policy covers the security of external connections to federal networks.
The program released core TIC 3.0 guidance in July, and the remaining initial documents will round out the government’s effort to support multiple architectures for securing agency networks, as they increasingly move their data to the cloud and their users off premise during the coronavirus pandemic. Such use cases were first outlined in an OMB memo finalized in September 2019.
“Even when those are released, we know we’re still on the hook for a number of other use cases,” Connelly said, during the TIC 3.0 SNG Live event by Scoop News Group. “The OMB memo also has in place a remote user use case, infrastructure as a service, software as a service, [platform as a service], email.”
First out of the gate will be the Remote User Use Case, which the program is looking to have a draft of by year’s end that will replace the TIC 3.0 Interim Telework Guidance released in April, Connelly said.
The interim guidance was issued in response vendor requests for anything tangible they could use to help agencies with the March-April surge in telework when the pandemic hit, Connelly said. The Department of Housing and Urban Development, State Department and GSA were among the agencies that had more than 90% of their workforce teleworking.
“There was that massive, immediate shift, so I think that’s important in terms of looking at how not only to secure those environments: secure the client side, secure the remote user,” Connelly said. “Then also how is this represented on the service side with agency users going to the cloud provider? They’ re going to infrastructure as a service; they’ re going to a SaaS or PaaS environment.”
The program will likely be positioned for a TIC 3.0 Zero Trust Use Case pretty soon, Connelly added. That could come next year along with a Partner, Research and Development Use Case.
A Program Guidebook, Reference Architecture and Security Capabilities Catalog were included in the program’s first release of finalized guidance. The first two documents will be fairly static, but the latter will be a living document that adds new capabilities and controls into use cases as they’re announced.
The forthcoming Traditional TIC Use Case details the “castle-and-moat” security strategy that’s existed at most major agencies for about a decade, Connelly said. And the Branch Office Use Case will allow agencies to network directly to the cloud or an external trust zone, rather than going through the headache of directing traffic through their TIC access point or headquarters first.
There was no word on when the Overlay Handbook might be released, but ongoing TIC pilots will feed into the IaaS, SaaS, PaaS Use Case.
From early pilots, the program learned to engage stakeholders like an agency’s security team or risk officer sooner than later to get on the same page about what’s being piloted and what it means for the agency, its authority to operate and its general support system, Connelly said.
Agencies conducting pilots also need to think of the technical acumen required when, say, a shift to a zero-trust architecture impacts its security operations center, he said.
Lastly, while some pilots last six months, others run longer, and agency or contractor personnel may see turnover during that time. Agencies must ensure some personnel can support the pilot the entire time, Connelly said.