A finalized Trusted Internet Connections 3.0 use case, defining how network and multi-boundary security should be applied when agencies permit remote users, was released by the Cybersecurity and Infrastructure Security Agency on Thursday.
The document provides guidance on how agencies can configure data flows and apply TIC capabilities across three network security patterns: secure remote user access to a campus, to agency-sanctioned cloud service providers, or to the internet.
Originally released in April 2020 as Interim Telework Guidance, in response to vendor requests for help aiding agencies during the pandemic, the finalized use case aims to protect against cyberthreats resulting from users’ ability to access resources from outside network boundaries.
“The Remote User Use Case helps agencies preserve security while they gain application performance (e.g., latency, throughput, jitter, etc.); reduce costs through reduction of private links; and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services as well as supporting additional options for agency deployment,” reads the document. “This use case is also intended to support policy enforcement parity for devices and connectivity options.”
More than 70 agencies, companies and trade organizations weighed in on the document.
Agencies may implement a subset of the three network security patterns or additional ones from a different use case. The other two available are the Traditional TIC and Branch Office use cases.
The document is intended to be used alongside the updated Security Capabilities Catalog and TIC overlays applicable to service providers. The Pilot Process Handbook was also finalized.
Zero trust and partner research and development use cases might also come in 2021, with infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), platform-as-a-service (PaaS) and email use cases already planned.
CISA is also working to finalize IPv6 Considerations for TIC 3.0 guidance, given the expanded cyberthreat landscape IPv6 presents. The draft version remains open for public comment through Friday.