The Jan. 31 public comment date is fast approaching for the Cybersecurity and Infrastructure Security Agency’s (CISA) draft guidance documents for version 3.0 of its Trusted Internet Connections (TIC) initiative.
The guidance documents include five volumes that provide a deep dive into the changes coming with TIC 3.0 and the rationale for those changes. The content is not particularly light reading – among the volumes, separate ones cover the reference architecture, security capabilities, use cases, and service provider overlays – but it is vital to understanding the next iteration of security in Federal networks.
With that in mind, we asked Sean Connelly, TIC Program Manager at CISA, to tell us more about TIC 3.0 and how Federal agencies can approach the guidance documents. Here’s what he had to say…
MeriTalk: Can you explain how cloud will be handled between TIC and NCPS under this new guidance?
Connelly: CISA continues to provide security capabilities to Federal civilian executive branch departments and agencies to help them secure their networks and information systems, including NCPS (EINSTEIN) and the TIC initiative. While these programs have evolved, and the relationship between them has changed in TIC 3.0, they will continue to support and complement each other.
MeriTalk: What is the benefit of a multi-boundary approach?
Connelly: As the Federal network expands into the cloud, traditional perimeter security supported in legacy TIC is increasingly unfeasible. The perimeter is now everywhere, and an enterprise needs its security to be dynamically created, policy-based, and on the services’ edge.
TIC 3.0 supports a multi-boundary approach to securing agencies’ distributed networks through the creation of trust zones. These zones create additional network boundaries and require the placement of security capabilities throughout the environment, rather than having the security perimeter entombed in a box at the TIC access points. By creating multiple boundaries and dispersing security capabilities throughout the architecture, agencies will have greater visibility into their networks, leading to operational and fiscal efficiencies.
MeriTalk: How can agencies approach that multi-boundary guidance?
Connelly: The TIC 3.0 guidance is intentionally high-level to provide agencies with flexibility in interpreting it. Agencies are encouraged to adapt the TIC use cases to suit the needs of their enterprise. Agencies are expected to incorporate the TIC 3.0 guidance into their risk management strategy. Agencies should determine whether protections are commensurate with the level of risk pertaining to their enterprise IT.
MeriTalk: Help us understand how these security capabilities should be applied…
Connelly: Agencies can apply two types of security capabilities, Universal and Policy Enforcement Point, under the new guidance. Universal capabilities are enterprise-level and apply across the use cases. Policy Enforcement Point capabilities are network- and data-level and apply to specific use cases.
The guidance provides agencies with the flexibility to determine the placement and level of rigor required for each security capability. However, agencies are expected to consider the trust criteria presented in the Reference Architecture, Federal guidelines, and their risk tolerance to determine the rigor required for the security capabilities. Agencies can choose to position capabilities in the communication path, at endpoints, at trust zone boundaries, and through service providers.
MeriTalk: How does the new TIC guidance support the increased discussion around zero-trust at agencies?
Connelly: The enterprise perimeter is no longer a single location. As services move towards the edge and away from a central hub, wide area network (WAN) services will begin to offer more security services. The Office of Management and Budget, National Institute of Standards and Technology (NIST), General Services Administration, and CISA have been meeting with agencies and vendors over the last year to discuss this issue and support the development of the NIST Zero Trust Architecture (ZTA). TIC 3.0 aligns with the NIST ZTA goals and objectives and supports the formalization of NIST ZTA as a complete enterprise solution.