As Federal agencies look to modernize their cyber defenses and move to zero trust architecture, Trusted Internet Connection (TIC) 3.0 guidance will help push them along the path, with help from a zero trust use case that is in the pipeline, the TIC program manager said on April 29.
Two new TIC 3.0 use cases were recently finalized, and Sean Connelly, TIC program manager at the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), said more use cases are coming first as the program moves into Phase Three.
“We’re not done yet,” Connelly said at an ACT-IAC virtual event April 29. “You have to recognize there’s a number of other use cases [that] CISA’s responsible to produce. … Moving to phase four. This is what we’d like to offer work on. Everyone talks about zero trust. We’d love to be doing work on a zero trust use case.”
The tradition perimeter network defense, or “castle-moat” strategy as Connelly terms it, left agency resources exposed if adversaries were able to get inside. While CISA is working on releasing four other use cases as part of its third phase, Connelly said a zero trust use case is further off.
The release of TIC 3.0, as well as the telework and remote access use cases, helped facilitate agencies’ moves to telework environments during the pandemic. With the goal of TIC 3.0 to enhance flexibility for agencies, CISA is looking to continue building out use cases that allow for a smoother transition to zero trust architecture and more secure environments.
“Understand that shift from TIC 1.0 and TIC 2.0, from securing a single network boundary, to where we are TIC 3.0, allowing for distributed secure architecture, but with new security strategy, new flexibility, and new visibility, is the most fundamental change in the guidance,” Connelly said.
The Phase Three use cases CISA is working on were specified in the Office of Management and Budget’s M-19-26, and include use case guidance for infrastructure-as-a-service, software-as-a-service, platform-as-a-service, and email-as-a-service. CISA is also currently drafting support guidance for Internet Protocol version 6 (IPv6) considerations for TIC. The IPv6 guidance is currently being worked on with agencies.
Connelly gave no expected release date for these use cases, but CISA expects to move into Phase Four, which includes the zero trust use case guidance, by the fourth quarter of 2021.