Homeland Security Releases TIC 3.0 Use Cases with Additional Guidance

The structure of the internet has changed significantly over the last two decades, and now agencies are getting guidance to ensure the infrastructure they use is secure no matter how or where employees connect to the network.

Among the many policy updates coordinated by the Office of Management and Budget this year was an update to the government’s Trusted Internet Connection policy. Past versions of the TIC policy have been a proscriptive set of rules for how and where federal employees should be allowed to connect to the internet.

The most recent version—TIC 2—was released in 2008, before the government began to embrace the trends toward cloud and mobile computing.

OMB released a framework in September for the third iteration of TIC, which included a call for the Homeland Security Department to develop a set of use cases agencies could consider when making their own network infrastructure decisions. The administration hopes the use case format will give agencies enough flexibility to make sound security decisions for any kind of network, including those just over the horizon.

Ahead of the holidays, Homeland Security’s Cybersecurity and Infrastructure Security Agency released a draft of the use cases as one part of a five-volume set of TIC 3.0 guidance.

“TIC began with the goal of creating the first federal perimeter security baseline. The initiative focused on large federal agencies reducing the enterprise footprint to approximately 50 connections, or ‘TIC access points,’” Matt Hartman, CISA’s director of network resilience, wrote in a blog post-Friday. “The world marches forward, and cloud computing, strong encryption and mobile devices are now the norm. It’s time again to increment the TIC model.”

The result is a draft five-volume set of instructions on secure network connections.

• Program Guidebook (Volume 1): Outlines the modernized TIC program and includes historical context.
• Reference Architecture (Volume 2): Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities.
• Security Capabilities Handbook (Volume 3): Indexes security capabilities relevant to TIC.
• Use Case Handbook (Volume 4): Introduces use cases for traditional agency office settings, as well as branch offices in remote areas. Describes the architecture and security capabilities required.
• Service Provider Overlay Handbook (Volume 5): Introduces overlays, which map the security functions of a service provider to the TIC capabilities.

CISA, in conjunction with the Federal Chief Information Security Officers Council, is working on additional use cases for zero trust and partner networks, among others. Even then, that volume is not meant to be a strict guideline.

“The TIC Use Cases posted to this site are not an exhaustive representation of all the scenarios agencies may wish to consider when securing their environments,” CISA officials wrote on the TIC 3.0 page. “Agencies are encouraged to combine uses cases, as appropriate, to suit their needs.”

CISA opened the draft to public comments Monday. The comment period will extend to Jan. 31.