CISA updates internet connection policies

Many of the changes to the core Trusted Internet Connection policies were in response to public feedback seeking new tech and additional architectural and security concepts.

network monitoring (nmedia/

The Cybersecurity and Infrastructure Security Agency has published finalized versions of core guidance for the Trusted Internet Connection Program.

The TIC 3.0 Program Guidebook, Reference Architecture and Security Capabilities Catalog were all updated to reflect feedback gleaned from nearly 500 comments and questions submitted by the public earlier this year.

According to the agency, much of the feedback it received fell into five categories: proposing additional use cases for the program, questions about how TIC interacted with other agency programs like EINSTEIN and Continuous Diagnostics and Mitigation, questions around how much support CISA plans to provide agencies, requests for additional detail in the Program Guidebook and Reference Architecture documents and requests for more information around the development, schedule and authority of use cases.

Commenters were also seeking additional capabilities at the operating system and application levels, encrypting data at rest and in transit, logging, allow lists and whether any capabilities from TIC 2.0 were still applicable.

In response, the updated documents have been tweaked to support newer technologies employed by agencies and include new architectural and security concepts “to reflect the growing number of cybersecurity threats and adoption of cloud-based services.” It offers more clarity on the relationship between TIC 3.0, zero trust networking, and trust zones established by the program. It has also provided CISA with new insight into how to develop use cases to apply to a broader set of agencies and better leverage service provider capabilities.

Another set of documents -- including the Use Case Handbook, Overlay Handbook, Traditional TIC Use Cases and Branch Office Use Cases – will be refreshed later this summer.

The moves put CISA one-step closer to completing an overhaul of a program that started out as an effort to cut down on the number of trusted internet access points used by federal agencies but has since transformed into a set of network security standards designed to account for a more distributed architecture, accounting for the widespread adoption of cloud computing and an increasingly remote workforce in government.

These days, “an agency’s assets, data, and components are commonly located in areas beyond their network boundary – on remote devices, at cloud data centers, with external partners” and not strictly on-premise at federal facilities, the new security catalogue notes.

Those trends were already happening before the novel coronavirus hit U.S shores this year, and the resulting move to telework for most federal employees in the wake of the pandemic has placed an added sense of urgency on federal IT and security managers. In April, CISA released emergency interim TIC guidance to help federal managers deal with the sudden shift, but it was more an effort to triage the problem in the short-term and expires at the end of this year.