What Agencies Need to Know About TIC 3.0 and Enabling Technology


The third version of the Trusted Internet Connection policy brings government IT closer to the capabilities available to the private sector. 

In late July, the Cybersecurity and Infrastructure Security Agency released final top-level guidance for the third iteration of the federal government’s Trusted Internet Connection, or TIC, initiative. 

The recommendations included a reference architecture for agency implementation as well as the Security Capabilities Catalog. Even with the current guidance, agencies will need to remain cautious in how they implement TIC 3.0 relative to their unique environments so that they can securely leverage emerging and evolving technology, including SD-WAN and as-a-service cloud platforms.

But first, let’s take a step back and look at how the process has evolved over the last 13 years.

How did we get here?

In 2007, federal officials initiated the TIC to better secure federal internet access. At the time, access was being routed through thousands of disparate, undocumented connections with varying levels of security. That first draft was essentially risk management.

TIC is now entering its third iteration. The draft version of TIC 3.0 was released last September to introduce more flexibility for agencies and to continue evolving the TIC framework from a stabilizing measure into one that focuses on promoting IT modernization.

With TIC 3.0, agencies can utilize technology based on changing enterprise IT needs such as cloud access and secure remote telework. This marks a major step in the evolution of federal connectivity, bringing government IT closer to the capabilities available to the private sector. 

But the path to implementation is not yet fully defined, leaving federal agencies to navigate some uncharted territory. As a result, they face the risk of failing to implement technologies that would help them better serve taxpayers.

What technologies will be boosted by TIC 3.0?

TIC 3.0 will be a huge enabler for federal use of cloud technology because it moves the paradigm beyond simple virtualization of a physical TIC. In fact, new guidance allows for a direct connection from the user to the cloud.

TIC 3.0 will allow users and providers to take better advantage of cloud technology—infrastructure-as-a-service, software-as-a-service, email-as-a-service and platform-as-a-service—by enabling cloud providers to seamlessly and transparently patch applications for TIC 3.0 users.

SD-WAN will also play a major role in both evolving and securing federal networks under the new guidance. The technology will enable agencies to advance their networking from a hub-and-spoke architecture—where most local traffic is sent to a central location for security inspection before delivery to its final destination—to a software-defined networking architecture that allows for real-time customization based on changing mission and user requirements.

A good SD-WAN solution will deliver major benefits for agencies, including:

  • More robust security, because the secure SD-WAN solution integrates tightly with advanced threat protection solutions such as sandboxing.
  • Less time spent on the management of networking and threat response, because the agency has a single-pane-of-glass view into the operation of both functions.
  • Reduced costs, because consolidation of security and networking means that the agency has fewer devices to buy and maintain.

Take, for example, the agency branch office use case that CISA presents in its TIC 3.0 guidance. The CISA use case assumes the existence of a branch office that currently utilizes the agency’s headquarters for the majority of its IT services and web access. By employing TIC 3.0 guidance, agencies can directly connect approved traffic via SD-WAN, pushing the security out to the edge and giving users in the field faster, more secure and more reliable IT functions.

Where do we go from here?

These are just a couple of examples of how TIC 3.0 marks a significant step in bringing the federal government closer to the innovation of the private sector. TIC 3.0 will be a key tool for agencies in improving digital efficiency, increasing their resilience, managing risk, and bolstering security.

The TIC 3.0 guidelines and use cases give agencies the flexibility they need to create solutions tailored to their unique needs. There is no lift-and-replace, one-size-fits-all option, but in the end that will be a boon for agencies—even if it means more work on the front end to decide the best path forward.

The road ahead is still uncertain, and CISA will be mapping out more defined strategies in the coming months. But for agencies to truly take advantage of TIC 3.0, they’ll still need to understand how it can underpin crucial technologies like cloud, SD-WAN and as-a-service platforms—saving money and improving operational efficiency and security.

Jim Richberg is a field chief information security officer at Fortinet.