CISA Releases Final TIC 3 Guidance

The Cybersecurity and Infrastructure Security Agency released the finalized top-level documents for the third iteration of the government’s Trusted Internet Connection policy, or TIC 3.

The TIC policy governs how federal agencies set up their networks to ensure traffic and data are secure.

The new policy guidance looks to update TIC 2—released in 2012—to account for the latest technological advances in government, namely cloud and mobile computing, which have dramatically changed the way federal employees connect to agency networks. These changes—and the associated challenges—have become overt as the COVID-19 pandemic forces agencies to embrace mass telework, giving up some control over how employees connect to federal networks.

CISA released the draft guidance documents, reference architecture and the first two use cases in December to solicit public comments.

The first round of finalized documents, released Friday, include a TIC 3 Guidebook; the reference architecture explaining how the concepts should be applied to agency enterprises; and the Security Capabilities Catalog, formerly the Security Capability Handbook.

CISA officials said the first two draft use cases—covering agency headquarters and branch offices, respectively—are expected to be finalized later this summer.

“We have the guidebook and the reference architecture documents—we consider those more of the strategic documents, the ones agencies use to build out their understanding of TIC 3 in general,” TIC Program Manager Sean Connelly told Nextgov in a March interview. “And then what we call the operational, the more technical documents: the use cases, the security capabilities and the overlays. We think those are the ones that will be used more by agencies as they build out and secure their environments.”

The finalized documents take into account several issues brought up during the public comment period. The TIC program office divided the issues into broad themes:

• Working with other federal programs, such as the Federal Risk and Authorization Management Program, or FedRAMP, and CISA’s own EINSTEIN and Continuous Diagnostics and Mitigation, or CDM, program.
• How CISA plans to support agency adoption, including templates and virtual and live events.
• More details around how the use case pilots were managed—including under what authorities they were administered—and proposed additional use cases that were not included in the original OMB memo.
• Better defines new and key terms and concepts.

This last set of changes is perhaps the most important, as confusion over the new idea of “trust zones”—particularly how it conforms with zero trust frameworks—was a major point of contention for commenters on the draft.

The new draft looks to clarify how trust zones should be used and provide additional graphics and other visual tools to help implementers better understand the concept.

The finalized documents also rename the Security Capabilities Handbook to the Security Capabilities Catalog, which looks to better explain which parts of the TIC 3 framework are mandatory, as well as the parts of TIC 2 agencies should continue to implement.

RELATED PODCAST