Nextgov offers a deep dive into TIC 3 and the purported conflict between CISA’s trust zones and zero-trust security.
Federal agencies focused on IT and security are working on a framework and set of use cases identifying the best security practices for federal employees connecting to the internet across a variety of circumstances, a policy known as Trusted Internet Connection 3.
The Cybersecurity and Infrastructure Security Agency is taking the lead and issued draft documents for the reference architecture and first two use cases in December. As current and former federal IT professionals looked through the draft documents, it became clear that one notion was going to be a sticking point: CISA’s creation of a concept called “trust zones.”
After an initial read, several former members of the U.S. Digital Service commented on the drafts, urging CISA to reconsider trust zones and arguing that the framework is anathema to the leading best practice in information security: zero trust. However, members of the TIC program management office and agency cybersecurity officials said these arguments were misguided and showed the commenters didn’t understand the program’s true goals.
To sort through the confusion, Nextgov spoke with TIC program manager Sean Connelly, Education Department Chief Information Security Officer Steven Hernandez and FDIC Security Architecture Section Chief Sara Mosley about the intent of the new policy, as well as former USDS engineer Marianne Bellotti for perspective on how it is being interpreted.
The episode also includes breakdowns of how Hernandez and Mosley are applying the ideas behind TIC 3 and zero trust at their agencies and what federal IT security leaders should do to make sure they are in line with the new policy.