What Federal Agencies Need to Know About TIC 3.0

Since 2007, the Trusted Internet Connections program has helped define cybersecurity efforts for federal civilian agencies.

With the release of TIC 3.0 earlier this year, the Cybersecurity and Infrastructure Security Agency has made the new version even more flexible than its predecessor, outlining new strategies for agencies whose networks flow through the cloud, external devices and encrypted applications, as well as traditional paths.

With TIC 3.0, agencies have the opportunity to deploy security tools closer to the data in support of their zero-trust ambitions.

Click the banner to get the expertise you need to secure your data and applications.

What Is TIC 3.0?

In today’s cyber environment, “vigilance can only be maintained by having organized and automated security policies managed through integrated tools,” according to a statement on the Advanced Technology Academic Research Center’s TIC Demonstration Center.

“TIC 3.0 does exactly [that] by removing cloud barriers, consolidating the number of external internet connections and accelerating federal cloud transformation,” the statement continues.

CISA brings this to life with TIC 3.0 core guidance elements, including a program guidebook, a reference architecture and a secure capabilities catalog that provides a list of deployable security controls, security capabilities and best practices.

In the latest TIC update, “we recognize today's environment is much more distributed, more diverse, more dynamic and more encrypted,” says Sean Connelly, TIC program manager in CISA’s Office of the Technical Director (OTD).

DIVE DEEPER: Look for solutions to threat management challenges.

How Is TIC 3.0 Different from Earlier Versions?

With this in mind, CISA has aimed to give agencies greater flexibility as they look to respond to an ever-changing cybersecurity threat. The previous iteration of TIC was much more prescriptive.

“TIC 2.0 prescribed one way to secure network traffic going to and from the internet,” Connelly says. “Now, with TIC 3.0, we have a number of use cases, including the traditional TIC, branch office, remote user and cloud use cases. These offer different ways for agencies to be able to protect their environments.”

In addition, TIC 3.0 bring protections closer to the data and to end users. “The TIC 2.0 model was more perimeter-focused,” Connelly says. “Now, as the perimeter becomes more amorphous and porous, it's necessary to have more choices available than we did in the old model.”

How Might TIC 3.0 Change the Tools Agencies Use?

As agencies look beyond outmoded perimeter defense strategies, TIC 3.0 encourages them to adopt a range of new cyber tools.

“We're really talking about capabilities that we can employ to support a flexible boundary to protect our IT environments, not only on-premises in government data centers but also in the cloud,” says John Simms, a security architect in CISA’s OTD.

Agencies might, for example, leverage secure access service edge, an emerging model that delivers security through technologies such as secure web gateways, cloud access security brokers and Firewall as a Service.

“It is a new type of technology that is not just a typical firewall or VPN-focused technology but rather provides more cybersecurity capabilities and visibility to support modern architectures,” Simms says. “The technology provides more effective boundary security capabilities to support TIC and zero-trust use cases in cloud and on-prem environments.”

Other tools also come into play as agencies look to deepen their cyberdefenses under TIC 3.0.

“We now have a new focus on endpoint detection response. You're seeing momentum toward deploying EDR tools across the fleet of federal devices,” Connelly says. “This shifts security closer to the application, closer to the data.”

With the shift to a remote workforce, “being able to have different tools like EDR, like secure access service edge, like the cloud — these all present new opportunities,” he says.

How Can Agencies Implement TIC 3.0?

A number of strategies can help agencies move forward on TIC 3.0. “The first is managing a diverse partner ecosystem,” Connelly says.

Agencies will need to work in close collaboration with their technology providers to devise effective cyber protections under the new TIC guidance. “No agency really is operating by themselves anymore. It's a partnership, both with the vendor community, with other agencies and other stakeholders,” he says.

TIC implementation may also require new budgetary efforts. Connelly pointed to the use of funding mechanisms such as the Technology Modernization Fund as a possible way to drive new cyber programs forward.

He also stressed the need for agencies to consider their multicloud footprint as they move to implement new controls. “Agencies are probably connecting to a few different Infrastructure as a Service solutions and a number of Software as a Service platforms, and they need to balance how they secure those different platforms,” he says.

Overall, TIC implementation should be organized according to the actual cyber perils facing a given agency, Simms suggested.

TIC efforts “can evolve based on risk management priorities,” he says. “They have the flexibility to leverage cloud-native and existing capabilities to meet TIC 3.0 security capabilities to the extent that’s practical, and identify gaps that may exist that other technologies can fill. It creates a more holistic approach to cybersecurity based on risk management versus compliance.”

What Is TIC 3.0’s Relationship to Zero Trust?

By looking beyond conventional perimeter defense strategies, TIC 3.0 supports the federal push toward zero-trust security architectures. “We're all in concert across the federal community between where we're going with TIC 3.0 and what we've done with zero trust,” Connelly says.

Says Simms: “We knew that the traditional TIC architecture, which is generally a stack of firewalls and proxies and some other technologies, just wasn't really adequate to support what we're trying to achieve with cloud modernization or with zero trust.”

“When the Office of Management and Budget released M-19-26, the Update to the Trusted Internet Connections Initiative memorandum in September 2019, it gave us the ability to look beyond the enterprise perimeter to protect against current attack vectors,” he adds. “Within the policy, there was a strong emphasis on flexibility. We used this to lay the groundwork for zero trust by updating the reference architecture, security capabilities and associated use cases.”

Both TIC and zero trust “are about shifting the focus from the perimeter to the application, data and users,” Simms says.

GET MORE INFO: What are the pillars of a zero-trust strategy?

How Is TIC Different from Other Federal Cybersecurity Programs?

Federal agencies must comply with a number of cyber guidelines these days. There’s FedRAMP, the General Services Administration program that empowers agencies to use modern cloud technologies. CISA operates the Continuous Diagnostics and Mitigation Program, and the Defense Department has its own Cybersecurity Maturity Model Certification (CMMC) program.

CDM effectively supports the new TIC guidance. “We recognize that more and more, there is a degree of overlap with each of these program capabilities, and in some cases, we have the ability to re-enforce concepts and capabilities with each to clarify the alignment for agencies,” Simms says.

TIC likewise works hand in hand with FedRAMP. “FedRAMP focuses more on how the vendors offer their services,” Connelly says. “The TIC program partners with FedRAMP to help the agencies understand, now that the vendor says they can support the service, how can that service be used to meet the intent of the TIC capability? How can we protect those assets based on what the FedRAMP program can offer?”

CMMC meanwhile applies to military systems, while TIC is geared toward federal civilian executive branch agencies. The programs are essentially separate, yet also somewhat parallel.

“We've had strong collaboration with the DOD side to ensure that the documents and guidance they're putting out align closely with how we on the federal civilian side are trying to help agencies move forward,” Connelly says. “It’s different paths to get to the same goals.”