What Is TIC 3.0’s Relationship to Zero Trust?
By looking beyond conventional perimeter defense strategies, TIC 3.0 supports the federal push toward zero-trust security architectures. “We're all in concert across the federal community between where we're going with TIC 3.0 and what we've done with zero trust,” Connelly says.
Says Simms: “We knew that the traditional TIC architecture, which is generally a stack of firewalls and proxies and some other technologies, just wasn't really adequate to support what we're trying to achieve with cloud modernization or with zero trust.”
“When the Office of Management and Budget released M-19-26, the Update to the Trusted Internet Connections Initiative memorandum in September 2019, it gave us the ability to look beyond the enterprise perimeter to protect against current attack vectors,” he adds. “Within the policy, there was a strong emphasis on flexibility. We used this to lay the groundwork for zero trust by updating the reference architecture, security capabilities and associated use cases.”
Both TIC and zero trust “are about shifting the focus from the perimeter to the application, data and users,” Simms says.
How Is TIC Different from Other Federal Cybersecurity Programs?
Federal agencies must comply with a number of cybersecurity guidelines these days. There’s FedRAMP, the General Services Administration program that empowers agencies to use modern cloud technologies. CISA operates the Continuous Diagnostics and Mitigation (CDM) Program, and the Defense Department has its own Cybersecurity Maturity Model Certification (CMMC) program.
CDM effectively supports the new TIC guidance. “We recognize that more and more, there is a degree of overlap with each of these program capabilities, and in some cases, we have the ability to reinforce concepts and capabilities with each to clarify the alignment for agencies,” Simms says.
TIC likewise works hand in hand with FedRAMP. “FedRAMP focuses more on how the vendors offer their services,” Connelly says. “The TIC program partners with FedRAMP to help the agencies understand, now that the vendor says they can support the service, how can that service be used to meet the intent of the TIC capability? How can we protect those assets based on what the FedRAMP program can offer?”
CMMC, meanwhile, applies to military systems, while TIC is geared toward federal civilian executive branch agencies. The programs are essentially separate, yet also somewhat parallel.
“We've had strong collaboration with the DOD side to ensure that the documents and guidance they're putting out align closely with how we on the federal civilian side are trying to help agencies move forward,” Connelly says. “It’s different paths to get to the same goals.”