On December 20, 2019, Homeland Security’s Cybersecurity and Infrastructure Security Agency released draft guidance for TIC 3.0. This new guidance is a significant change to the federal agencies' Trusted Internet Connections program, which until now has been focused on securing external network connections. This new approach to trust shifts the focus of the federal government’s cybersecurity framework from safeguarding perimeters to securing specific network areas.
TIC 3.0 is aimed at creating a framework that can accommodate agencies’ need to add mobile devices, remote users, and branch offices while enabling higher security standards. It is a significant step forward, removing many of the barriers that have blocked agency efforts to add remote users and move parts of their network into the cloud. To understand what these changes mean, let’s take a step back and see how we got to TIC 3.0.
TIC 1.0: Consolidating Federal Internet Access Points
The Trusted Internet Connections program was established in 2007 through a Directive issued by President Bush. In a 2010 interview with Matt Coose, then Director of Network Security at DHS, it was estimated there were a total of 8,000 Internet connections feeding into Federal Agencies. Public and private cloud adoption was still a relatively novel concept for the Federal Government.
The initial strategy for the program was to limit the number of manageable access points to 50. TIC outlined actions to establish trusted Federal access points across the various agencies, and then reduced and consolidated all external connections to run through those access points. Larger agencies established their own access points with their internal security operation center and network operating center functions. Smaller agencies utilized a central TIC access point provided by Managed Trusted Internet Protocol Service providers.
According to Coose, in 2009, as cloud adoption and distributed architecture needs evolved, DHS officials expanded their goal to 80 access points. At the same time, they revealed that there were more than 2,000 non-compliant Internet connections still feeding into federal networks. The TIC framework was too restrictive and required significant resources to establish trusted access points. As a result, the DHS established a working group to incorporate feedback from agencies and to develop a more realistic architecture.
TIC 2.0: Incorporating Feedback/Expanding Scope
In 2011, TIC 2.0 was released and received final OMB approval. While it was an improvement, it retained the overall objective of the program—to significantly consolidate Federal agency Internet connections. It established Policy Enforcement Zones (PEPs), placed on the network perimeter to secure traffic. TIC 2.0 included several new sections and appendices. It clarified policy references, added guidance for securing remote access connections, provided recommendations and guidance related to device synchronization and DNS deployment, and further clarified agency responsibilities.
The most critical aspect of TIC 2.0 was that it incorporated feedback into the TIC Critical Capabilities for Securing Access Points. 2.0 was further revised in 2013 to incorporate cloud considerations. While it represented an effort to incorporate real-world feedback, TIC 2.0 underestimated the vast expansion of the cloud and distributed network technology. DHS officials went back to the drawing board to "define scalable, comprehensive, and continuous validation processes for ensuring agency implementation of TIC capabilities in contrast to the point-in-time reviews."
TIC 3.0: Continuous Validation of Distributed Networks
To say third time's a charm, may be a bit premature, but TIC 3.0 represents a significant shift that incorporates the ever-evolving nature of distributed architecture. According to the CISA reference architecture, “This shift in approach from securing a single network boundary to a distributed architecture is the most fundamental change from the legacy TIC program. It allows agencies to apply security capabilities throughout their environment. The result is greater network visibility, service uptime, and improved user experiences.”
TIC 3.0 divides federal networks in “trust zones” rather than just network perimeters. This allows agencies to develop baseline security protections across more modern, dispersed network environments, including remote locations and branch offices.
Providing use cases as guidance, TIC 3.0 encompasses five network security objectives:
- Monitor and validate data connections to ensure the activities on the network are authorized, while also including the practices of least privilege and default deny.
- Verify senders and receivers and ensure that only authorized users can see data in transit.
- Prevent data tampering in transit and recognize if data was altered.
- Promote resiliency as technology evolves and threats change.
- React and adapt to threats in a timely manner.
As TIC 3.0 use cases evolve, it will provide agencies with even more guidance to implement these objectives. In the meantime, developing complete Internet visibility throughout their distributed networks will allow agencies to adapt and implement the guidance as it evolves.