The Cybersecurity and Infrastructure Security Agency (CISA) released several draft guidance documents for version 3.0 of its Trusted Internet Connections (TIC) initiative today, taking a less prescriptive and more multi-boundary focused approach in its updated policies.
The draft guidance consists of five volumes that are open for public comment from December 23 through January 31. Taken together, they offer a deeper description of what changes come with TIC 3.0, and the rationale behind those changes.
The Program Guidebook, the first in the sequence of guidance docs, is the principal guidance document of the bunch. It provides a general overview of the policy by describing the history of the program, program goals, and the core updates to the program in version 3.0.
“Upon completion of this guidebook, agencies should understand the history of the program, the modernization effort, and the expectation of TIC 3.0,” the document states.
The second of the policy documents is the Reference Architecture for TIC 3.0, which emphasizes a flexible perimeter and multiple levels of boundaries. The concept of ‘trust zones’ is a key part of the architecture, with high, medium, and low trust zones offered as examples. However, agencies can set trust zones as they like, based on criteria like control, transparency, verification, and data sensitivity. The architecture also makes policy enforcement points less prescriptive to allow for more cloud adoption.
“The [reference architecture] is a high-level technical document intended to provide federal agencies with the information needed to navigate through the process of implementing the program,” the document states.
Third up is the Security Capabilities Handbook, which provides security controls to guide implementation. The document sets security objectives to be achieved across networks, and security capabilities mapped to the NIST Cybersecurity Framework. In total, the guidance offers 43 security capabilities for agencies to follow, although CISA notes it is not an exhaustive list.
“The Security Capabilities Handbook enables agencies to apply risk management principles and best practices to protect federal information in various computing scenarios,” CISA notes.
The fourth document is the Use Case Handbook, which outlines the structure for different use cases. Accompanying the handbook are detailed descriptions of the structure of the traditional TIC use case and the branch office use case.
Closing out the guidance is the Service Provider Overlay Handbook, which identifies the solutions that can assist in protecting cloud environments. While not an endorsement, they provide a high-level mapping of services to security capabilities that will be periodically refreshed.
“The SP Overlay Handbook describes ways that federal agencies can utilize SP Overlays to secure their cloud environments in accordance with TIC guidance,” the document states.
CISA highlighted that the guidance documents were developed with agency and industry input.
“The success of the new TIC iteration is a group effort of over 50 participating federal agencies and industry,” a blog post notes.