In-Person, Remote, and Hybrid! Oh My! Securing Your New Reality With TIC 3.0


By: Eric Goldstein, Executive Assistant Director for Cybersecurity

It’s been over a year and a half since much of the Federal Government workforce headed to work from home due to the COVID-19 pandemic. As work around the world continues to shift between in-person, full-time remote, and hybrid, network defenders remain focused on maintaining a strong security posture to protect critical assets and data.  

TIC 3.0 AND REMOTE WORK   

The modernized Trusted Internet Connections (TIC) 3.0 initiative, outlined in Office of Management and Budget’s (OMB) M-19-26, is intentionally designed to be flexible and adaptive to agency needs, focusing on strategy, architecture, and visibility. CISA’s finalized TIC 3.0 Remote User Use Case is the latest document in the collection of TIC 3.0 guidance. The new TIC use case provides guidance on applying network and multi-boundary security for federal agencies that permit remote users on their networks. These users could be personnel working from home, connecting from a hotel, or telecommuting from a non-agency-controlled location. The use case also extends the definition of remote users to mobile devices, including Bring Your Own Device (BYOD).  

Built off of and replacing the TIC 3.0 Interim Telework Guidance, issued in April 2020 to meet urgent requirements imposed by the COVID-19 pandemic, the finalized Remote User Use Case provides significantly more depth and detail. The new TIC use case considers additional security patterns that agencies may face with remote users and includes four new security capabilities: User Awareness and Training, Domain Name Monitoring, Application Container, and Remote Desktop Access.  

The final TIC 3.0 Remote User Use Case is aligned to complement CISA’s ongoing efforts to modernize federal networks and support security initiatives driven by the President’s Cyber Executive Order.  Ensuring protected and resilient remote user connections to agency-sanctioned cloud services and internal agency services is paramount for CISA and we expect the security guidance will help agencies improve application performance and reduce costs through reduction of private links. 

A COLLABORATIVE EFFORT 

The release of this use case represents the conclusion of the adjudication period following the issuance of draft Remote User Use Case in December 2020. CISA received more than 70 comments on the use case from agencies, industry, and trade organizations during the January 2020 comment period. In collaboration with the Office of Management and Budget (OMB), the General Services Administration (GSA), and the Federal Chief Information Security Officer (CISO) Council TIC Subcommittee, CISA adjudicated the comments and updated the draft to address the comments’ prevailing themes. A summary of the comments and CISA’s response is available in the Response to Comments on TIC 3.0 Remote User Use Case

ADDITIONAL TIC 3.0 GUIDANCE 

In addition to the Remote User Use Case, CISA updated and published two other TIC 3.0 guidance resources today, to help support agencies security efforts.   

In developing the Remote User Use Case, CISA produced new TIC 3.0 security capabilities, which necessitated a refresh to the TIC 3.0 Security Capabilities Catalog. Indexing and describing all TIC security capabilities across all of the use cases, the revised catalog provides an updated list of deployable security controls, security capabilities, and best practices. It also includes capability identifiers and the four new security capabilities: User Awareness and Training, Domain Name Monitoring, Application Container, and Remote Desktop Access. 

CISA, in collaboration with the Federal Chief Information Security Officer (FCISO) Council, also finalized the TIC 3.0 Pilot Process Handbook. The handbook describes the process by which agencies will conduct TIC 3.0 pilots, in accordance with M-19-26. 

We recognize that for most agencies and businesses a remote or hybrid work environment will be in place for the foreseeable future. CISA is focused on ensuring we provide appropriate guidance and resources to better support our federal agency partners. All of these new documents and other helpful reference materials, like frequently asked questions (FAQs) and trainings, can be found on the TIC homepage.