Making the Right Connections


By Matt Hartman, Friday December 20th, 2019

It’s the holiday season, and reminders that life is about connections are all around us. But as those who have clicked the “unsubscribe” button or un-friended an old roommate know, some connections have to change over time.

A brief history of TIC

In the early 2000’s, the White House Office of Management and Budget initiated a data-call asking federal agencies to inventory their connections to the internet. The results were eye-opening: agencies reported more than 4,000 connections. This prompted a desire for network consolidation across the Federal Government in order to limit the number of tubes to monitor to a smaller set, spurring the initiative known today as Trusted Internet Connections (TIC).

TIC began with the goal of creating the first federal perimeter security baseline. The initiative focused on large federal agencies reducing the enterprise footprint to approximately 50 connections, or “TIC access points”. As technology continued to advance, CISA – back in our National Protection and Programs Directorate days – updated TIC to version 2.0 (and beyond) to address new focus areas of security. The world marches forward, and cloud computing, strong encryption, and mobile devices are now the norm. It’s time again to increment the TIC model.

A new TIC approach

Today, we’re releasing draft documentation to provide guidance for TIC 3.0, which we’ve developed to assist agencies in protecting modern information technology architectures and services, less focused on a perimeter. The following TIC guidance documents are sequential in nature and we recommend they be read in order:

  1. Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes historical context
  2. Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
  3. Security Capabilities Handbook (Volume 3) – Indexes security capabilities relevant to TIC
  4. Use Case Handbook (Volume 4) – Introduces use cases, which describe an implementation of TIC for each identified use:
    • Traditional TIC Use Case. Describes the architecture and security capabilities required for the conventional TIC implementation
    • Branch Office Use Case. Describes the architecture and security capabilities required for remote offices
  5. Service Provider Overlay Handbook (Volume 5) – Introduces overlays, which map the security functions of a service provider to the TIC capabilities

The success of the new TIC iteration is a group effort of over 50 participating federal agencies and industry. CISA encourages readers to provide any comments, feedback, or questions via the TIC GitHub repository. An official request for comments (RFC) period will begin December 23, 2019 and conclude on January 31, 2020.

During the RFC period, any comments, questions, or concerns can be submitted to the Issues TIC page on GitHub or sent to CISA will conduct informative webinars during the RFC period to address general questions and comments posed from Civilian agencies. Upon closing of the RFC period, CISA will release the final versions of TIC 3.0 documentation to the public.

So, this holiday season cozy up to the fire with TIC 3.0 and invite the right TIC connection into your life.