Cybersecurity

TIC Guidance

Trusted Internet Connections (TIC) 3.0 core guidance documents are intended to be used collectively in order to achieve the goals of the program. The documents are additive; each builds on the other like chapters in a book. The current versions of guidance are available below.

The TIC 3.0 core guidance are sequential in nature and include:

Cloud Security Technical Reference Architecture

The purpose of the Cloud Security Technical Reference Architecture (TRA) is to illustrate recommended approaches to cloud migration and data protection, as outlined in Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, the TRA will be a guide for agencies to leverage when migrating to the cloud securely. Additionally, the document explains considerations for shared services, cloud migration, and cloud security posture management.

Zero Trust Maturity Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible. Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons.

CISA Hosts Election Cybersecurity Navigators Forum for State and Local Election Officials

The Cybersecurity and Infrastructure Security Agency (CISA) recently concluded a forum for state and local election officials to discuss cyber navigator programs. Cyber navigators are state liaisons that can help under-resourced local jurisdictions manage their cyber risks, help sort through the onslaught of risk information, advice, and available services, and help fast-track mitigation efforts. During the two-day forum participants shared their experiences and identified lessons learned for navigator programs.
Last Published Date: December 21, 2021

Readout of CISA Call with Critical Infrastructure Partners on Log4j Vulnerabilities and the Need for Increased Vigilance this Holiday Season

WASHINGTON – This afternoon, the Cybersecurity and Infrastructure Security Agency (CISA) held a call with critical infrastructure entities from the public and private sectors to emphasize the importance of remaining vigilant against cyber threats over the holiday season, particularly with the widespread exploitation of vulnerabilities in the Log4j software, which pose a severe risk to network security. The call was led by CISA Director Jen Easterly and included updates from CISA’s Executive Assistant Director for Cybersecurity, Eric Goldstein.

Last Published Date: December 20, 2021

CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Apache Log4J Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 22-02 today requiring federal civilian departments and agencies to assess their internet-facing network assets for the Apache Log4j vulnerabilities and immediately patch these systems or implement other appropriate mitigation measures. This Directive will be updated to further drive additional mitigation actions.
Last Published Date: December 17, 2021