CISA encourages agencies to read and review the Trusted Internet Connections (TIC) homepage and associated guidance for TIC 3.0 as the primary avenue to answer outstanding questions. However, to aid agencies in implementing the guidance, CISA maintains this list of frequently asked questions (FAQ) for agencies’ reference.
1. How does TIC 3.0 differ from earlier versions of the program?
TIC 2.0 focused exclusively on securing an agency’s perimeter by funneling all incoming and outgoing agency data through a TIC access point. Through Office of Management and Budget (OMB) M-19-26, OMB focuses on strategy, architecture, and visibility in TIC 3.0, recognizing the need to account for multiple and diverse architectures rather than single perimeter approach like TIC 2.0. The flexibility embedded into the guidance allows agencies to choose how to implement security capabilities in a way that fits best into their network architecture, IT modernization roadmap, risk management approach, and more. TIC 3.0 allows agencies to place security capabilities closer to the data using trust zones, policy enforcement points, and use cases rather than force the rerouting of data to the inspection sensors.
To allow agencies this flexibility, CISA works with agencies to conduct pilots in diverse agency environments. The lessons learned from these pilots feed the TIC 3.0 use cases. Agencies are encouraged to participate in TIC 3.0 pilots to bolster the current use cases and support the development of additional use cases.
Additional information can be found in the Program Guidebook.
2. How do agencies implement TIC 3.0?
Due to the wide variety of modern IT environments and requirements based upon varying missions, needs, and resources of agencies across the .gov, the updated policy allows for broader interpretation authorities to be assumed by federal civilian agencies. As modern architectures become both more complex and diverse, TIC 3.0 accommodates a wide variety of scenarios, focusing on cloud, mobility, and encryption. TIC 3.0 guidance intentionally has a different tone and level of detail when compared to earlier iterations to accommodate this wider variety of environments. The updated guidance regularly uses terms like “abstract,” “conceptual,” “high-level,” “typical,” “notional,” and “theoretical” to convey the intention of the concept while allowing agencies the flexibility they require to interpret the guidance as best fit their needs.
CISA encourages agencies to leverage the Security Capabilities Catalog, use cases, and overlays when implementing the TIC capabilities in their network environment. These documents, in conjunction with documents like National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53, will help agencies design a secure network architecture and determine the appropriate requirements and service providers tailored to their agency. CISA recommends agencies track and record these efforts through architectural and security documentation for auditing and accountability purposes.
For more information on implementing TIC 3.0, please refer to the Reference Architecture.
3. How are MTIPS, EIS, TIC 3.0, and TIC 3.0 use cases connected?
The General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) acquisition vehicle was identified in the Report to the President on Federal IT Modernization as a primary acquisition vehicle for government IT modernization. EIS provides software-defined wide area network (SD-WAN) networking and connectivity options to and from agency networks, cloud services, and the internet. EIS provides agencies the ability to leverage managed security services (MSS) to provide “building blocks” for customized solutions to meet TIC use case requirements. GSA and CISA are working with industry to establish offerings which incorporate cloud-based tools and solutions.
Managed Trusted Internet Protocol Services (MTIPS) remains available as a baseline TIC solution for scenarios in the Traditional TIC Use Case. In addition, GSA is working to remove duplicative or unnecessary deliverables from MTIPS.
4. How do agencies comply with TIC 3.0? Are TIC Compliance Validation (TCV) assessments still required?
TIC 3.0 is non-prescriptive cybersecurity guidance developed to provide agencies with the flexibility to secure distinctive computing scenarios in accordance with their unique risk tolerance levels. While the modernized guidance requires agencies to comply with all applicable telemetry requirements like National Cybersecurity Protection System (NCPS) and Continuous Diagnosis and Mitigation (CDM), TIC 3.0 currently only requires agencies to self-attest on their adherence to the TIC guidance.
This requirement differs from legacy TIC Compliance Validation (TCV) assessments. TCVs were originally codified in OMB M-09-32, which was rescinded in the most recent OMB memorandum (M-19-26) published in September 2019. While TCVs are deprecated, CISA reserves the right to perform an assessment at the direction of OMB and CISA leadership. CISA is working to mature CDM capabilities to provide visibility into the .gov environment. Additional information can be found in the Program Guidebook.
5. Is the traditional TIC model still applicable/acceptable in TIC 3.0?
Yes. With TIC 3.0, agencies have the option to maintain the legacy TIC 2.0 implementation that use TIC access points while adopting TIC 3.0 capabilities. However, agencies are encouraged to leverage the flexibilities outlined in the modernized TIC 3.0 guidance to support the implementation of modern security practices like Zero Trust architecture.
For more information on how to implement the Traditional TIC model in TIC 3.0, please refer to the Traditional TIC Use Case.
6. How do Cloud Smart, FedRAMP, the NIST 800 series, NCPS EINSTEIN, and other current requirements play into the TIC 3.0 program?
TIC 3.0 complements other federal initiatives focused on cloud adoption and federal enterprise network security like the Federal Risk and Authorization Management Program (FedRAMP), the Chief Information Officer Council (CIOC) Cloud Smart strategy, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and the National Cybersecurity Protection System (NCPS) EINSTEIN program. At a high-level, TIC relates to these federal initiatives and requirements in the following ways:
- Agencies must consider FedRAMP authorization when selecting service providers to support their implementation of TIC 3.0 security capabilities in order to support agency risk management responsibilities.
- TIC supports the CIOC Cloud Smart strategy by supplying agencies with use cases to reference when selecting cloud-based security capabilities.
- CISA has mapped the TIC capabilities to the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 to facilitate the development of overlays for several of the more widely used service providers.
- TIC and the NCPS initiatives will continue to support and complement each other in accordance with the Federal Cybersecurity Enhancement Act of 2015. However, CISA will provide independent guidance for each of the respective programs. Agencies should refer to the NCPS Cloud Interface Reference Architecture for telemetry requirements.
For more information on how current federal requirements play into the TIC program, check out the Program Guidebook.
7. How does an agency get selected to run a TIC Pilot?
To ensure the success of the TIC program, CISA, in collaboration with the Federal CISO Council, is looking for agencies to actively participate in pilots. The Council’s TIC Subcommittee is responsible for soliciting and reviewing TIC pilot proposals with CISA and OMB. The TIC Subcommittee assesses the relevance of the pilot to the TIC strategic program goals and, if acceptable, approves the pilot. Upon completion of a pilot, CISA will collect and analyze lessons learned from the sponsoring agency. The outcome can be used to develop new, and augment existing, use cases.
Agencies should be aware that the technical acumen of the project team, availability of resources, like pre-existing contractual arrangements with service providers and leadership buy-in, can impact the successful completion of a pilot. Additionally, agencies are not required to use the full suite of a service providers tools in their pilot, if the agency is focused on testing a smaller subset of services. Agencies should understand the way they utilize services may prevent their pilot from being used to generate a broader use case.
Agencies interested in sponsoring a pilot should reference the guidance outlined in the Pilot Process Handbook.
8. What are the upcoming use cases?
In accordance with OMB M-19-26, CISA has released three draft use cases to date, alongside the five-volume guidance. The use cases focus on TIC 3.0 security requirements for the traditional TIC scenario, branch office scenario, remote user scenario, respectively. The finalized versions of these use cases are projected to be released in Calendar Year (CY) 2021.
OMB M-19-26 also calls for CISA to develop cloud use cases that cover Infrastructure-as-a-Service, Software-as-a-Service, Email-as-a-Service, and Platform-as-a-Service. However, agencies continue to express a desire for CISA to create use cases covering zero trust, Internet of Things (IoT), partner networks, the General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Managed Security Service (MSS), and unified communications. CISA is working with the OMB to understand whether the use cases required in the memo need to be published first.
9. How should service providers/vendors support TIC 3.0?
CISA encourages service providers to produce overlays and be proactive in explaining their security capabilities. The Security Capabilities Catalog and use cases identify the capabilities agencies should consider when securing their environments, but these documents do not map the capabilities to commercially available products. CISA is leaning on industry to fill that gap through overlays.
The Overlay Handbook is positioned to help guide vendors in developing overlays and agencies in using them. CISA encourages vendors to map cybersecurity capabilities inherent in their services to the TIC 3.0 capabilities in the guidance documentation. CISA will not validate or attest to the strength of vendor capability mappings. Agencies should continue to assess vendors through their standard due diligence and risk management processes.
10. What is an overlay? Are any overlays currently available?
TIC overlays map the TIC 3.0 security capabilities to functionality and capabilities within a vendor’s platform or tool. This approach will allow for dynamic updates as vendor capabilities evolve, independent of the update cadence for the TIC 3.0 guidance documentation.
Additional information on overlays can be found in the Overlay Handbook.
For questions concerning the TIC Program, please contact: firstname.lastname@example.org.
Sean Connelly, Trusted Internet Connections Program Manager