CISA encourages agencies to read and review the Trusted Internet Connections (TIC) homepage and associated guidance for TIC 3.0 as the primary avenue to answer outstanding questions. However, to aid agencies in implementing the guidance, CISA maintains this list of frequently asked questions (FAQ) for agencies’ reference.
1. How does TIC 3.0 differ from earlier versions of the program?
TIC 2.0 focused exclusively on securing an agency’s perimeter by funneling all incoming and outgoing agency data through a TIC access point based on a traditional network architecture. Through Office of Management and Budget (OMB) M-19-26, OMB focuses on strategy, architecture, and visibility in TIC 3.0, recognizing the need to account for multiple and diverse architectures rather than the single-perimeter approach of TIC 2.0. The flexibility embedded into the new guidance allows agencies to implement security capabilities in a way that best fits their network architectures, IT modernization roadmaps, risk management approaches, and more. TIC 3.0 allows agencies to position security capabilities closer to the data using trust zones, policy enforcement points, and use cases rather than rerouting the data to inspection sensors. TIC 3.0 broadens the concepts of the program to accommodate cloud, mobile, and encrypted applications, services, and environments.
To allow agencies this flexibility, CISA works with agencies to conduct pilots in diverse agency environments. The lessons learned from these pilots feed the TIC 3.0 Use Cases. Agencies are encouraged to participate in TIC 3.0 pilots to bolster the current use cases and support the development of additional use cases.
Additional information can be found in the Program Guidebook.
2. How do agencies implement TIC 3.0?
Modern .gov IT environments and security requirements vary based on each agency’s mission, needs, and resources. TIC 3.0 addresses these differences by allowing agencies broader interpretation authorities when choosing security capabilities and designing network architectures. As modern architectures become more complex and diverse, TIC 3.0 accommodates a wide variety of scenarios, focusing on cloud, mobility, and encryption. TIC 3.0 guidance adopts a broader and less prescriptive tone compared to earlier iterations to accommodate this wide variety of environments. The updated guidance regularly uses terms like “abstract,” “conceptual,” “high-level,” “typical,” “notional,” and “theoretical” to encourage agencies to be flexible as they interpret the guidance in the way that best fits their needs.
CISA encourages agencies to leverage the Security Capabilities Catalog, use cases, and overlays when implementing the TIC capabilities in their network environment. These documents, in conjunction with documents like National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53, will help agencies design a secure network architecture and determine the appropriate requirements and service providers tailored to their agency. CISA recommends agencies track and record these efforts through architectural and security documentation for auditing and accountability purposes.
For more information on implementing TIC 3.0, please refer to the Reference Architecture. CISA also recommends referencing Module 2 of the TIC 3.0 Training course, found on the Federal Virtual Training Environment (FedVTE), which further explains how the guidance can be used to implement TIC 3.0.
3. How are MTIPS, EIS, TIC 3.0, and TIC 3.0 use cases connected?
The General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) acquisition vehicle was identified in the Report to the President on Federal IT Modernization as a primary acquisition vehicle for government IT modernization. EIS provides software-defined wide area network (SD-WAN) networking and connectivity options to and from agency networks, cloud services, and the internet. EIS provides agencies the ability to leverage managed security services (MSS) to provide “building blocks” for customized solutions to meet TIC use case requirements. GSA and CISA are working with industry to establish offerings which incorporate cloud-based tools and solutions.
Managed Trusted Internet Protocol Services (MTIPS) remains available as a baseline TIC solution for scenarios in the Traditional TIC Use Case. In addition, GSA is working to remove duplicative or unnecessary deliverables from MTIPS.
4. How do agencies comply with TIC 3.0? Are TIC Compliance Validation (TCV) assessments still required?
TIC 3.0 is non-prescriptive cybersecurity guidance developed to provide agencies with the flexibility to secure distinctive computing scenarios in accordance with their unique risk tolerance levels. While the modernized guidance requires agencies to comply with all applicable telemetry requirements like National Cybersecurity Protection System (NCPS) and Continuous Diagnostics and Mitigation (CDM), TIC 3.0 currently only requires agencies to self-attest to their adherence to the TIC guidance.
This requirement differs from legacy TIC Compliance Validation (TCV) assessments. TCVs were originally codified in OMB M-09-32, which was rescinded in the most recent OMB memorandum (M-19-26) published in September 2019. While TCVs are deprecated, CISA reserves the right to perform an assessment at the direction of OMB and CISA leadership. CISA is working to mature CDM capabilities to provide visibility into the .gov environment. Additional information can be found in the Program Guidebook.
5. Is the traditional TIC model still applicable/acceptable in TIC 3.0?
Yes. With TIC 3.0, agencies have the option to maintain legacy TIC 2.0 implementations that use TIC access points while adopting TIC 3.0 capabilities. However, agencies are encouraged to leverage the flexibilities outlined in the modernized TIC 3.0 guidance to support the implementation of modern security practices like Zero Trust architecture.
For more information on how to implement the Traditional TIC model in TIC 3.0, please refer to the Traditional TIC Use Case.
6. How do Cloud Smart, FedRAMP, the NIST 800 series, NCPS EINSTEIN, and other current requirements play into the TIC 3.0 program?
TIC 3.0 complements other federal initiatives focused on cloud adoption and federal enterprise network security like the Federal Risk and Authorization Management Program (FedRAMP), the Chief Information Officer Council (CIOC) Cloud Smart strategy, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and the National Cybersecurity Protection System (NCPS) EINSTEIN program. At a high level, TIC relates to these federal initiatives and requirements in the following ways:
- Agencies must consider FedRAMP authorization when selecting service providers to support their implementation of TIC 3.0 security capabilities in order to support agency risk management responsibilities.
- TIC supports the CIOC Cloud Smart strategy by supplying agencies with use cases to reference when selecting cloud-based security capabilities.
- CISA has mapped the TIC capabilities to the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 to facilitate the development of overlays for several of the more widely used service providers.
- TIC and the NCPS initiatives will continue to support and complement each other in accordance with the Federal Cybersecurity Enhancement Act of 2015. However, CISA will provide independent guidance for each of the respective programs. Agencies should refer to the NCPS Cloud Interface Reference Architecture for telemetry requirements.
For more information on how current federal requirements play into the TIC program, check out the Program Guidebook. Agencies can also reference Module 3 of the TIC 3.0 Training course, found on the Federal Virtual Training Environment (FedVTE), which further explains how TIC 3.0 works with other federal initiatives.
7. How does an agency get selected to run a TIC Pilot?
To ensure the success of the TIC program, CISA, in collaboration with the Federal CISO Council, is looking for agencies to actively participate in pilots. The Council’s TIC Subcommittee is responsible for soliciting and reviewing TIC pilot proposals with CISA and OMB. The TIC Subcommittee assesses the relevance of the pilot to the TIC strategic program goals and, if acceptable, approves the pilot. Upon completion of a pilot, CISA will collect and analyze lessons learned from the sponsoring agency. The outcome can be used to develop new, and augment existing, use cases.
Agencies should be aware that the technical acumen of the project team, the availability of resources (such as pre-existing contractual arrangements with service providers), and leadership buy-in can impact the successful completion of a pilot. Additionally, agencies are not required to use the full suite of a service provider’s tools in their pilot if the agency is focused on testing a smaller subset of services. Agencies should understand that the way they utilize services may prevent their pilot from being used to generate a broader use case.
Agencies interested in sponsoring a pilot should reference the guidance outlined in the Pilot Process Handbook.
8. What are the upcoming use cases?
In accordance with OMB M-19-26, CISA has released three use cases to date, alongside the five-volume guidance: finalized versions of the Traditional TIC Use Case and the Branch Office Use Case, and a draft version of the Remote User Use Case. The finalized version of the Remote User Use Case is projected to be released at the end of Calendar Year (CY) 2021. The use cases can be found on the TIC 3.0 Core Guidance Documents page.
OMB M-19-26 also calls for CISA to develop a Cloud Use Case that covers infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), email-as-a-service, and platform-as-a-service (PaaS). However, agencies continue to express a desire for CISA to create use cases covering zero trust, Internet of Things (IoT), partner networks, the General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Managed Security Service (MSS), and unified communications. CISA is working with OMB to prioritize future use cases.
9. How should service providers/vendors support TIC 3.0?
CISA encourages service providers to produce overlays and be proactive in explaining their security capabilities. The Security Capabilities Catalog and use cases identify the capabilities agencies should consider when securing their environments, but these documents do not map the capabilities to commercially available products. CISA is leaning on industry to fill that gap through overlays.
The Overlay Handbook is positioned to help guide vendors in developing overlays and agencies in using them. CISA encourages vendors to map cybersecurity capabilities inherent in their services to the TIC 3.0 capabilities in the guidance documentation. CISA will not validate or attest to the strength of vendor capability mappings. Agencies should continue to assess vendors through their standard due diligence and risk management processes.
10. What is an overlay? Are any overlays currently available?
TIC overlays map the TIC 3.0 security capabilities to functionality and capabilities within a vendor’s platform or tool. This approach will allow for dynamic updates as vendor capabilities evolve, independent of the update cadence for the TIC 3.0 guidance documentation.
Additional information on overlays can be found in the Overlay Handbook.
11. What resources are available to learn more about TIC 3.0?
CISA has released the TIC 3.0 training to the Federal Virtual Training Environment (FedVTE) to provide an overview of the modernized TIC initiative as defined by the Office of Management and Budget (OMB) Memorandum (M) 19-26. The training is highly recommended before beginning the TIC 3.0 transition.
The training explains how agencies can leverage the new TIC 3.0 guidance to secure their networks. The training also illustrates how the TIC 3.0 guidance can be used to securely transition to a cloud environment and as a pathway to implementing zero trust.
CISA has also partnered with the General Services Administration (GSA) to create webinars on TIC 3.0’s integration with Enterprise Infrastructure Solutions (EIS). The webinars dive into updates on TIC 3.0, the National Cybersecurity Protection System, and EIS.
The most recent version of the webinar is hosted on GSA's Acquisition Gateway and accessible to federal employees only. An older version of the webinar is available to the public, hosted on GSA's YouTube channel.
12. How does TIC 3.0 align with Zero Trust?
TIC 3.0 provides agencies with flexibility to adopt modern security concepts, like zero trust architecture (ZTA). ZTA is defined by seven tenets (outlined in NIST SP 800-53, and explained below) which are a set of ideal goals. TIC 3.0 applies security capabilities in a "holistic" approach that can be aligned with zero trust principles. TIC 3.0 includes new security capabilities related to access control, network segmentation, and data protection to help with agencies’ transition to zero trust, which supports the following tenets:
- All data sources and computing services are considered resources.
TIC 3.0 adopts a flexible framework to address and support advanced security measures across branch offices, remote users, cloud and other service providers, mobile devices, etc. The new TIC model encourages agencies to more precisely define their resources via trust zones determined by agency criteria, such as agency structures, application workflows, and identities. This supports the tenet as the Federal Government transitions into cloud and mobile environments and needs to account for and secure all agency resources, no matter where they’re located.
- All communication is secured regardless of network location.
Instead of securing traffic only at the physical agency network perimeters, TIC 3.0 introduces the concept of policy enforcement points (PEPs) to secure agencies’ multi-boundary environments. In TIC 3.0, agencies can place PEPs between, before, or within a trust zone to secure their communications and data on a more granular level. The PEPs support this tenet by enabling agencies to place security capabilities inside their cloud or mobile environments, protecting communications regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
TIC 3.0 supports the Federal Government’s transition towards ZTA. The modernized TIC guidance includes security capabilities to help agencies enforce stricter access controls, namely the Universal Security Capabilities for Least Privilege and Strong Authentication, in support of this tenet.
- Access to resources is determined by dynamic policy.
TIC 3.0 introduces PEPs—a security device, tool, function, or application that enforces security policies through technical capabilities. PEPs consist of focused security capabilities based on the environment or location in which they are implemented. This supports the tenet by providing access to resources only if the PEP criteria set by the agency are met. PEPs allow security policies to be configured at a more granular level that best fits an agency’s needs.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
TIC 3.0 includes network-level capabilities that inform the technical implementation of specific use cases, known as PEP security capabilities. One of the capability groups within the PEP security capabilities is Data Protection. In support of this tenet, the Data Protection group includes specific security considerations for protecting data at rest and in transit, data loss prevention, and monitoring telemetry for data access and use to help agencies monitor the integrity and security of their network.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
TIC 3.0 uses trust zones and PEPs to secure agencies’ networks at a more microsegmented level. Agencies are encouraged to leverage the universal capabilities on access control and least privilege to dynamically and strictly enforce access to trust zones. The tenet is supported by TIC 3.0 allowing agencies to secure their network more precisely.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
CISA is evolving the National Cybersecurity Protection System (NCPS) program to ensure that security information about cloud-based traffic can be captured and analyzed and CISA analysts can continue to provide situational awareness and support to the agencies. TIC supports this tenet in collaboration with our partners in NCPS by capturing the artifacts collected in TIC PEPs to provide visibility for the agency and CISA. At CISA, these artifacts from the cloud will be ingested into the new NCPS Cloud Log Aggregation Warehouse (CLAW), which collects and analyzes agency cloud security data.
For questions concerning the TIC Program, please contact: email@example.com.
Sean Connelly, Trusted Internet Connections Program Manager