The Trusted Internet Connections (TIC) initiative, since its establishment in 2007, has moved the government from a period of uncontrolled and unmonitored internet connections to a controlled state, reducing the .gov’s attack surface. In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures. This new version of TIC is highly iterative, which means the guidance will better reflect modern processes and technological innovations compared to previous iterations of the program. TIC 3.0 recognizes shifts in modern cybersecurity and pushes agencies toward adoption, while recognizing their challenges and constraints in modernizing IT infrastructure.
In support of the TIC 3.0 Interim Telework Guidance released in April 2020, CISA released a Capacity Enhancement Guide (CEG) for Remote Vulnerability and Patch Management on August 27, 2020. The purpose of this document is to assist federal agencies with patching roaming devices, i.e., remote devices outside agency campus networks. For more information, check out the Complementary Implementation Guidance section below.
The National Cybersecurity Protection System (NCPS) program is evolving to ensure that security information about cloud-based traffic can be captured and analyzed, and CISA analysts can continue to provide situational awareness and support to the agencies. To support this goal, CISA is developing a cloud-based architecture, the Cloud Log Aggregation Warehouse (CLAW), to collect and analyze agency cloud security data. For more information, check out the NCPS Cloud Interface Reference Architecture section below.
Core Guidance Documents
OMB M-19-26 tasks the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with modernizing the TIC initiative to help accelerate the adoption of cloud, mobile, and other emerging technologies. To further this effort, CISA has released guidance to assist federal civilian agencies in their transition to contemporary architectures and services.
The updated TIC guidance provides agencies with the flexibility to secure distinctive computing scenarios in accordance with their unique risk tolerance levels. Agencies are expected to reference the initiative’s Program Guidebook, Reference Architecture, and Security Capabilities Catalog (formerly known as the Security Capabilities Handbook) to determine how to protect their environments to conform with their risk management strategy and the security considerations outlined in TIC Use Cases.
Note: Historical TIC program documentation has been archived to the TIC page on OMB MAX.
The following TIC guidance documents are sequential in nature and should be read in the following order to gain a complete understanding of the modernized initiative:
- Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
- Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
- Security Capabilities Catalog (Volume 3) – Indexes security capabilities relevant to TIC
- Draft Use Case Handbook (Volume 4) – Introduces use cases, which describe an implementation of TIC for each identified use
- Draft Service Provider Overlay Handbook (Volume 5) – Introduces overlays, which map the security functions of a service provider to the TIC capabilities
The use cases, overlays, and security capabilities will continue to be developed, including those listed in OMB M-19-26. CISA expects to post updates to the Security Capabilities Catalog, and additional TIC use cases, to this site as they become available. CISA is coordinating with the Federal Chief Information Security Officers (CISO) Council TIC Subcommittee to develop use cases above and beyond those listed in the memoranda, including use cases for zero trust, partner networks, and other pertinent scenarios. CISA is currently developing overlay guidance for third-party service providers interested in mapping their services to the TIC security capabilities.
The TIC use cases posted to this site are not an exhaustive representation of all the scenarios agencies may wish to consider when securing their environments. Agencies are encouraged to combine use cases, as appropriate, to suit their needs.
CISA expects to release final versions of the Use Case Handbook, Traditional TIC Use Case, Branch Office Use Case, and Overlay Handbook later this summer.
Complementary Implementation Guidance
In addition to the core guidance documents, CISA has developed and released complementary guidance to address exigent needs or support agencies during TIC 3.0 implementation.
TIC 3.0 Interim Telework Guidance
The TIC 3.0 Interim Telework Guidance was produced to support OMB M-20-19 and the surge in teleworking. This document provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments. The guidance is short-term for Calendar Year (CY) 2020 and is expected to be incorporated into a Remote User Use Case.
Capacity Enhancement Guide for Remote Vulnerability and Patch Management
In support of the TIC 3.0 Interim Telework Guidance released in April 2020, CISA released a Capacity Enhancement Guide (CEG) for Remote Vulnerability and Patch Management. The purpose of this document is to assist federal agencies with patching roaming devices, i.e., remote devices outside agency campus networks. This guide assists federal agencies in leveraging the TIC 3.0 Interim Telework Guidance to improve remote vulnerability management efforts to meet the growing demands on network capacity that may otherwise require an increase in bandwidth for existing internet service providers (ISP) or VPN services.
Agencies are encouraged to participate in TIC pilots that may be developed into use cases to help identify the security capabilities required to protect different types of modern computing scenarios. CISA, in coordination with the OMB and the Federal CISO Council, established a framework for agencies to execute pilots. Each pilot is expected to:
- Address technology that can be used by the broader federal government,
- Identify applicable security capabilities to secure their environments,
- Explain how the applicable security capabilities requirements are met,
- Follow a defined and structured timeline,
- Be carefully considered and planned, and
- Be supported by agency leadership.
The piloting process is a collaborative and iterative process that ensures consistency in the execution of each pilot. Sponsoring agencies are the primary executors of this process, while other key stakeholders, like CISA, the Office of Management and Budget (OMB), the General Services Administration (GSA), and the Federal Chief Information Security Officer (CISO) Council TIC Subcommittee, will review submissions, provide feedback and offer ongoing support in accordance with OMB M-19-26.
Agencies interested in piloting potential use cases should review the process outlined in the draft Pilot Process Handbook. Pilot proposals should be submitted to the Federal CISO Council TIC Subcommittee. Additional pilot information can be found on the TIC Pilot Process page on OMB MAX.
CISA expects to release the final version of the Pilot Process Handbook later this summer.
TIC Use Cases
The modernized initiative, M-19-26, no longer requires agencies to route traffic through TIC access points if they have a TIC alternative. The purpose of TIC use cases is to provide agencies with guiderails for implementing TIC 3.0 in scenarios that do not necessarily require the use of a TIC access point. The use cases supplement the guidance detailed in the Reference Architecture.
TIC use cases provide guidance on the secure implementation and/or configuration of specific platforms, services, and environments. The guidance is derived from pilot programs and best practices from the public and private sector. Each use case identifies security architectures, data flows, and environments applicable in a given scenario and describes the implementation of relevant TIC security capabilities.
CISA expects to continuously generate TIC use cases as new and emerging technologies are implemented across the .gov. Agencies must understand the inherent risks in implementing scenarios that do not leverage TIC access points. Agencies must leverage the use cases, in coordination with guidance from the senior official accountable for risk management, to implement compensating controls that fortify their network and cloud environments. Additional information on use cases can be found in the Use Case Handbook.
The TIC Use Cases available to agencies for reference are listed below.
- Draft Traditional TIC Use Case – Describes the architecture and security capabilities guidance for the conventional TIC implementation
- Draft Branch Office Use Case – Describes the architecture and security capabilities guidance for remote offices
CISA is actively working to develop additional use cases. CISA is prioritizing the development of the use cases outlined in M-19-26. After those use cases are complete, CISA will work with agencies to develop other use cases widely applicable across the .gov.
The upcoming use cases outlined in M-19-26 include:
- Remote User
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
- Email-as-a-Service (EaaS)
Other use cases under consideration for development include:
- Zero Trust Architecture
- Internet of Things (IoT)
- Partner Networks
- General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Managed Security Service (MSS)
- Unified Communications
CISA expects to release final versions of the Traditional TIC Use Case and Branch Office Use Case later this summer.
TIC & National Cybersecurity Protection System
As outlined in the TIC 3.0 Program Guidebook, TIC and the National Cybersecurity Protection System (NCPS) initiatives will continue to support and complement each other in accordance with the Federal Cybersecurity Act of 2015. However, CISA will provide independent guidance for each of the respective programs.
The NCPS is supporting the TIC modernization efforts via the release of its Cloud Interface Reference Architecture. This document begins to explain how agencies can satisfy CISA's EINSTEIN cloud requirements.
Additional information concerning NCPS can be found on CISA's NCPS page.
CISA encourages agencies to read and review the core and interim guidance for TIC 3.0 linked above as the primary avenue to answer outstanding questions. However, to aid agencies in implementing the guidance, CISA maintains a list of frequently asked questions for agencies’ reference.
For questions concerning the TIC Program, please contact: firstname.lastname@example.org
Sean Connelly, Trusted Internet Connections Program Manager