The purpose of the Trusted Internet Connections (TIC) initiative, as outlined in the Office of Management and Budget (OMB) Memorandum M-19-26: Update to the TIC Initiative, is to enhance network and perimeter security across the Federal Government. Initially, this was done through the consolidation of external connections and the deployment of common tools at these access points. While this prior work has been invaluable in securing federal networks and information, the program must adapt to modern architectures and frameworks for government information technology (IT) resource utilization. Accordingly, OMB’s memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities. OMB’s memorandum also establishes a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.
Request for Comments
OMB Memorandum M-19-26 tasks the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with modernizing the TIC initiative to help accelerate the adoption of cloud, mobile, and other emerging technologies. To further this effort, CISA is releasing draft guidance to assist federal civilian agencies in their transition to contemporary architectures and services.
The updated draft TIC guidance provides agencies with the flexibility to secure distinctive computing scenarios in accordance with their unique risk tolerance levels. Agencies are expected to reference the initiative’s Program Guidebook, Reference Architecture, and Security Capabilities Handbook to determine how to protect their environments to conform with their risk management strategy and the security considerations outlined in TIC Use Cases.
Note: Historical TIC program documentation has been archived to the TIC page on OMB MAX.
The following draft TIC guidance documents are sequential in nature and should be read in the following order to gain a complete understanding of the modernized initiative:
- Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
- Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
- Security Capabilities Handbook (Volume 3) – Indexes security capabilities relevant to TIC
- Use Case Handbook (Volume 4) – Introduces use cases, which describe an implementation of TIC for each identified use
- Service Provider Overlay Handbook (Volume 5) – Introduces overlays, which map the security functions of a service provider to the TIC capabilities
  - Overlays are under development and will be released at a later date
The use cases, overlays, and security capabilities will continue to be developed, including those listed in OMB Memorandum M-19-26. CISA expects to post updates to the Security Capabilities Handbook, and additional TIC Use Cases, to this site as they become available. CISA is coordinating with the Federal Chief Information Security Officers Council TIC Subcommittee to develop use cases above and beyond those listed in the memoranda, including use cases for Zero Trust, Partner Networks, and other pertinent scenarios. The TIC PMO is collaborating with cloud and other service providers to develop the overlays. Agencies should refer to the Service Provider Overlay Repository on GitHub to retrieve overlays produced by third-party service providers.
The TIC Use Cases posted to this site are not an exhaustive representation of all the scenarios agencies may wish to consider when securing their environments. Agencies are encouraged to combine use cases, as appropriate, to suit their needs.
TIC Use Case Pilots
Agencies are encouraged to participate in TIC pilots that may be developed into use cases to help identify the security capabilities required to protect different types of modern computing scenarios. CISA, in coordination with the OMB and the Federal CISO Council, established a framework for agencies to execute pilots.
Agencies interested in piloting potential use cases should review the process outlined in the Pilot Process Handbook. Pilot proposals should be submitted to the Federal CISO Council TIC Subcommittee. Additional pilot information can be found on the TIC Pilot Process page on OMB MAX.
TIC & National Cybersecurity Protection System
The National Cybersecurity Protection System (NCPS) is supporting the TIC modernization efforts via the release of its Cloud Interface Reference Architecture. This document begins to explain how agencies can satisfy CISA's EINSTEIN cloud requirements.
Additional information regarding NCPS can be found on the program's CISA web page.
Comments & Key Questions
CISA is interested in gathering agency responses focused on the following key questions:
- How does your agency expect to utilize the updated TIC guidance to modernize and secure its environments?
- How does your agency expect to adopt the TIC Use Cases?
- Does your agency have any suggestions for other use cases?
- Are there additional documents or artifacts that would be helpful to agencies when implementing the TIC guidance?
Comments addressing these questions should be submitted via the issue submission form on GitHub. The TIC PMO can also be reached at email@example.com. All comments should be submitted by January 31, 2020, and may be publicly displayed (excluding contact information) on the GitHub comment repository.
CISA expects to adjudicate the comments and release the final guidance documents in Spring 2020.
1. Are TIC Compliance Validation assessments still required? How do agencies comply with TIC Use Cases?
TIC 3.0 is cybersecurity guidance developed to provide agencies with the flexibility to secure distinctive computing scenarios in accordance with their unique risk tolerance levels. As such and in accordance with the National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23, TIC requires agencies to comply with applicable telemetry requirements. Currently, TIC 3.0 requires agencies to provide self-attestation on their adherence to the TIC guidance. In the modernized program, TIC Compliance Validation (TCV) assessments are not currently required. Additional information can be found in the TIC 3.0 Program Guidebook. The TIC Program Management Office (PMO) is closely coordinating with the Continuous Diagnostics and Mitigation (CDM) PMO on ways to automate and promote continuous verification.
2. How do agencies implement TIC 3.0?
Due to the wide variety of modern IT environments and requirements based upon the agency’s missions, needs and resources, the updated policy allows for broader interpretation authorities to be assumed by the agencies. As modern architectures become both more complex and diverse, TIC 3.0 accommodates a wide variety of scenarios, focusing on cloud, mobility and encryption. TIC 3.0 guidance intentionally has a different tone and level of detail when compared to earlier iterations to accommodate this wider variety of environments. The guidance regularly uses terms such as “abstract,” “conceptual,” “high-level,” “typical,” “notional,” and “theoretical” to convey the intention of the concept while allowing agencies the flexibility they require to interpret the guidance as best fits their needs.
3. How should agencies use the TIC 3.0 guidance?
The documents, listed in the figure, are intended to be used collectively to achieve the goals of the program. The documents are additive; each builds on the other like chapters in a book. The catalog of TIC documents is depicted in the figure below.
4. How should agencies use the Use Cases and Overlays?
TIC Use Cases and Overlays supplement the guidance detailed in the TIC 3.0 Reference Architecture. TIC Use Cases provide guidance on the secure implementation and/or configuration of specific platforms, services and environments. The guidance is derived from pilot programs and best practices from the public and private sector. The purpose of each TIC Use Case is to identify the applicable security architectures, data flows, and environments and describe the implementation of the security capabilities in a given scenario. The use cases will include details on traffic flow and the implementation of TIC security capabilities. Service Provider (SP) Overlays map the TIC 3.0 security capabilities to functionality and capabilities within an SP’s platform or tool. This approach will allow capabilities to evolve with the need to update use cases independent of the overlays. Overlays will be reviewed and updated to keep pace with SP offerings. Additional information can be found in the TIC 3.0 Use Case Handbook and TIC 3.0 Service Provider Overlay Handbook.
5. If an agency’s network complies with TIC 2.2, does the agency need to take immediate action to update to TIC 3.0?
No. While OMB Memorandum M-19-26 deprecates the original policies that categorized agencies as TICAP and Service Seeking Agencies, the legacy architectures are still valid under the modernized guidance. With TIC 3.0, agencies have the option to either maintain existing TIC compliance and relationships under the legacy policy construct or leverage the flexibilities outlined in the modernized TIC 3.0 guidance.
6. How do EINSTEIN requirements integrate with TIC 3.0?
CISA continues to provide security capabilities in accordance with the Federal Cybersecurity Enhancement Act of 2015 to protect “all information traveling between an agency information system and any information system other than an agency information system.” While the relationship between NCPS EINSTEIN and the TIC initiative has changed in TIC 3.0, the initiatives will continue to support and complement each other in accordance with this legislation. The NCPS PMO and TIC PMO will independently provide guidance for their respective initiatives. Additional information regarding the relationship between the TIC and NCPS initiatives can be found in the TIC 3.0 Program Guidebook.
7. How does an agency get selected to run a TIC Pilot?
To ensure the success of the TIC program, the Federal CISO Council TIC Subcommittee is looking for agencies to actively participate in pilots. A pilot should test the configuration and security capabilities of a technology in an agency’s environment. Each pilot is expected to:
- Address technology that can be used by the broader Federal Government,
- Identify applicable security capabilities to secure their environments,
- Explain how the applicable security capabilities requirements are met,
- Follow a defined and structured timeline,
- Be carefully considered and planned, and
- Be supported by agency leadership.
The piloting process is a collaborative and iterative process that ensures consistency in the execution of each pilot. Sponsoring agencies are the primary executors of this process, while other key stakeholders, such as CISA, OMB, GSA and the Federal CISO Council TIC Subcommittee, will review submissions, provide feedback and offer ongoing support in accordance with OMB Memorandum M-19-26. The TIC Subcommittee reviews the proposal with key stakeholders, assessing the relevance of the pilot to the TIC strategic program goals and, if acceptable, approves the pilot. Upon completion of a pilot, CISA will collect and analyze lessons learned from the sponsoring agency. The outcome can be used to develop new, and augment existing, use cases. Agencies interested in sponsoring a pilot should reference the guidance outlined in the TIC 3.0 Pilot Process Handbook.
8. Are there any other use cases currently in development?
Use cases for Zero Trust, Partner Networks, and other pertinent scenarios are in development. CISA will post the use cases to this site as they become available.
For questions concerning the TIC Program, please contact: firstname.lastname@example.org
Sean Connelly, Trusted Internet Connections Program Manager