Back in December 2019, months before the COVID-19 pandemic hit, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a draft document of its Trusted Internet Connections (TIC) 3.0 guidance.
CISA would later release interim telework guidance in April 2020 and followed that by releasing remote user use case guidance in December 2020. Taken altogether, these documents substantially aided agencies’ move to, and continued use of, remote work environments, Federal officials said Thursday at a FedInsider digital training.
“The timing [of TIC 3.0’s release] was very fortunate for a lot of us,” Sean Connelly, TIC manager at CISA, said at the event. “There’s a number of things that were poised to be available at just the right moment. In TIC 2.0, there was essentially one architecture, the castle and moat and that was how agencies had to lead, and in TIC 3.0, there’s a variety of architectures that we can support.”
The guidance, along with other guidance from NIST and on Zero Trust releasing around the same time, allowed agencies like the Department of Education to move to telework more seamlessly, Steve Hernandez, Department of Education CIO said at the same event.
“We took TIC 3.0 and we also took a considerable amount of the interim TIC guidance for COVID in the pandemic and between the two, we’ve been really able to reimagine what border security looks like but also how we’re moving more of the security to the edge of the discussion and also how we’re moving closer to Zero Trust and Zero Trust architectures,” Hernandez said.
The remote user use case guidance released in December was largely about helping agencies “shrink the attack surface,” Connelly said.
“The document also provides use case-specific guidance towards the TIC 3.0 security capabilities and those create notional trust zones that the agencies may want to consider for segmenting and protecting their environments,” Connelly said. “Ideally, those agencies can use these trust zones, and they want to shrink those trust zones down, shrink the attack surface down as much as possible, but the agencies have the flexibility to understand where to apply those capabilities along the path of the connection from their remote user to their services that they’re connecting to.”
Hernandez said that between the TIC 3.0 guidance and continuity of operations planning (COOP) that the Department of Education was already working on, the agency has been able to continue operations at over 90 percent telework “without missing a beat.”
“Because we had designed an efficient routing mechanism for basically how we get into our network, for most users, it was seamless because the technology said go to the best connection,” Hernandez said. “And then, of course, we were able to also modernize all the TIC pieces … we were able to put those pieces in so that as people were coming through, we still had that great visibility and monitoring that Einstein program and other enhancements out of TIC provide us.”
Connelly said CISA is still in the process of building out guidance for more TIC 3.0 use cases and architectures but said TIC 3.0 aided agencies in how it provided them flexibility in not only architectures, but also in security and how they apply that security.
“I think those three are the keys to flexibility. And one difference – we’re still working with agencies on this – is the determination of risk,” Connelly said. “Before, it was all implicit trust. … Now with the introduction to TIC 3.0, there’s different trust zone levels and in the guidance, for example purposes, we provide three different gradients of trust. High trust zones, medium trust zones, and low trust zones.”