CISA updates internet connection policies

network monitoring (nmedia/ 

The Cybersecurity and Infrastructure Security Agency has published finalized versions of core guidance for the Trusted Internet Connection Program.

The TIC 3.0 Program Guidebook, Reference Architecture and Security Capabilities Catalog were all updated to reflect feedback gleaned from nearly 500 comments and questions submitted by the public earlier this year.

According to the agency, much of the feedback it received fell into five categories: proposing additional use cases for the program, questions about how TIC interacted with other agency programs like EINSTEIN and Continuous Diagnostics and Mitigation, questions around how much support CISA plans to provide agencies, requests for additional detail in the Program Guidebook and Reference Architecture documents and requests for more information around the development, schedule and authority of use cases.

Commenters were also seeking additional capabilities at the operating system and application levels, encrypting data at rest and in transit, logging, allow lists and whether any capabilities from TIC 2.0 were still applicable.

In response, the updated documents have been tweaked to support newer technologies employed by agencies and include new architectural and security concepts “to reflect the growing number of cybersecurity threats and adoption of cloud-based services.” It offers more clarity on the relationship between TIC 3.0, zero trust networking, and trust zones established by the program. It has also provided CISA with new insight into how to develop use cases to apply to a broader set of agencies and better leverage service provider capabilities.

Another set of documents -- including the Use Case Handbook, Overlay Handbook, Traditional TIC Use Cases and Branch Office Use Cases – will be refreshed later this summer.

The moves put CISA one-step closer to completing an overhaul of a program that started out as an effort to cut down on the number of trusted internet access points used by federal agencies but has since transformed into a set of network security standards designed to account for a more distributed architecture, accounting for the widespread adoption of cloud computing and an increasingly remote workforce in government.

These days, “an agency’s assets, data, and components are commonly located in areas beyond their network boundary – on remote devices, at cloud data centers, with external partners” and not strictly on-premise at federal facilities, the new security catalogue notes.

Those trends were already happening before the novel coronavirus hit U.S shores this year, and the resulting move to telework for most federal employees in the wake of the pandemic has placed an added sense of urgency on federal IT and security managers. In April, CISA released emergency interim TIC guidance to help federal managers deal with the sudden shift, but it was more an effort to triage the problem in the short-term and expires at the end of this year.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    concept image of radio communication (DARPA)

    What to look for in DOD's coming spectrum strategy

    Interoperability, integration and JADC2 are likely to figure into an updated electromagnetic spectrum strategy expected soon from the Department of Defense.

  • FCW Perspectives
    data funnel (anttoniart/

    Real-world data management

    The pandemic has put new demands on data teams, but old obstacles are still hindering agency efforts.

Stay Connected