CISA looks for input on new, 'less prescriptive' TIC

The Department of Homeland Security is asking agencies for input on the newly issued Trusted Internet Connection (TIC 3.0) draft guidance and hoping they'll get their feet wet implementing the new security policies, according to one of the agency's top cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA) at DHS issued five draft documents for TIC 3.0 on Dec. 20, including a program guidebook, a reference architecture, a security capabilities handbook, a TIC use-case handbook with traditional and branch office examples and a service provider overlay handbook.

All those documents, said Sean Connelly, TIC program manager at CISA, are critical for agencies to review as they digest how TIC 3's "less prescriptive, more descriptive" approach to implementing secure internet connections.

The draft documents follow the Office of Management and Budget's September release of its first guidance update to its secure internet connection policy in over a decade. TIC 3.0 gives agencies more flexibility in how they connect to the net.

The documents are grouped into two categories, Connelly said at an Advanced Technology Academic Research Center's TIC 3.0 briefing on Jan. 15. One is policy-oriented, including the program guidebook and the architecture; the others operational, including the use cases and overlays, explaining the more flexible capabilities of TIC 3.0 compared to TIC 2.0, he said.

TIC 3.0, he said, "is more multi-boundary focused," unlike the previous guidance's "inside or outside" firewall-focused approach to TIC.

"We're looking to become less prescriptive," he said, and allow more agency interpretation of how to secure connections.

Some agencies are already trying out that flexibility in pilots and having some success, but also raising some questions.

For instance, Health and Human Services Inspector General's Office is using TIC 3.0 to set up two connections for its operations -- one in California, the other in Washington D.C., Hassen Sheikh, the agency's chief technology strategist, said during a panel discussion.

The agency was looking to get around the department's shared connections that slowed things down, he said. It now uses cloud providers for the two TICs, he said.

The State Department, said Gerald Caron, acting director of the agency's enterprise network management office, is experimenting with an overseas-based trusted connection using TIC 3.0. The arrangement, he said, would allow the agency to avoid backhauling its traffic to the U.S. to its stateside TIC. The move will save money and boost performance.

CISA wants agencies to leverage the documents to shape their own pilot programs and use cases. The agency, along with the OMB, the Federal CISO Council and the General Services Administration, have set up a pilot process to test real-world applications, Connelly said.

Agencies can submit a pilot proposal to the CISO Council to move ahead. CISA will monitor the pilot's progress "from the background," he said. Successful pilots can then be turned into use cases.

Comments on the draft documents are due at the end of January.