First TIC 3.0 use cases finalized
The first finalized Trusted Internet Connections 3.0 use cases helping agencies secure external connections to federal networks were released by the Cybersecurity and Infrastructure Security Agency on Wednesday.
The Traditional TIC Use Case details the “castle-and-moat” security architecture that most major agencies have used for a decade, while the Branch Office Use Case outlines networking directly to the cloud or an external trust zone — rather than directing internet traffic through a TIC access point or headquarters first.
CISA released draft versions of the two use cases in December 2019, but the November presidential election delayed final approval by the Federal Chief Information Security Officer Council until 2021.
TIC Program Manager Sean Connelly said zero-trust and partner research and development use cases might also come in 2021. And CISA already plans to release infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), platform-as-a-service (PaaS), and email use cases at some point.
Remaining guidance rounds out CISA’s effort to support multiple architectures for securing agency networks as they increasingly move their data to the cloud and their users off premise during the COVID-19 pandemic.
A draft Remote User Use Case released in December replaced Interim Telework Guidance that CISA released in April 2020 in response to vendor requests for help aiding agencies with the pandemic surge in telework. And a draft Volume 2 of the National Cybersecurity Protection System (NCPS) Cloud Interface Reference Architecture (NCIRA) was released at the same time providing an index of common cloud telemetry reporting patterns and characteristics, so agencies can send cloud-specific data to NCPS cloud-based architecture.
Finalized versions of initial TIC 3.0 core guidance — the Program Guidebook, Reference Architecture: Volume 1 and Security Capabilities Catalog — were released in July. The first two documents will be fairly static and the latter a living document that adds capabilities and controls into use cases as they’re announced.