‘Immense’ synergies to be gained between TIC 3.0 and CDM

TIC 3.0 and CDM — both developed by DHS’s CISA — are meant to work hand-in-hand in giving agencies visibility into their IT networks and securing them.
TIC 3.0
(Getty Images)

As agencies gain more flexibility in how they connect to the internet through the government’s Trusted Internet Connection (TIC) 3.0 policy, there are opportunities to leverage natural synergies between the TIC program and how agencies secure their enterprise with the Continuous Diagnostics and Mitigation (CDM) program.

Both programs were developed by and managed through the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security to monitor traffic on federal networks and secure them from external threats.

The synergies are particularly important as more and more agencies connect externally to cloud services — something that the TIC 3.0 policy champions.

“In regard to cloud security, we’re making sure agencies … get the right visibility of their data in the cloud to ensure that it’s protected and make sure they have proper understanding of who’s accessing it,” Kevin Cox, CDM program manager, said during a recent SNG Live session on TIC 3.0. “So we’re working closely with the TIC team, as well as with the agencies to get those right solutions in place.”

James Saunders, CISO of the Small Business Administration, likens TIC and CDM to the peanut butter and jelly of federal cybersecurity.

“Yes, you can eat a peanut butter sandwich by itself or you can eat a jelly sandwich by itself. But together, you get that good old PB&J, right?  So from our perspective, the synergies between the two different programs are immense,” Saunders said.

“TIC to me, it’s that protection piece — making sure your protections are in place so that can counter the adversary — where CDM accounts for that as well as accounts for the ability for you to see what’s happening, and most importantly, share what’s happening with DHS. Because their mission is to see what’s happening across the entirety of the federal enterprise versus just a particular agency.”

Saunders said because TIC and CDM requirements are meant to be so similar, the SBA lumps them together in some regard so that “when we’re selecting tools, building processes, and looking at staff, we’re able to, in short, make sure we’re selecting the right people, processes, procedures to meet those requirements.”

One takeaway from all of this is the increasing ability to use commercial off-the-shelf technology in the government space, said Fortinet CISO Jim Richberg, who devoted much of his career to leading cybersecurity intelligence work in the federal government.

“We’re not saying we’re trying to build typically unique products or capabilities — we’re defining the use cases. TIC does a great job on that,” said Richberg. Then the issue becomes, “What does that imply in terms of network topologies and architectures that you can then deploy things that will give you the high speed diagnostics and the high speed ability from controls to mitigate adverse consequences,” he said.

“So in one sense, it’s a matter of saying, ‘This is the government defining the use cases for which you’re going to apply commercial products to meet CDM-required levels of performance.’”

During the discussion on TIC and CDM, the cybersecurity experts explore more synergies between the two programs. Make sure to see the full video below.

View the full video panel discussion from SNG Live’s virtual event on TIC 3.0.

This article was produced by FedScoop and underwritten by Fortinet.

Latest Podcasts