TIC-mas is here: CISA issues network security guidance for remote work
Agencies received network security guidance for remote work from the Cybersecurity and Infrastructure Security Agency on Tuesday.
The draft Remote User Use Case is the latest addition to Trusted Internet Connections 3.0 core guidance, which covers the security of external connections to federal networks.
TIC Program Manager Sean Connelly had promised a draft version of the use case by year’s end to replace the Interim Telework Guidance, released in April in response to vendor requests for help aiding agencies with the pandemic surge in telework.
“The draft use case is designed to help agencies preserve security as they move away from traditional network scenarios in support of the maximized telework environment,” said Matt Hartman, acting assistant director of CISA‘s Cybersecurity Division, in the announcement. “CISA expects the security guidance will help agencies improve application performance, reduce costs through reduction of private links and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services.”
Remote users include employees working from home, a hotel or another location outside their agency’s control, as well as mobile devices and even bring your own device (BYOD).
CISA also released a draft Volume 2 of the National Cybersecurity Protection System (NCPS) Cloud Interface Reference Architecture (NCIRA). The second volume builds on TIC program concepts introduced in the first while providing an index of common cloud telemetry reporting patterns and characteristics, so agencies can send cloud-specific data to NCPS cloud-based architecture.
The public has until Jan. 29, 2021, to comment on both draft documents.
Regarding NCIRA, CISA is particularly interested in learning if agencies:
- Find that Volume 1 provides “adequate”background for reporting patterns in Volume 2,
- Have cloud deployments matching those patterns or use different ones.
- Gain sufficient information from the structure.
- Require additional guidance.
- Are interested in having their deployment become a pilot.
CISA pushed the release of finalized versions of the draft Traditional TIC and Branch Office use cases to 2021, with Connelly having said previously that the November election might delay things.
The Traditional TIC Use Case will detail the “castle-and-moat” security strategy that’s existed at most major agencies for about a decade, Connelly said. And the Branch Office Use Case will allow agencies to network directly to the cloud or an external trust zone, rather than going through the headache of directing traffic through their TIC access point or headquarters first.
Potential zero-trust and partner research and development use cases could come in 2021, Connelly said. And CISA is already on the hook for infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), platform-as-a-service (PaaS) and email use cases.
Remaining guidance rounds out CISA’s effort to support multiple architectures for securing agency networks as they increasingly move their data to the cloud and their users off premise during the pandemic.
Finalized versions of initial TIC 3.0 core guidance — the Program Guidebook, Reference Architecture: Volume 1 and Security Capabilities Catalog — were released in July. The first two documents will be fairly static and the latter a living document that adds capabilities and controls into use cases as they’re announced.