Are zero trust, IoT the next TIC 3.0 use cases?
The Department of Homeland Security wants to finalize its Trusted Internet Connections 3.0 guidance as soon as possible so pilots for new use cases like zero trust and the Internet of Things (IoT) can ramp up.
TIC 3.0 introduces a multi-boundary approach to network security established in guidance released by the Office of Management and Budget in September and fleshed out by DHS’s Cybersecurity and Infrastructure Security Agency in December.
CISA’s draft guidance is open to public comment through Jan. 31, and it won’t take more than a year to finalize like its predecessor TIC 2.0 did, said Sean Connelly, TIC program manager, at an ATARC briefing Wednesday.
“Pilots have been going on since prerelease of the TIC, and it’s been about five or six pilots,” Connelly told FedScoop after his presentation. “Once we start getting momentum — and after the documents get released — we’ll work with the [Federal CISO Council TIC] Subcommittee to measure how many pilots we’ll work with.”
Those pilots will be evaluated for the possibility of becoming official TIC use cases — “proven, secure scenarios, where agencies are not required to route traffic through a [TIC Access Provider/Managed Trusted Internet Protocol Services] solution to meet the requirements for government-wide intrusion detection and prevention efforts.”
Some of that will depend on the resources stakeholders like the TIC program, Continuous Diagnostics and Mitigation (CDM) program, EINSTEIN program, and General Services Administration can pull together, he added.
The new pilots will begin with the TIC Subcommittee issuing data calls to agencies for proposals in areas like zero trust, Connelly said during his presentation. The subcommittee will then select the pilot or pilots that best reflect the use case, and day-to-day monitoring will be handed over to CISA.
CISA’s job is not to intervene but distill lessons into the use case that the subcommittee will ultimately deliver governmentwide, Connelly said.
The Small Business Administration has had one TIC 3.0 pilot and the Department of Energy two to date, but the TIC program won’t promote the rest without agencies’ go-ahead due to sensitivities, he said.
Current use cases are traditional TIC, cloud (infrastructure-as-a-service, software-as-a-service, email-as-a-service, platform-as-a-service), branch office, and remote users.
But the TIC program office is considering zero trust, IoT, partner networks, and GSA’s Enterprise Infrastructure Solutions as additions.
Typically, one agency pilots one use case for the TIC program, but the divergence of zero-trust architectures could lead to pilots across multiple agencies, Connelly said.
Pilots have taken longer than anyone in government anticipated, which is why the fifth volume of CISA’s guidance, the Security Provider Overlay Handbook, maps the security functions of service providers to TIC capabilities, he said.
Overlays were only developed in the last few months and fill in gaps in use cases, which are intentionally high-level because going into detail on, say, one cloud provider would require that for every cloud provider, Connelly said.
For instance, one overlay gives agencies an idea of the cloud services they can use to restrict traffic — a TIC capability — in lieu of using a firewall.
The challenge for the TIC program with overlays is keeping pace with the speed of new technologies; one cloud service provider added 150 new services in the last month alone, Connelly said.
CISA will adjudicate new overlays and then post them to GitHub, but the process remains a work in progress.
“It depends on where we go with the agencies and what they want to hear,” Connelly told FedScoop. “I just want to have more information, but the pace is just so fast I don’t know where we’re going to be able to fit in.”
Connelly’s office is also in the early stages of working with the CDM program to develop a validation process for monitoring agencies’ TIC environments.
Questions like how to measure vendors and TIC providers remain up in the air, Connelly said.
“A lot of the CDM team and a lot of the TIC team have worked together for a long time. We know where we’re trying to head together,” he said. “It’s also dependent on the maturity of CDM deployments across agencies.”