Diving into Government’s Trusted Internet Connections Standard 3.0
The policy lays out the framework for security, but allows agencies to fill in the details based on their unique missions.
The Trusted Internet Connections, or TIC, initiative in government upgraded to the 3.0 standard just before the COVID-19 pandemic struck. It has proven to be an invaluable resource for agencies trying to securely manage their internet connections while quickly adopting a largely telecommuting workforce. But fearing that TIC 3.0 may not go far enough given the circumstances, the Cybersecurity and Infrastructure Security Agency released the Interim Telework Guidance report to help agencies continue to respond to the teleworking situation.
At a recent webinar that I moderated, I was fortunate enough to sit down virtually with Sean Connelly, the TIC program manager and senior cybersecurity architect at CISA, to discuss both TIC 3.0 and the teleworking supplement. Probably more than anyone else, Connelly is responsible for creating the TIC standard for the government, having worked on the original document as well as both the 2.0 and the new 3.0 standard.
As a little background about this critical government program, the need for TIC began back in 2006 when the Office of Management and Budget asked the seemingly simple question of how many internet connections were streaming out from federal agencies. When the answer came back, it was pretty surprising for a lot of people, including those in the White House, which was led by President George W. Bush at the time. It turns out that there were about 4,000 connections, and many of them were not properly secured. There was also no standard that could be used to secure the connections, which created a huge vulnerability.
The federal government as a whole is bigger than some of the largest corporations and a lot more distributed, with each agency responsible for its own missions and objectives. Because of this, it was not surprising that internet connections grew like weeds with no oversight, and would probably continue to grow unless controlled. And so, the first thing that the Trusted Internet Connections initiative did was to consolidate.
“Back in 2007 with direction from Karen Evans and OMB, it was recognized that we needed network consolidation across all of this,” Connelly said. “And we started bringing those 4,000 different connections back to a finite number of locations called TIC access points.”
Once the sheer number of connections was brought under control, the next step was to begin to secure and standardize them. That is when the TIC 2.0 standard was born.
“At [Department of Homeland Security] and CISA, we were starting to deploy our physical centers to monitor the agency environments to get the visibility, this holistic visibility across the whole panorama, if you will,” Connelly said. “TIC wanted the original network to be more focused on consolidating the connections down to the finite access points. And then TIC 2.0 moved to have the standardization and security connections across the enterprise, improving the security posture, awareness and capabilities for everyone.”
TIC 2.0 served government well for a long time, but it was, by design, not very flexible. It also assumed a perimeter security model, which held true at the time but is out of date in today’s world.
Connelly describes TIC 2.0 like a castle, where both federal users and the data that needs to be protected, the so-called crown jewels, reside. In TIC 2.0, agencies need to build firewalls and other defenses to protect that data, and then use limited connections, like a castle’s drawbridges, to temporarily extend to the outside world.
“The traditional model made one type of drawbridge for virtual private networks and remote users to enter the castle to get some of the data inside the castle,” Connelly said. “And then they had a different type of drawbridge for users, those in the castle, to be able to surf the web. And then a separate one for the agencies that have services that are publicly available.”
Like a castle, TIC 2.0 was very strong but not flexible. Today, many of the so-called crown jewels don’t exist inside the castle anymore. They have moved to the cloud. And especially during the pandemic, the users don’t work from inside the castle anymore. TIC 2.0 wasn’t designed to connect remote users to cloud assets, none of which are inside the castle at all. And as written, it could not even fully support modernization because anything that an agency would want to do to modernize would likely be incompatible or restricted based on the 2.0 standard.
That is why the federal government decided to create a new, more flexible standard with 3.0. Instead of mandating certain kinds of hardware, firewalls and network connections, TIC 3.0 provides a series of templates and best practices for agencies to follow. It lays out the framework for security, but allows agencies to fill in the details based on their unique missions and circumstances. Instead of being designed to protect the network, TIC 3.0 is made to protect the entire federal enterprise, no matter where its assets or its users reside.
“With TIC 2.0, there was only one solution in town, and now we have TIC 3.0,” Connelly said. “The traditional perimeter is still the default, but we give alternatives. We have alternate ways to secure data with use cases that provide examples for agencies to leverage how to secure their data.”
TIC 3.0 came out at just the right time, as agencies quickly had to adapt to a large telecommuting workforce, something TIC 2.0 never envisioned. Even with the new standard, initially there was a lot of stress at agencies that went from almost no telecommuting to full telecommuting overnight.
To help even further, CISA released the Interim Telework Guidance to help manage the surge. The document is not meant to be permanent, and will eventually be incorporated into a more comprehensive Remote User Use Case as part of TIC 3.0 later on.
“It was a quick way for agencies to leverage the guidance to support their mission needs while the agency to choose how to implement the security abilities and security architecture … from the traditional VPN users to more virtual desktop users and all the way towards trust,” Connelly said. “There's a large spectrum of uses. But the updates help to secure their networks and execute their missions in a way we did not have before the guidance came out.”
Connelly didn’t know if TIC 3.0 would continue as a living document or eventually get updated to a new, yet unknown 4.0 standard. For now, TIC 3.0 provides agencies with solid cybersecurity planning and advice, along with the freedom to innovate and modernize based on their unique missions and needs.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys