The Cybersecurity and Infrastructure Security Agency (CISA) released interim Trusted Internet Connections (TIC) 3.0 guidance today focused on the rapid transition to telework as Federal agencies adjust their operations to combat the spread of the COVID-19 coronavirus.
The TIC 3.0 Interim Telework Guidance supports Office of Management and Budget Memorandum 20-19, calling on agencies to “utilize technology to the greatest extent practicable to support mission continuity.” The document focuses on how remote Federal employees can securely connect to private government networks and cloud environments.
“This document is intended to be architecture-agnostic and broadly support a wide spectrum of architectural implementations … It is not intended to be prescriptive; instead, it should be leveraged by agencies and adapted for practical teleworking scenarios,” CISA explains in the guidance.
CISA outlines 18 universal security capabilities that agencies should consider when transitioning to telework, including configuration management, incident response planning, and situational awareness. The guidance also outlines a teleworker-to-cloud service provider security pattern, policy enforcement point capabilities, data protection, and intrusion detection, among others.
Federal employees working remotely should refer to the National Cybersecurity Protection System EINSTEIN for security guidance on connecting to the public internet.
Following the release of the TIC 3.0 draft guidance, TIC Program Manager Sean Connelly told MeriTalk in January that the goal of the guidance is to allow agencies to approach network security with some flexibility.
“The guidance provides agencies with the flexibility to determine the placement and level of rigor required for each security capability,” he said. “However, agencies are expected to consider the trust criteria presented in the Reference Architecture, Federal guidelines, and their risk tolerance to determine the rigor required for the security capabilities.”
The short-term TIC 3.0 Interim Telework Guidance will apply through calendar year 2020, CISA said. The guidance is only intended to apply to the current teleworking surge sparked by the coronavirus pandemic. After it expires, the agency expects to incorporate the guide into a Remote User Use Case.
Stephen Kovac, vice president of global government and head of corporate compliance at Zscaler, praised CISA’s efforts to adapt to the changing work environment.
“CISA has shown real leadership, pushing forward quickly with needed changes and guidance for remote telework in this time of need. The new options, like zero trust, for the first time include the potential for direct-to-cloud connections with specific reference to Zero Trust and the importance of connecting authorized users directly to cloud service providers,” he said.
He added that the CISA guidance is supporting a “more modern architecture” that will allow Federal leaders to more quickly adapt to telework. Further, principles throughout the guidance help support other initiatives such as FedRAMP, he said.
“This more modern architecture will give federal leaders an opportunity to more quickly enable employees to work from home with a faster experience and stronger security than possible with VPNs. With the zero-trust approach, users are never on the agency network, there is reduced risk of malware, DDoS, ransomware, and other security risks,” Kovac said.
“The guidance highlights important compliance controls such as the continued requirement to collect and stream telemetry data to DHS as specified under the TIC 3.0 policy, and the continued requirement to meet critical NIST 800-53 guidelines, which govern FedRAMP,” he said.
CISA encourages vendors interested in working with the Federal government to map services in accordance with the new TIC 3.0 Interim Telework Guidance.
Kovac commented, “The new CISA guidance notes vendors are responsible for mapping their services to the suggested TIC objectives and security capabilities. At Zscaler, we’ve already taken these steps. Our FedRAMP authorized TIC 3.0 solutions are based on Zero Trust Architecture (ZTA) and Secure Access Service Edge (SASE) technology. We can connect users to the internet, agency-approved applications (i.e. O365), and applications hosted in destination clouds, directly. Users are never on the network. Importantly, as a cloud-based service, Zscaler is deployed quickly, and scales to help agencies keep teleworkers connected, secure with better performance.”
“To ensure organizations can swiftly respond, the Zscaler team has developed a business continuity program to help organizations give employees fast, secure, reliable access to applications and services and includes free access to professional services to help deploy Zscaler Private Access (ZPA) (FedRAMP Moderate today, with High anticipated in the coming days),” he said.