While the Cybersecurity and Infrastructure Security Agency’s Trusted Internet Connections (TIC) 3.0 guidance was finalized in late July, Program Manager Sean Connelly reiterated at an August 26 FedInsider webinar that the documents are only the first steps of TIC 3.0 efforts.
“The guidance that we released in July, a lot of people look at it as the finish. It’s really just a starting point,” he said. “Now that those core documents are out, now we’ll be starting to focus in on those use cases … We’re really just at the starting point with what we can do with TIC 3.0.”
Connelly explained that the use cases will be announced through the Federal CIO Council and will be a way for agencies to sponsor pilots and work with vendors on TIC solutions. Some use cases, such as the State Department’s branch office use case, are already underway. Representing that effort, Brian Moore, Chief of the State Department’s Perimeter Security Division, explained his perspective on TIC 3.0 development.
“With cloud becoming so prevalent, the performance of on-ramp to the cloud has become such a key performance measurement that the TIC 3.0 freedom that it gives you allows for much better performance while still maintaining the security posture,” he said.
Connelly explained that TIC 1.0 was about consolidating access points and TIC 2.0 moved to have standardization across the enterprise. TIC 3.0, however, is a less prescriptive and more multi-boundary guidance than its predecessors.
“When we talk about the guidance, you don’t hear us talking too much about requirements from CISA or OMB … [It’s] allowing the agencies that flexibility to interpret the guidance to best fit their needs,” he said. “That’s the major difference from TIC 2.0 to TIC 3.0.”
Discussing the State Department’s contributions to TIC 3.0, Moore added, “One of the big things for us … is just the pure flexibility.” He went on to explain that the network perimeter has shifted since the original TIC documents were issued, in connection with many agencies’ moves to cloud or hybrid environments.
TIC 3.0 takes this modernization into account, Moore continued, “The great thing about the TIC 3.0 is it allows you to have that flexibility and acknowledgement that your perimeter is now dispersed and you can have a lot of options available to you in terms of how you can apply, in a secure and predictable way, the principles.”