TIC 3.0 Presentation - Connelly


CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

TRUSTED INTERNET CONNECTIONS
MAKING THE RIGHT CONNECTIONS: AN OVERVIEW OF TRUSTED INTERNET CONNECTIONS (TIC) 3.0

Sean Connelly
February 6, 2020
AGENDA

- TIC History
- TIC Present
- TIC Future
- Next Steps

Sean Connelly
2
February 6, 2020
TIC HISTORY

TLP:WHITE

Pre-TIC Federal Horizon

- In the mid 2000s, OMB held a data call asking agencies to inventory their connections to the internet
- Agencies reported ~4,000 external connections
- OMB and the Agency CIOs and CISOs:
  - Were not aware of the total number of connections until the data call
  - Did not have parity of security across all connections
  - Were challenged at managing growth
- DHS was beginning to mature its authorities to monitor and secure the federal .gov horizon


OMB Data Call Reaction

Explicit Goals (it was recognized there was a need for):
- Network consolidation across agencies
- Standardization of the security perimeter
- A platform for DHS/CISA to deploy sensors (EINSTEIN)

Implicit Goals (new authorities required):
- Empower enterprise CIOs and CISOs
- Motivate all agencies towards a stronger cyber posture
- CISA to weaken exfiltration activities across .gov


Program History

TIC 1.0 - Consolidate
- Reduced internet connection points
- Stood up TICs for agencies and MTIPS vendors

TIC 2.0 - 2.2 - Standardize
- Standardized the security of network connections in use by the federal enterprise, improving security posture, awareness, and incident response capability

TIC 3.0 - Modernize
- Environment-agnostic to drive security standards
- Leverages advances in technology as agencies move into the cloud
- Establishes agency and CISA visibility into modern cloud-based computing platforms


Focusing TIC Capabilities

As the goals of TIC evolve, the capabilities also evolve
- TIC 3.0 concentrates on cybersecurity strategy, architecture and visibility
- Capabilities in TIC 2.2 which are not embedded in TIC 3.0 may exist elsewhere
- High-level changes in capabilities are categorized into three criteria:
  - Some TIC 2.2 requirements are no longer applicable
  - Some TIC 2.2 requirements are better captured in other CISA/OMB initiatives
  - CAP Scoring and TCVs were retired


TIC Program Evolution Overview

Each area is listed as: TIC 1 & 2 (pre-2012) / Since TIC 2 release in 2012 / TIC 3.0 future approach

Circuit Consolidation Goal
- TIC 1 & 2: 4,300 down to ~50 TICs
- Since 2012: Declared complete in 2016
- TIC 3.0: Controlled expansion of multi-boundaries

NCPS Compliance Requirement
- TIC 1 & 2: HSPD-54 & TIC
- Since 2012: Federal Cybersecurity Enhancement Act of 2015
- TIC 3.0: Stronger delineation between NCPS and TIC; NCPS Cloud Reference Architecture

Incident Response/NCCIC
- TIC 1 & 2: ~8 TIC Requirements
- Since 2012: M-15-01
- TIC 3.0: CISA's Federal Incident Response Requirements (FIRR); OMB's M-20-04

SCIF, Secure People & Communications
- TIC 1 & 2: ~5 TIC Requirements; SCIF requirements were prepositioned for E3
- Since 2012: TIC 2.2 relaxed requirements in 2016
- TIC 3.0: M-20-04 includes clearance requirements

External Penetration Testing
- TIC 1 & 2: NCATS began in TIC PMO
- Since 2012: NCATS moved out of FNR in 2013
- TIC 3.0: High-level 3rd party testing requirement as applicable

Validation Teams
- TIC 1 & 2: ~17 TICAPs: TCV Teams; MTIPS: TCV Teams; Smalls: Self-attestation
- Since 2012: TCVs disbanded in 2016; currently no validation of TICAPs; MTIPS: No validation; Smalls: No validation
- TIC 3.0: Policy promotes CDM and NCPS visibility; FISMA 2014; TCV teams and framework integrated into HVA assessments

Compliance
- TIC 1 & 2: 2 OMB CAP Goals; POA&M in Cyberscope
- Since 2012: Discontinued as CAP Goals; POA&Ms discontinued; CSP inventory moved to FISMA
- TIC 3.0: FISMA 2014; CDM visibility; NCPS telemetry


TIC 2 Strategic Challenges

TIC 2 Environment
- Consolidation of networks
- One solution that offered a binary choice: networks are either External or Internal
- One security model to meet all data types

Challenges to Traditional TIC
- The perimeter is dissolving: mobile, cloud environments, partner networks, collaboration tools
- The risk tolerance of agencies varies; agency embracement of the same cloud can vary per agency
- Traditional security assets (FW, IDS, WAF, AV) are not as easily transferrable to new environments

TIC PRESENT


OMB Memorandum M-19-26

- Released September 2019
- Tasks DHS CISA with modernizing the TIC initiative
- Calls for updated program guidance, use cases, and pilots
- Focus is towards:
  - Strategy
  - Architecture
  - Visibility


TIC 3.0 Accelerates Cloud Adoption

Eliminates the "TIC Tax":
- Reduces transport costs
- Reduces latency
- Improves user experience

[Diagram: three branch offices, Providers A, B and C, the TIC, and Agency HQ]


Multi-Boundary Approach Benefits

- TIC 3.0 supports the creation of trust zones to address agencies' distributed networks
- These zones create additional network boundaries and require the placement of security capabilities throughout the environment
- The additional security capabilities will give agencies greater visibility into their network, leading to operational and fiscal efficiencies


Multi-Boundary Approach Guidance

Agencies should designate trust zones based on their control, transparency, sensitivity, and verification of the data

Sample Trust Zones

High Trust Zone Examples
- CSP environments
- Agency internal networks
- HVAs

Medium Trust Zone Examples
- CSP environments
- Interagency connections
- Branch office connections

Low Trust Zone Examples
- CSP environments
- Open internet
- Internet 2
- Interagency connections


Key Program Documents

1| Program Guidebook
2| Reference Architecture
3| Security Capabilities Handbook
4| TIC Use Case Handbook & Use Cases
5| SP Overlay Handbook & Overlays

- CISA released updated draft guidance December 2019
- Key draft program documents are high-level and conceptual in nature
- Request for Comments (RFC) period closes February 7, 2020


1| Program Guidebook

- The draft TIC Program Guidebook outlines the modernized TIC program, expectations, and historical context
- Introduces the TIC Strategic Program Goals

TIC Strategic Program Goals
1. Boundary-Focused
2. Descriptive, Not Prescriptive
3. Risk-Based
4. Environment-Agnostic
5. Dynamic and Adaptable
6. Automated and Streamlined Verification
7. Delineate TIC and NCPS


2| Reference Architecture

- The draft Reference Architecture defines the concepts of the program (Trust Zones, PEPs, MGMT) to guide and constrain the diverse implementations of the security capabilities
- Introduces a solid technical foundation that provides a baseline for TIC Use Cases

[Figure: TIC 3.0 Example Trust Zone Diagram]


3| Security Capabilities Handbook

- The draft Security Capabilities Handbook provides a list of security objectives, controls, capabilities, and best practices
- Intended to keep pace with the evolution of policy and technology
- Capabilities will be continuously evaluated and expanded upon

TIC 3.0 Security Objectives
- Manage Traffic
- Protect Traffic Confidentiality
- Protect Traffic Integrity
- Ensure Service Resiliency
- Ensure Effective Response


Security Capabilities Application

- There are two types of security capabilities:
  - Universal (enterprise-level and apply across use cases)
  - Policy Enforcement Point (network-level and apply to specific use cases)
- Agencies should determine the level of rigor required for each security capability with the following considerations:
  - Trust criteria (presented in the Reference Architecture)
  - Federal guidelines
  - Risk tolerance
- Agencies have discretion to position capabilities:
  - In the communication path
  - At endpoints
  - At trust zone boundaries
  - Through service providers


4| Use Case Handbook & Use Cases

- The draft TIC Use Case Handbook introduces use cases, which describe an implementation of TIC for each identified use
- Published use cases (branch office and traditional TIC) reflect current architectures
- CISA and the Federal CISO Council TIC Subcommittee will continue to develop additional use cases (partner networks, zero trust, etc.) over time


Branch Office Use Case Example

The branch office use case defines how network and multi-boundary security should be applied when an agency has personnel in more than one physical location

Use case contains:
- Conceptual architecture
- Security capabilities
- Security patterns
- Telemetry requirements

[Figure: Branch Office Conceptual Architecture]


Branch Office Security Capabilities

Universal Security Capabilities (Capability: Use Case Guidance*)
- Secure Administration: Branch office system components may not permit the same out-of-band administration as…
- Strong Authentication: Agencies must ensure branch office functions with the same authentication protections as…
- Time Synchronization: Agencies should consider whether the branch office component time synchronization occurs against…
- Vulnerability Assessment: The assessment should explicitly consider the case where communication between the…
- Resilience: The Branch Office Use Case presents the agency with the option to depend upon centralized…
- Policy Enforcement Parity: When branch office locations are configured to permit connections to CSP and Web services directly…

PEP Security Capabilities (PEP Capability Group: Inclusion Justification and Implementation Guidance*)
- Files: Branch office users will perform information exchanges utilizing file transfers. The…
- Web: Branch locations may have specialized roles that permit a more granular approach to…
- Networking: Connectivity from the branch location to all other resources must be done utilizing all feasible security mechanisms. Traffic…
- DNS: While it is unlikely an agency will be hosting authoritative name services from a branch location, the agency should ensure…
- Intrusion Detection: Branch locations may have specialized roles that permit a more fine/granular approach to enforcement of IDS protections. Agencies…
- Enterprise: VPN services provide bulk data encryption between network devices for given source/destination locations.

*Use case guidance provided for illustrative purposes only. Refer to Branch Office Use Case for complete information.


Branch Office to CSP Security Pattern

Applicable capabilities are articulated for each security pattern


Branch Office to Web Security Pattern

Capabilities are positioned according to agency discretion


Branch Office Telemetry Sharing

Telemetry diagram provided for illustrative purposes only. Refer to NCPS Cloud Interface RA for complete information.


5| Service Provider Overlay Handbook

- The draft Service Provider (SP) Handbook introduces overlays, which are high-level mappings of a vendor's security functions to the TIC capabilities
- Overlays were developed to address use case limitations, but they are independent of the use cases and do not map to any specific use case
- Mappings may be imprecise since a vendor's security solution may not map exactly to a TIC security capability
- CISA will adjudicate overlays and post them to GitHub as they become available


Service Provider Overlay Examples

TIC Overlay for Azure* (Traditional On-Prem TIC Access Point | TIC Capabilities | Azure Services)
- Restrict | Firewall & ACLs | Network Security Groups (NSG)
- Detect | IPS/IDS | 3rd Party Only
- Restrict | Web Application Firewall (WAF) | Application Gateway
- Monitor | SIEM Log Analytics | Advanced Log Analytics, Azure Monitor
- Identity | Privileged Access Management (PAM) | Azure AD Privileged Identity Management
- Detect | Data Loss Prevention (DLP) | Information Protection (AIP)

TIC Overlay for AWS* (Traditional On-Prem TIC Access Point | TIC Capabilities | AWS Services)
- Restrict | Firewall & ACLs | Security Groups, AWS Network ACLs
- Detect | IPS/IDS | 3rd Party Only
- Restrict | Web Application Firewall (WAF) | AWS WAF, AWS Firewall Manager
- Monitor | SIEM Log Analytics | AWS Security Hub, Amazon GuardDuty
- Identity | Privileged Access Management (PAM) | 3rd Party Only
- Detect | Data Loss Prevention (DLP) | Amazon Macie

*Overlays provided for illustrative purposes only. Refer to vendor overlays for complete information.

Implementing TIC 3.0 Guidance

[Diagram: TIC guidance documents (left) feed Agency Risk Management (center), which produces the agency's implementation documents (right)]

TIC guidance inputs:
- Use Cases
- Security Capabilities Handbook
- Overlays

Agency Risk Management: NIST CSF; NIST SP 800-53 requirements

Agency outputs:
- Architectural Documents
- System Design Documents
- Security Documents
- Acquisition Documents
- Key Artifacts (A&A)

TIC Future


Updated Document Release

Finalized documents will be released Spring 2020


Agency Interpretation

- Agencies are expected to incorporate guidance into their risk management strategy
- Guidance is intentionally abstract, high-level, and theoretical to provide agencies with flexibility to interpret guidance to suit their needs
- Agencies should determine if protections are commensurate with the level of risk pertaining to their computing scenarios
- TIC PMO is collaborating with the Continuous Diagnostics & Mitigation (CDM) program to develop a validation process


Next-Gen Tech Adoption Prioritization

- Pilots will enable agencies to prioritize the adoption of next-generation technologies
- A perpetual pipeline of pilots will ensure continuous learning and updating of guidance
- A DevOps approach (build, test, release) will facilitate faster production of options
- A central repository will be available to stakeholders

[Figure: Pilot / Use Case Development Cycle]


TIC Pilots – Overview

TIC pilots will use real world implementation test cases to identify solutions for securing new types of environments

Pilot Stakeholders
- Sponsoring Agency
- OMB
- Federal CISO Council
- GSA
- CISA


TIC Pilots – Process

1. Federal CISO Council announces a data call for pilot proposals
2. Agencies submit pilot proposals
3. Federal CISO Council selects proposals for pilot(s)
4. CISA works with the pilot agency
5. Agency completes the pilot
6. CISA distills the pilot's lessons learned into a use case
7. Federal CISO Council approves the use case for agency adoption
8. GSA adds use cases to service packages

Process provided for illustrative purposes only. Refer to Pilot Process Handbook for complete information.


TIC Pilots – Agency Participation

- CISA is seeking agencies to actively participate in pilots
- Agencies should submit Pilot Proposals to the Federal CISO Council
- A TIC 3.0 pilot should test the configuration and security capabilities of a technology in an agency's environment
- Upon completion of a pilot, CISA will collect and analyze lessons learned from the sponsoring agency


TIC 3.0 Use Case & Overlay Cadence

Use cases and overlays can be developed at different paces

[Chart: Sample Document Cadence over a 12-month duration (0, 3, 6, 9, 12 months). Use Cases track: Pilots A through D, each leading to Use Cases 1 through 4. Service Provider (SP) Overlays track: Overlays 1 through 6. Key: Pilot Proposal, Pilot, Use Case Creation, SP Engagement, Overlay Creation]

Anticipated Use Cases

OMB M-19-26 Use Cases
- Traditional TIC
- Cloud:
  - Infrastructure as a Service
  - Software as a Service
  - Email as a Service
  - Platform as a Service
- Branch Office
- Remote Users

Potential Use Cases
- Zero Trust
- Internet of Things (IoT)
- Partner Networks
- GSA Enterprise Infrastructure Solutions (EIS)
- Unified Communications

TIC 2.0 vs Zero Trust

TIC 2.0
- Perimeter-based strategy
- Network focused
- Host-agnostic
- Consolidation/control of networks
- Relies on tools/sensors on the network

Zero Trust
- Data protection strategy
- Endpoint focused
- Network-agnostic
- Networks are suspect
- Relies on APIs/agents on the endpoints


TIC 3.0 & Zero Trust

- Independent Zero Trust Architecture (ZTA) efforts have been going on for over a year
- TIC 3.0 aligns with ZTA goals & objectives
- OMB, NIST, GSA, and CISA have been meeting with agencies and vendors for the last year
- There is enough critical mass to begin and formalize ZTA towards TIC 3.0
- Zero Trust is not a complete enterprise solution for federal enterprises (yet)


TIC & NCPS

- NCPS released the draft Cloud Interface Reference Architecture
- Agencies should refer to that document for telemetry requirements
- Contact NCPS for additional information


GSA EIS Support for Modernization

- The Report to the President on Federal IT Modernization identified EIS as a primary acquisition vehicle for government IT modernization
- EIS encourages SD-WAN, Zero Trust, 5G/IoT and cloud-based security solutions
- Security "building blocks" are already in the contract to create new solutions
- GSA and CISA will work with Industry to establish baseline solution sets once new services reach a maturity level


GSA EIS Support for TIC Policy Update

Managed Network Services
- SD-WAN
- Secure connections to cloud services

Managed Security Services
- Managed Prevention Service (MPS)
- Vulnerability Scanning Service (VSS)
- Incident Response Service (INRS)

TIC 2.2/MTIPS
- MTIPS remains available as a baseline package

SaaS-based tools
- Flexibility to update existing and add new cybersecurity services as needed in response to evolving threats


Future of the Federal Enterprise

- Data centers are no longer the center of the enterprise
- The federal enterprise of tomorrow will support:
  - More work performed off of the enterprise network than on it
  - More workloads running in the cloud than at data centers
  - More traffic destined to the cloud than to data centers
  - More traffic from branch offices going directly to the cloud than to the enterprise


TIC & Future Federal Enterprise

- The flexibility provided by TIC 3.0 can be used to shape the federal enterprise of the future
- TIC 3.0 allows agencies to place security capabilities closer to the data, and does not force the rerouting of data to the inspection sensors

[Diagram: TIC 2.2 (Consolidated Architecture) beside TIC 3.0 (Distributed Architecture), showing Email, Web, Service Provider, Branch Office and Agency HQ connections, the TIC, and PEPs; in the distributed view, individual capabilities (Capability 1 through Capability 7) are placed at PEPs rather than all security capabilities at a single TIC]


TIC Future Goals

The TIC initiative will continue to evolve to support its core goals:
- Empower enterprise CIOs and CISOs
- Motivate all agencies towards a stronger cyber posture
- CISA to weaken exfiltration activities across .gov

By remaining committed to these goals, TIC will ensure it continues to provide visibility into network traffic while enabling agencies to secure their ever-fluctuating boundaries and perimeters

NEXT STEPS


Request for Comments

Agencies are encouraged to answer RFC questions:

1. How does your agency expect to utilize the updated TIC guidance to modernize and secure its environments?
2. How does your agency expect to adopt the TIC Use Cases?
3. Does your agency have any suggestions for other use cases?
4. Are there additional documents or artifacts that would be helpful to agencies when implementing the TIC guidance?

Comments addressing these questions should be submitted via the issue submission form on GitHub (https://github.com/cisagov/tic3.0/issues/new) or via email at [email protected]. All comments should be submitted by February 7, 2020.

Questions?

Contact TIC PMO at [email protected]
