Sean Connelly, Trusted Internet Connections (TIC) program manager at the Cybersecurity and Infrastructure Security Agency (CISA), said this week his office expects to issue finalized documents sometime this spring for version 3.0 of the TIC initiative. The agency issued draft guidance documents for TIC 3.0 late last year.
Speaking at an event organized by FCW, he said the release of finalized TIC 3.0 documents will take place, “ideally, sometime this spring.” He noted that would mark a much quicker timeline compared to the year it took for TIC 2.0 documents to go from proposed to finalized.
In a wide-ranging discussion of the TIC initiative from conception to the TIC 3.0 effort that aims to accelerate Federal agency cloud adoption by allowing for more flexible security architecture, Connelly talked about pilot projects and recent comments about TIC 3.0 tenets in the age of “zero trust” security.
CISA solicited public comments on TIC 3.0, and received some feedback during that process that questioned the idea of establishing “trust zones” in an era when security is shifting more toward a “zero trust” philosophy.
While briefly acknowledging those comments, Connolly said this week the intent of TIC 3.0 is to shrink trust zones in order to reduce attack surfaces. And trust zones, he explained, can comprise something as large as a network, as well as something much smaller, like “a container, an app, a user.” He added, “we hope that is understood by the greater community.”
He also said that independent zero trust architecture (ZTA) efforts have been going on for more than a year, and that TIC 3.0 aligns with ZTA goals and objectives.
The TIC 3.0 effort, he emphasized, aims to accelerate cloud adoption, and in doing so, provide more flexibility to security arrangements, and better adapt to the ongoing dissolution of traditional security perimeters. The policy also eliminates what he called the “TIC tax” that taxes the form of higher data transport costs required by the use of TIC access points, while reducing latency and improving user experience.
He said that two Federal agencies – the Small Business Administration (SBA) and the Department of Energy (DoE) – have completed TIC 3.0 pilots. Other agencies may also be undertaking such pilots, he indicated, but don’t want to disclose that they are in progress.
More pilots are envisioned, and he said the process begins with a call from the Federal CISO Council for proposals. Federal agencies can then submit those proposals, and if selected by the council, CISA will work with the pilot agency. When the pilot is completed, CISA will distill lessons learned into a use case, the council will consider approving the use case for agency adoption, and then the General Services Administration (GSA) will add uses cases to service packages.
Connelly commented that pilots are unique to each agency, affected by the technical acumen of project teams, and only represent a snapshot in time.
Anticipated TIC 3.0 use cases, he said, may include those involving zero trust, internet of things, partner networks, unified communications, and GSA’s Enterprise Infrastructure Solutions (EIS) program.