New Department of Homeland Security draft guidance on an updated version of the federal government’s external network security program takes a new approach to trust, moving toward a more “nuanced” view to allow for flexibility across different agencies’ mission areas.
The draft guidance, released for public comment Dec. 20 by Homeland Security’s Cybersecurity and Infrastructure Security Agency, outlines significant changes to the Trusted Internet Connections program, which secures federal agencies’ external network connections, as federal agencies continue to add remote users and move parts of their network into the cloud. The draft documents, released in five volumes, are out for comment from Dec. 23 to Jan. 31, 2020.
CISA wrote in the draft that, under the new TIC, the government is ditching old documents that established a “strictly-defined” approach to trust, instead taking an approach that “recognizes the reality that the definition of ‘trust’ may vary across specific computing contexts."
The new approach to trust is a significant change in the broad TIC 3.0 plan aimed at revising the federal government’s cybersecurity framework focus from securing network perimeters to securing each individual area within a network.
The new TIC aims to create a “flexible” framework to accommodate the growing number of mobile devices, remote users and agency branch offices, as well as higher security standards such as encryption. TIC 3.0 will divide federal networks into “trust zones” aimed at “shifting the emphasis from a strictly physical network perimeter to the boundaries of each zone within an agency environment to ensure baseline security protections across dispersed network environments,” such as remote offices and branch offices, according to the draft documents.
“This shift in approach from securing a single network boundary to a distributed architecture is the most fundamental change from the legacy TIC program,” CISA officials wrote in the draft guidance.
A new memo from the Office of Management and Budget outlines four approved use cases for Trusted Internet Connections.
Agencies must assign a trust level to each trust zone, defined as a computing environment used for processing, storage or transmission. Under the previous TIC 2.0 policy, internet traffic flowed through TIC access points, called Policy Enforcement Points (PEPs), placed on the network perimeter to secure traffic. Under TIC 3.0, PEPs will be allowed to sit on the boundary of trust zones, thus giving “agencies the flexibility to implement security capabilities closer to the agency’s data in the different trust zones.”
“By applying security capabilities throughout their environment, agencies will have greater visibility into their network, leading to increases in operational and fiscal efficiencies,” the officials wrote.
Under the new draft guidance, the old TIC manual compliance validation process and cybersecurity metrics will be eliminated in favor of automated metric collection to create a better picture of agency cybersecurity, instead of point-in-time snapshots of the agency cybersecurity posture.
“The program’s goal is to define scalable, comprehensive and continuous validation processes for ensuring agency implementation of TIC capabilities in contrast to the point-in-time reviews,” the draft guidance reads.
TIC 3.0’s five objectives
The TIC 3.0 draft guidance aims to blend updated cybersecurity measures for federal networks with agencies’ adoption of cloud computing, a cheaper and more effective way for federal agencies to store their data. Office of Management and Budget officials have said that the policy under TIC 2.0, released in 2011 when the federal government was just beginning to move to the cloud, obstructed cloud adoption.
TIC 3.0 encompasses five network security objectives:
- Managing traffic: monitor and validate data connections to ensure the activities on the network are authorized, while also including the practices of least privilege and default deny.
- Protecting traffic confidentiality: guarantee that only authorized users can see data in transit, while also verifying senders and receivers.
- Protecting traffic integrity: prevent data tampering in transit and recognize when data have been altered.
- Ensuring service resiliency: TIC 3.0 wants to promote “resilient application and security services” as technology and threats change.
- Ensuring effective response: the draft security objectives call for “timely” reaction and adaptation to threats with defined policies.
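The trust-zone architecture described above and the “managing traffic” objective (default deny, least privilege, monitoring of connections) can be illustrated with a small model of a policy enforcement point on a zone boundary. The following is an added example written for this page, not code from CISA or from the TIC draft documents; the zone names, trust levels, rules and sample flows are constructed, and the class and function names are this example’s own.

```python
"""Toy model of trust zones with a policy enforcement point (PEP) at the
zone boundary. Added illustration, not CISA's code or the draft's reference
design. Zone names, trust levels and rules below are constructed examples."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Tuple


class TrustLevel(IntEnum):
    LOW = 1      # e.g. the public internet
    MEDIUM = 2   # e.g. a branch office or remote-user zone
    HIGH = 3     # e.g. an agency data-centre enclave


@dataclass(frozen=True)
class Zone:
    name: str
    trust: TrustLevel


@dataclass(frozen=True)
class Rule:
    """An explicit allow: src zone may initiate to dst zone on port/proto."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyEnforcementPoint:
    """Sits on a trust-zone boundary: default deny, explicit allow only,
    and every decision is recorded so connections can be monitored."""

    def __init__(self, zones: Iterable[Zone], rules: Iterable[Rule]):
        self.zones = {z.name: z for z in zones}
        self.rules = frozenset(rules)
        self.audit: List[Tuple[Flow, Decision]] = []

    def evaluate(self, flow: Flow) -> Decision:
        # Traffic from or to an unlabeled zone never matches a rule: deny.
        if flow.src not in self.zones or flow.dst not in self.zones:
            decision = Decision(False, "unknown zone")
        elif Rule(flow.src, flow.dst, flow.port, flow.proto) in self.rules:
            decision = Decision(True, "explicit allow")
        else:
            decision = Decision(False, "default deny")
        self.audit.append((flow, decision))  # monitoring: log every decision
        return decision

    def review_rules(self) -> List[Rule]:
        """Least-privilege check: list rules that let a lower-trust zone
        initiate into a higher-trust zone, so each can be justified."""
        risky = [
            r for r in self.rules
            if self.zones[r.src].trust < self.zones[r.dst].trust
        ]
        return sorted(risky, key=lambda r: (r.src, r.dst, r.port, r.proto))


def build_example_pep() -> PolicyEnforcementPoint:
    """Constructed zones and rules for demonstration."""
    zones = [
        Zone("internet", TrustLevel.LOW),
        Zone("branch", TrustLevel.MEDIUM),
        Zone("datacenter", TrustLevel.HIGH),
    ]
    rules = [
        Rule("branch", "datacenter", 443),      # branch users reach an internal web app
        Rule("internet", "datacenter", 443),    # public-facing service
        Rule("datacenter", "internet", 443),    # outbound updates
    ]
    return PolicyEnforcementPoint(zones, rules)


if __name__ == "__main__":
    pep = build_example_pep()
    for f in (Flow("branch", "datacenter", 443), Flow("branch", "datacenter", 22),
              Flow("internet", "branch", 445), Flow("contractor", "datacenter", 443)):
        d = pep.evaluate(f)
        print(f"{f.src}->{f.dst}:{f.port}/{f.proto}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("rules needing justification:", pep.review_rules())
```

The point of the model is that a flow not matching an explicit rule is denied regardless of which zones it crosses, and that the rule set itself can be reviewed for paths from lower- to higher-trust zones before it is deployed.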
Still, the security measures are meant to provide agencies with flexibility.
“The TIC Security Objectives should be viewed independently of the types of traffic being secured, but different types of traffic will influence how the objectives are interpreted,”
OMB directed DHS to update TIC guidance in a September memo.