Cyberattacks against federal agencies are a persistent, ever-evolving threat that requires an increasingly sophisticated response. The growing use of cloud and mobile environments, coupled with an unprecedented rise in the number of remote workers, has made agencies more vulnerable to the threat of hackers, fraudsters, and malicious state actors who have targeted the federal government’s expansive online presence. The release of an updated version of the Trusted Internet Connections policy (TIC 3.0) puts agencies in a better position to meet these new risk challenges.
One of the primary goals of TIC 3.0 is to facilitate agencies’ move toward modernization, including broader cloud adoption and accommodation of remote workers using multiple devices. If your agency is moving robustly into these areas, now would be an excellent time to consider upgrading your security approach using TIC 3.0 guidance.
TIC 3.0 Upgrades
The TIC initiative, introduced in 2007, was an important step in federal cybersecurity, setting up a framework of security controls, analytics, governance, and application SDLC practices. TIC 3.0 represents the latest guidelines for deploying secure, flexible, and scalable architectures, taking into consideration facets beyond infrastructure technology.
The three agencies overseeing the initiative—the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the General Services Administration (GSA)—cited as their goal for TIC 3.0 to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications. Key upgrades include more flexible guidance and actual use cases to cover the need for alternate approaches to traditional network security.
There are currently four use cases—traditional TIC, cloud, branch office, and remote users—giving agencies the ability to facilitate new information technology solutions suited to today’s changing work environment. Previous TIC versions did not effectively address remote work, even though it has become an increasingly common practice in the workplace. The COVID-19 pandemic has greatly accelerated the pace of remote work, creating an even more urgent need for a strategy that provides secure, reliable access for non-traditional work environments. With proper implementation of TIC 3.0 guidelines, agencies will be able to promote secure network and perimeter traffic within the federal enterprise trust zones, expanding it into all agency traffic.
Assess Your Architecture
The TIC 3.0 Use Case Handbook advises agencies to assess their architecture to determine which use cases are applicable and explains how they can secure their architectures and comply with TIC requirements. I believe this is a great tool for agencies, especially for those that lack the architectural components required for specific use cases.
Agencies are expected to secure network boundaries in accordance with OMB Memorandum M-19-26. However, every agency is different. That’s why it’s important you keep your mission in mind when determining your security approach and also to balance the strategies put forth by TIC 3.0 with your own mission goals.
The Right Cybersecurity Framework for Agencies Matters
The TIC 3.0 framework is based primarily on the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, which consists of five critically important core functions:
Identify: Have a full understanding of your systems, people, assets, data, and capabilities so that you can assess and manage risks.
Protect: Develop and implement appropriate safeguards to limit or contain the impact of a potential cybersecurity event.
Detect: Use continuous monitoring solutions so that you can quickly detect the occurrence of a cybersecurity event.
Respond: Develop a response plan that will allow you to take action and contain the impact of a detected cybersecurity event.
Recover: Develop and implement an effective plan to restore systems and/or assets that were affected by the cybersecurity incident. Incorporate lessons learned into a revised strategy.
Perhaps the most important piece of this framework is that each of these functions is mapped to a Universal Security or Policy Enforcement Point Control within the TIC 3.0 framework. While it is critical to use identity for access as a single point of control, it was eye-opening to learn—as we did from an F5 Labs report—that 33% of breaches initially targeted identities. Thus, the need to protect the identity perimeter is critical.
Access proxies are an effective tool for enforcing a single point of control, providing a consistent method of implementing the access controls and authentication requirements needed in front of applications. This eliminates the need to trust that every application developer is an authentication expert, which is an unlikely scenario.
As you implement your updated security standards, I’d recommend that you have the right adaptive application solutions in place to meet the appropriate aspects of the TIC guidance. You should follow a continuum from code to customer that touches upon the following six core elements that integrate and satisfy many of the guiding principles in the TIC 3.0 framework, particularly as they relate to the relevant use cases for your agency:
- application-centric view (versus infrastructure-focused)
- platform independence as a multi-cloud proposition
- open source at the core
- integrated security
- built-in analytics/AI-enabled
- API first for modern application development
Time to Closely Review Your Agency Security Approach
TIC 3.0 is an excellent opportunity to review your security approach. Because of evolving threats, agency security experts know it’s important to stay vigilant. While technology changes, the ultimate goal remains the same—to protect your agency.
F5 Can Help: Virtually all of F5’s products and capabilities meet some aspect of the TIC guidance, putting us in a strong position to meet many of the recommendations and controls outlined in TIC 3.0. All cabinet-level agencies and branches of the Department of Defense rely on F5 to deliver apps that citizens, employees, and soldiers can securely access at any time, on any device, from any location. At F5, we give our customers the freedom to securely deliver every app, anywhere, with confidence. Learn more at our F5 for US Federal Solutions page.
Bill Church
Chief Technology Officer – F5 US Federal Solutions
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...