Should TIC 3.0 Guidance Change Your Security Approach?

Bill Church Miniatura
Bill Church
Published August 31, 2020

Cyberattacks against federal agencies are a persistent, ever-evolving threat that requires an increasingly sophisticated response. The growing use of cloud and mobile environments, coupled with an unprecedented rise in the number of remote workers, has made agencies more vulnerable to the threat of hackers, fraudsters, and malicious state actors who have targeted the federal government’s expansive online presence. The release of an updated version of the Trusted Internet Connections policy (TIC 3.0) puts agencies in a better position to meet these new risk challenges.

One of the primary goals of TIC 3.0 is to facilitate agencies’ move toward modernization, including broader cloud adoption and accommodation of remote workers using multiple devices. If your agency is moving robustly into these areas, now would be an excellent time to consider upgrading your security approach using TIC 3.0 guidance.

TIC 3.0 Upgrades

The TIC initiative, introduced in 2007, was an important step in federal cybersecurity, setting up a framework of security controls, analytics, governance, and application SDLC practices. TIC 3.0 represents the latest guidelines for deploying secure, flexible, and scalable architectures, taking into consideration facets beyond infrastructure technology.

The three agencies overseeing the initiative—the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the General Services Administration (GSA)—cited as their goal for TIC 3.0 to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications. Key upgrades include more flexible guidance and actual use cases to cover the need for alternate approaches to traditional network security.

There are currently four use cases—traditional TIC, cloud, branch office, and remote users—giving agencies the ability to facilitate new information technology solutions suited to today’s changing work environment. Previous TIC versions did not effectively address remote work, even though it has become an increasingly common practice in the workplace. The COVID-19 pandemic has greatly accelerated the pace of remote work, creating an even more urgent need for a strategy that provides secure, reliable access for non-traditional work environments. With proper implementation of TIC 3.0 guidelines, agencies will be able to promote secure network and perimeter traffic within the federal enterprise trust zones, expanding it into all agency traffic.

Assess Your Architecture

The TIC 3.0 Use Case Handbook advises agencies to assess their architecture to determine which use cases are applicable and explains how they can secure their architectures and comply with TIC requirements. I believe this is a great tool for agencies, especially for those that lack the architectural components required for specific use cases.

Agencies are expected to secure network boundaries in accordance with OMB Memorandum M-19-26. However, every agency is different. That’s why it’s important you keep your mission in mind when determining your security approach and also to balance the strategies put forth by TIC 3.0 with your own mission goals.

The Right Cybersecurity Framework for Agencies Matters

The TIC 3.0 framework is based primarily on the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, which consists of five critically important core functions:

Identify: Have a full understanding of your systems, people, assets, data, and capabilities so that you can assess and manage risks.

Protect: Develop and implement appropriate safeguards to limit or contain the impact of a potential cybersecurity event.

Detect: Use continuous monitoring solutions so that you can quickly detect the occurrence of a cybersecurity event.

Respond: Develop a response plan that will allow you to take action and contain the impact of a detected cybersecurity event.

Recover: Develop and implement an effective plan to restore systems and/or assets that were affected by the cybersecurity incident. Incorporate lessons learned into a revised strategy.

Perhaps the most important piece of this framework is that each of these functions is mapped to a Universal Security or Policy Enforcement Point Control within the TIC 3.0 framework. While it is critical to use identity for access as a single point of control, it was eye-opening to learn—as we did from an F5 Labs report—that 33% of breaches initially targeted identities. Thus, the need to protect the identity perimeter is critical.

Access proxies are an effective tool for enforcing a single point of control, providing a consistent method of implementing the access controls and authentication requirements needed in front of applications. This eliminates the need to trust that every application developer is an authentication expert, which is an unlikely scenario.

As you implement your updated security standards, I’d recommend that you have the right adaptive application solutions in place to meet the appropriate aspects of the TIC guidance. You should follow a continuum from code to customer that touches upon the following six core elements that integrate and satisfy many of the guiding principles in the TIC 3.0 framework, particularly as they relate to the relevant use cases for your agency:

  • application-centric view (versus infrastructure-focused)
  • platform independence as a multi-cloud proposition
  • open source at the core
  • integrated security
  • built-in analytics/AI-enabled
  • API first for modern application development

Time to Closely Review Your Agency Security Approach

TIC 3.0 is an excellent opportunity to review your security approach. Because of evolving threats, agency security experts know it’s important to stay vigilant. While technology changes, the ultimate goal remains the same—to protect your agency.

F5 Can Help: Virtually all of F5’s products and capabilities meet some aspect of the TIC guidance, putting us in a strong position to meet many of the recommendations and controls outlined in TIC 3.0. All cabinet-level agencies and branches of the Department of Defense rely on F5 to deliver apps that citizens, employees, and soldiers can securely access at any time, on any device, from any location. At F5, we give our customers the freedom to securely deliver every app, anywhere, with confidence. Learn more at our F5 for US Federal Solutions page.

Bill Church
Chief Technology Officer – F5 US Federal Solutions