CISA fast-tracks TIC telework guidance
- By Derek B. Johnson
- Apr 09, 2020
To better secure telework for federal employees, the Cybersecurity and Infrastructure Security Agency is preparing an update to its Trusted Internet Connection program, possibly as early as this week.
The new guidance is temporary and is set to expire at the end of the year, according to a source outside of government. It will not be part of the TIC 3.0 document set and will not support any use cases for the program. According to those who have seen the draft, the technical guidance will address email, networking, DNS, intrusion detection, data protection and other issues.
Late last year, CISA released draft documents describing a "less prescriptive, more descriptive" approach to the TIC program, which has struggled to adapt to the government's expanding use of cloud computing. The latest iteration, TIC 3.0, was specifically designed to address increasing numbers of federal employees working remotely or connecting to off-premise clouds. Those documents are expected to be finalized this spring.
The 3.0 guidance diverges from previous iterations of the program by emphasizing a distributed architecture rather than securing a single federal network.
An industry source who has reviewed the new guidance said it is designed to augment, not substantially alter, that approach. Rather than wait for use cases or feedback from bodies like the CIO Council, CISA wanted to put out guidance now that would address the explosion of remote connections taking place during the COVID-19 crisis.
According to this source, users will still have to connect through TIC or a TIC-like service, such as use cases created through the program, and cloud service providers must still route telemetry data to EINSTEIN and meet certain requirements set out by the National Institute of Standards and Technology.
"If you look at the current TIC 3.0 … they have taken the telework component out of that and basically put it on an accelerator," the source said.
The use of personal devices like mobile phones or computers to conduct government work is also likely to see an increase. In March, NIST released a draft update to its federal guidance on mobile security that covers topics like data synchronization between personal and work devices, the use of biometric authentication measures like facial recognition or fingerprint scanners, and how system administrators can remotely wipe enterprise data and applications from personal mobile phones.
Federal News Network first reported on the pending TIC update.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.