The Cybersecurity and Infrastructure Security Agency wants agencies to comment on new draft guidance as they shape their own pilot programs and use cases.
The Cybersecurity and Infrastructure Security Agency wants agency feedback on five draft guidance documents for the new version of the Trusted Internet Connection, TIC 3.0.
The guidance includes a program guidebook, a reference architecture, a security capabilities handbook, a TIC use-case handbook with traditional and branch office examples and a service provider overlay handbook.
Those documents are critical for agencies to review as they digest how to take advantage of TIC 3.0's "less prescriptive, more descriptive" approach to implementing secure internet connections, according to Sean Connelly, CISA's TIC program manager.
The guidance falls into two categories, Connelly said at an Advanced Technology Academic Research Center's TIC 3.0 briefing on Jan. 15. One group is policy-oriented, including the program guidebook and the architecture; the other is operational, including the use cases and overlays, which explain the more flexible capabilities of TIC 3.0 compared to TIC 2.0, he said.
TIC 3.0, he said, "is more multi-boundary focused," unlike the previous guidance's "inside or outside" firewall-focused approach to TIC. "We're looking to become less prescriptive," he said, and allow more agency interpretation of how to secure connections.
Some agencies are already trying out that flexibility in pilots and having some success, but also raising some questions.
For instance, the Department of Health and Human Services Inspector General's Office is using TIC 3.0 to set up two connections for its operations, Hassen Sheikh, the agency's chief technology strategist, said during a panel discussion. One connection is in California, the other in Washington D.C.
The OIG wanted to get around the department's shared connections that slowed things down, he said. It now uses cloud providers for the two TICs, he said.
The State Department, said Gerald Caron, acting director of the agency's enterprise network management office, is experimenting with an overseas-based trusted connection using TIC 3.0. The arrangement, he said, would allow the agency to avoid backhauling its traffic to the U.S. to its stateside TIC. The move will save money and boost performance.
CISA wants agencies to leverage the documents to shape their own pilot programs and use cases. The agency, along with the Office of Management and Budget, the Federal CISO Council and the General Services Administration, have set up a pilot process to test real-world applications, Connelly said.
Agencies can submit a pilot proposal to the CISO Council to move ahead. CISA will monitor the pilot's progress "from the background," he said. Successful pilots can then be turned into use cases.
Comments on the draft documents are due at the end of January.
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: VA benefits platform: Big bang, less bucks