Editor’s note: This story has been corrected to assert that the Federal CISO Council TIC Subcommittee is calling for agency pilot programs.
The federal government is getting closer to rolling out its Trusted Internet Connection 3.0 policy, and the Cybersecurity and Infrastructure Security Agency is laying the groundwork for agencies to begin using the program. Strategic documents were recently released, and one of the objectives of TIC 3.0 is dividing agencies’ architectures into trust zones.
Sean Connelly, TIC program manager at CISA, said CISA is hosting interagency working groups, with membership from more than 50 agencies. CISA has also conducted one-on-ones with vendors and cloud service providers, and has run pilot programs, he said.
“The interest or the focus on those documents is about the use cases, the overlays and capabilities in them, and the alternative architectures that’s allowed through [the Office of Management and Budget’s] TIC memo,” Connelly said on Federal Monthly Insights - Zero Trust Month.
As CISA works through the adjudication process, Connelly noted some observations about the trust zones, which are, in truth, abstract and conceptual, and about how they might be expanded. But as CISA builds out its TIC 3.0 pilots, the agency needs to see what is available. For now, the pilots are geared more toward infrastructure alternatives and infrastructure service, he said.
“Ideally, though, we expect at some point we’ll start having zero trust pilots when we start embedding some of those concepts more into the zero trust use case itself,” Connelly said on Federal Drive with Tom Temin. “[The trust zone] can be a network, it can be a VPC with a cloud provider. Ideally we want to shrink that trust zone down to be as small as possible to focus on the application, to focus on identity user. But with the pilots we have right now is more focused on a larger spectrum of networks and systems.”
He distinguished between zero trust, a cybersecurity mindset and concept that encourages highly selective network access, and “trust zones,” each of which can be a system, an application or even a person that is secured. It’s the trust zone that needs to be shrunk as much as possible to ensure it’s protected.
The pilots started from a new OMB policy seeking alternative cloud architecture solutions. The federal Chief Information Security Officer Council TIC Subcommittee will soon be calling for new pilots and build-out proposals from agencies. The subcommittee will decide which proposals best meet the intent of the use case and from there, Connelly said, will work with the agency on its architecture risk strategy.
But once the pilots finish, CISA will still observe them in the background to derive lessons that can be built into a draft use case, he said.
Aside from a couple of proposals from the Small Business Administration and others, he expected the subcommittee to announce the guidance ideally in late spring or summer, after which the data call for pilots will start.