US-CISA has released the core guidance documents for the Trusted Internet Connections (TIC) program...
Hello, this is Mitsuhiko Maruyama (丸山満彦).
From the US Cybersecurity & Infrastructure Security Agency.
● CISA
・2020.07.31 CISA RELEASES TIC 3.0 CORE GUIDANCE DOCUMENTATION
・TIC 3.0 CORE GUIDANCE DOCUMENTS
To start with, the Program Guidebook (Volume 1), the Reference Architecture (Volume 2), and the Security Capabilities Catalog (Volume 3) have been published. They are built on a Zero Trust basis...
The TIC 3.0 core guidance includes:
- Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
- Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
- Security Capabilities Catalog (Volume 3) – Indexes security capabilities relevant to TIC
- Draft Use Case Handbook (Volume 4) – Introduces use cases, which describe an implementation of TIC for each identified use
- Draft Traditional TIC Use Case – Describes the architecture and security capabilities guidance for the conventional TIC implementation
- Draft Branch Office Use Case – Describes the architecture and security capabilities guidance for remote offices
- Draft Service Provider Overlay Handbook (Volume 5) – Introduces overlays, which map the security functions of a service provider to the TIC capabilities
- Overlays are under development and will be released at a later date
- Pilot Process Handbook - Establishes a framework for agencies to execute pilots
- Response to Comments on Draft TIC 3.0 Guidance Documentation – Summarizes the comments received on the draft core documents and the modifications made in response to that feedback
Executive Summary
The Trusted Internet Connections (TIC) initiative was established in 2007 by the National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23. The Office of Management and Budget (OMB), Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and General Services Administration (GSA) oversee the TIC initiative, which originally consolidated federal networks and standardized perimeter security for the federal enterprise.
The TIC initiative has evolved from simply reducing external network connections to protecting agency enterprise perimeters, mobile, and cloud connections with a focus on increasing the use of boundary protection capabilities to protect agency assets from an evolving threat landscape. Over time, greater bandwidth demands, transport encryption, and perimeter services were placed on agency TIC access points beyond their ability to scale. The growing demands on the enterprise perimeter and degraded performance increased the cost and decreased the effectiveness of the TIC initiative when using cloud services.
In 2017, the Report to the President on Federal Information Technology Modernization identified the TIC initiative as a barrier to cloud adoption. Removing barriers to modernization is one of the primary goals of the recent update to the TIC policy, TIC 3.0. A key feature of both the report and the policy update is the ability for agencies to conduct cloud and TIC pilots to leverage modern architectures and technology to improve agency information technology (IT) and cybersecurity approaches to protect assets. Results and lessons learned from the TIC pilots will inform the TIC use cases, developed to support the broader use of cloud by agencies. While the policy update provides greater flexibility, agencies will have to carefully consider the risks associated with hosting agency information and applications in the cloud.
Authorities
The TIC initiative was originally derived from NSPD 54 and HSPD 23. OMB Memorandum (M) 19-26: Update to the Trusted Internet Connections (TIC) Initiative was published to update the initiative and provide agencies with increased flexibility to take advantage of advanced capabilities and flexible architectures, and to remove barriers to cloud and modern technologies. The TIC initiative is also influenced by other federal authorities that set the groundwork for it.
- Federal Information Security Modernization Act (P.L. 113-283), December 2014.
- Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017.
- Report to the President on Federal Information Technology Modernization, December 2017.
A list of relevant legislation, policies, directives, regulations, memoranda, standards, and guidelines can be found in Appendix B.
Scope and Audience of the TIC 3.0 Guidance
The scope of the TIC 3.0 guidance encompasses the TIC initiative and other federal program artifacts and publications necessary to explain key elements, goals, and objectives of TIC 3.0. Publications and artifacts may consist of acquisition, technical, and non-technical procedures and policies that are relevant to support the implementation of TIC capabilities at, or on behalf of, federal agencies.
The primary audience of the TIC 3.0 guidance documentation includes federal civilian agencies, contractors, and vendors that align with the TIC initiative. The documents can be leveraged by stakeholders ranging from policy, acquisition, technical, and cybersecurity personnel to agency information technology leadership (e.g., Chief Information Officers (CIOs) and/or Chief Information Security Officers (CISOs)). Non-federal organizations may derive value from the documents as programs, strategies, and approaches are being considered to address multi-boundary or perimeter security needs.
Reader’s Guide
The TIC initiative is defined through key documents that describe the directive, the program, the capabilities, the implementation guidance, and capability mappings. Each document has an essential role in describing TIC and its implementation. The documents provide an understanding of how changes have led up to the latest version of TIC and why those changes have occurred. The documents go into high-level technical detail to describe the exact changes in architecture for TIC 3.0. The documents are additive; each builds on the other like chapters in a book. As depicted in Figure 1, the documents should be referenced in order and to completion to gain a full understanding of the modernized initiative.
Order | Document | Description
--- | --- | ---
1 | Program Guidebook | Outlines the modernized TIC program and includes historical context
2 | Reference Architecture | Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
3 | Security Capabilities Handbook | Indexes security capabilities relevant to TIC
4 | TIC Use Case Handbook and Use Cases | Describes an implementation of TIC for each identified use
5 | Service Provider Overlay Handbook and Overlays | Maps the security functions of service providers to the TIC capabilities
1. Introduction
Trusted Internet Connections (TIC), originally established in 2007, is a federal cybersecurity initiative intended to enhance network and boundary security across the Federal Government. The Office of Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the General Services Administration (GSA) oversee the TIC initiative through a robust program that sets guidance and an execution framework for agencies to implement a baseline boundary security standard.
The initial versions of the TIC initiative sought to consolidate federal networks and standardize perimeter security for the federal enterprise. As outlined in OMB Memorandum (M) 19-26: Update to the Trusted Internet Connections (TIC) Initiative, this modernized version of the initiative expands upon the original to drive security standards and leverage advances in technology as agencies adopt mobile and cloud environments. The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.
TIC 3.0 Program Guidebook (Volume 1)
Table of Contents
1. Introduction
1.1 Key Terms
1.2 Policy Updates and Strategic Changes
2. Purpose of the Program Guidebook
3. History of TIC
4. Strategic Program Goals
5. Security Objectives of TIC 3.0
6. Modernization Transition Strategy
6.1 Core Program Updates
7. Key Program Documents
8. Security Capabilities, Use Cases, and Overlays
9. TIC Pilot Process
10. Integrating TIC into a Risk Management Plan
11. Telemetry Requirements
11.1 TIC Information Cycle
12. Agency Engagement
13. TIC Service Options
14. TIC and Other Initiatives
15. Conclusion
Appendix A – TIC and NCPS Program Authorities
Appendix B – Key Federal Policy and Directives
Appendix C – Glossary and Definitions
List of Figures
Figure 1: TIC 3.0 Guidance Snapshot
Figure 2: TIC Lens on the Cybersecurity Framework Functions
Figure 3: Transition from a Consolidated to Distributed Security Architecture
Figure 4: TIC 3.0 Key Program Documents List
Figure 5: How an Agency Can Integrate TIC into an Agency Risk Management Plan
Figure 6: TIC Information Cycle
List of Tables
Table 1: Revision History
Table 2: TIC Working Group Participants
Table 3: TIC 3.0 Security Objectives
TIC 3.0 Reference Architecture (Volume 2)
Table of Contents
1. Introduction
1.1 Key Terms
2. Purpose of the Reference Architecture
3. Security Objectives of TIC 3.0
4. Key Concepts of TIC 3.0
4.1 Security Capabilities
4.2 Policy Enforcement Points
4.3 Trust Zones
4.3.1 Trust Levels
4.3.2 Trust Level Considerations
4.3.3 Management Entities
5. Conceptual Implementation of TIC 3.0
5.1 Security Patterns
5.2 Use Case Models
6. Evolving from the Traditional Perimeter Architecture
6.1 A More Flexible TIC Model
7. Conclusion
Appendix A – Glossary and Definitions
List of Figures
Figure 1: TIC 3.0 Guidance Snapshot
Figure 2: Security Capabilities Are Positioned Along Data Flows
Figure 3: PEP Protections Affect Trust
Figure 4: PEP Capabilities Grouped into Shared Positions
Figure 5: Endpoints Sharing PEP Positions Make Up A Trust Zone
Figure 6: Segmentation Within a Trust Zone
Figure 7: Segments as Separate Trust Zones
Figure 8: Example Trust Zone Gradient
Figure 9: Trust Level Designation Examples
Figure 10: Example Security Pattern
Figure 11: Example Security Pattern Implementation Options
Figure 12: Example Use Case Diagram
Figure 13: Example Agency TIC Architecture Diagram
Figure 14: Traditional TIC Trust Zone Diagram
Figure 15: Traditional TIC Trust Zone Diagram for a Distributed Agency
Figure 16: Distributed Policy Enforcement
Figure 17: Logical Trust Zones
List of Tables
Table 1: Revision History
Table 2: TIC 3.0 Security Objectives
Table 3: Sample Trust Considerations
TIC 3.0 Security Capabilities Catalog (Volume 3)
Table of Contents
1. Introduction
1.1 Key Terms
2. Purpose of the Security Capabilities Catalog
3. Security Objectives of TIC 3.0
4. Security Capabilities List
4.1 Universal Security Capabilities
4.2 Policy Enforcement Point Capabilities
5. Conclusion
Appendix A – Glossary and Definitions
List of Figures
Figure 1: TIC 3.0 Guidance Snapshot
Figure 2: TIC Lens on the Cybersecurity Framework Functions
List of Tables
Table 1: Revision History
Table 2: TIC 3.0 Security Objectives
Table 3: Universal Security Capabilities
Table 4: Policy Enforcement Point Security Capabilities for Files
Table 5: Policy Enforcement Point Security Capabilities for Email
Table 6: Policy Enforcement Point Security Capabilities for Web
Table 7: Policy Enforcement Point Security Capabilities for Networking
Table 8: Policy Enforcement Point Security Capabilities for Resiliency
Table 9: Policy Enforcement Point Security Capabilities for DNS
Table 10: Policy Enforcement Point Security Capabilities for Intrusion Detection
Table 11: Policy Enforcement Point Security Capabilities for Enterprise
Table 12: Policy Enforcement Point Security Capabilities for Unified Communications and Collaboration
Table 13: Policy Enforcement Point Security Capabilities for Data Protection