“CISA Releases Guidance: IPv6 Considerations for TIC 3.0”
CISA Guidance, September 23, 2021
By Cybersecurity and Infrastructure Security Agency (CISA)
CISA Releases Guidance: IPv6 Considerations for Trusted Internet Connections (TIC) 3.0
Original release date: September 23, 2021
The federal government has prioritized the transition of federal networks to Internet Protocol version 6 (IPv6) since the release of Office of Management and Budget (OMB) Memorandum 05-22 in 2005. In 2020, OMB renewed its focus on IPv6 through the publication of OMB Memorandum 21-07. That memorandum specifically entrusts CISA with enhancing the Trusted Internet Connections (TIC) program to fully support the implementation of IPv6 in federal IT systems.
In accordance with this OMB mandate, CISA has issued IPv6 Considerations for TIC 3.0 to provide federal agencies with guidance to help them use IPv6 to secure their networks by:
- Providing IPv6 protocol information to enable a general understanding,
- Informing agencies of their responsibilities concerning OMB M-21-07,
- Aligning TIC 3.0 security objectives and security capabilities with IPv6, and
- Offering awareness and guidance regarding IPv6 security considerations.
CISA encourages IT decision-makers and administrators in all federal government agencies and organizations to review IPv6 Considerations for TIC 3.0 to facilitate advancing IPv6 networks and ensuring future growth and innovation in internet services and technology.
TIC 3.0 core guidance documents are intended to be used collectively in order to achieve the goals of the program. The documents are additive; each builds on the other like chapters in a book. The final core guidance is available below.
The TIC 3.0 core guidance documents are sequential in nature and include:
- Program Guidebook (Volume 1) – Outlines the modernized TIC program and includes its historical context
- Reference Architecture (Volume 2) – Defines the concepts of the program to guide and constrain the diverse implementations of the security capabilities
- Security Capabilities Catalog (Volume 3) – Indexes security capabilities relevant to TIC
- Use Case Handbook (Volume 4) – Introduces use cases, which describe an implementation of TIC for each identified use
- Overlay Handbook (Volume 5) – Introduces overlays, which map the security functions of a vendor to the TIC capabilities
The current TIC use cases available, as generally described by the Use Case Handbook, are:
- Traditional TIC Use Case – Describes the architecture and security capabilities guidance for the conventional TIC implementation
- Branch Office Use Case – Describes the architecture and security capabilities guidance for remote offices
- Remote User Use Case – Describes the architecture and security capabilities guidance for remote users
In addition to the core guidance, this page houses other pertinent references, such as:
- Pilot Process Handbook – Establishes a framework for agencies to execute pilots
- Response to Comments on Draft TIC 3.0 Guidance Documentation (2020) – Summarizes the comments and modifications in response to the feedback received for the draft core documents in Summer 2020.
- Response to Comments on TIC 3.0 Traditional TIC Use Case and TIC 3.0 Branch Office Use Case (2021) – Summarizes the comments and modifications in response to feedback received for the draft TIC 3.0 Traditional TIC Use Case and draft TIC 3.0 Branch Office Use Case.
- Response to Comments on TIC 3.0 Remote User Use Case (2021) – Summarizes the comments and modifications in response to feedback received for the draft TIC 3.0 Remote User Use Case.
Deprecated versions of the core guidance can be referenced here for comparison. Additional information regarding TIC 3.0 documentation can be found on the CISA website. Historical TIC program documentation has been archived to the TIC page on OMB MAX.
[Refer to TIC 3.0 Core Guidance Documents for full listing of attached media.]
About the Author:
Cybersecurity and Infrastructure Security Agency: CISA works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future.
CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.
We coordinate security and resilience efforts using trusted partnerships across the private and public sectors, and deliver technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide. CISA also delivers insights on these assessments related to current capabilities to identify gaps, which—along with an examination of emerging technologies—help determine the demand for future capabilities (both near- and long-term).
- Trusted Internet Connections – Frequently Asked Questions
CISA encourages agencies to read and review the Trusted Internet Connections (TIC) homepage and associated guidance for TIC 3.0 as the primary avenue to answer outstanding questions. However, to aid agencies in implementing the guidance, CISA maintains this list of frequently asked questions (FAQ) for agencies’ reference.
- Trusted Internet Connections
Since 2007, the Trusted Internet Connections (TIC) initiative has redefined federal cybersecurity by consolidating network connections and enhancing visibility and security measures throughout the federal network. In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: “Update to the TIC Initiative,” TIC 3.0 expands on the original initiative by leveraging modern security practices and technology to secure a wide range of agency network architectures. Compared to previous iterations of the TIC program, TIC 3.0 is highly iterative, meaning the guidance continually reflects modern processes and technological innovations as they become available. TIC 3.0 recognizes shifts in modern cybersecurity and assists agencies in adoption, while recognizing their challenges and constraints in modernizing IT infrastructure.
- Program Guidebook v1.1 (Volume 1) (PDF)
The Trusted Internet Connections (TIC) initiative was established in 2007 by the National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23. The Office of Management and Budget (OMB), Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and General Services Administration (GSA) oversee the TIC initiative, which originally consolidated federal networks and standardized perimeter security for the federal enterprise.
The TIC initiative has evolved from simply reducing external network connections to protecting agency enterprise perimeters, mobile, and cloud connections with a focus on increasing the use of boundary protection capabilities to protect agency assets from an evolving threat landscape. Over time, greater bandwidth demands, transport encryption, and perimeter services were placed on agency TIC access points beyond their ability to scale. The growing demands on the enterprise perimeter and degraded performance increased the cost and decreased the effectiveness of the TIC initiative when using cloud services.
In 2017, the Report to the President on Federal Information Technology Modernization identified the TIC initiative as a barrier to cloud adoption. Removing barriers to modernization is one of the primary goals of the recent update to the TIC policy, TIC 3.0. A key feature of both the report and the policy update is the ability for agencies to conduct cloud and TIC pilots to leverage modern architectures and technology to improve agency information technology (IT) and cybersecurity approaches to protect assets. Results and lessons learned from the TIC pilots will inform the TIC use cases, developed to support the broader use of cloud by agencies. While the policy update provides greater flexibility, agencies will have to carefully consider the risks associated with hosting agency information and applications in the cloud.