The Cybersecurity and Infrastructure Security Agency (CISA) has released version 3.2 of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC), a key resource designed to help federal agencies strengthen their cybersecurity defenses.
This updated version aligns with the latest guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 2.0, ensuring that TIC continues to the modern standards.
The new release enhances agencies’ ability to secure their IT environments, particularly as agencies increasingly adopt cloud-based services and decentralized infrastructures.
The Role of the Security Capabilities Catalog
The TIC 3.0 SCC is an essential resource for federal agencies, offering a comprehensive set of security controls, capabilities, and best practices. The catalog’s goal is to guide agencies in implementing secure network environments and ensuring compliance with cybersecurity standards.
With the rapid shift to more complex computing environments, the SCC ensures that agencies can adapt to new risks while maintaining security measures across a variety of computing environments, including cloud, mobile, and on-premises infrastructures.
Version 3.2 of the TIC 3.0 SCC builds on previous releases by integrating the latest updates from the NIST Cybersecurity Framework (CSF). The CSF, which provides a structured approach to managing cybersecurity risks, is based around the core functions of Govern, Identify, Protect, Detect, Respond, and Recover. These functions are vital to organizations’ risk management strategies and are now reflected in the updated catalog’s security capabilities, ensuring that TIC aligns with best practices in managing cybersecurity risks, detecting incidents, and responding to threats.
Key Security Objectives of TIC 3.0
The TIC 3.0 program outlines specific security objectives aimed at mitigating risks as federal data moves through various trust zones, especially with the increasing use of cloud and mobile services. These objectives are designed to provide scalable and consistent protections, regardless of the data’s location or transmission method.
The updated Security Capabilities Catalog helps agencies implement these objectives, ensuring secure management of federal data. One key objective is Manage Traffic, which focuses on filtering data connections to ensure they align with authorized activities, enforcing least privilege and default-deny policies to restrict access to sensitive data.
Another important goal is to Protect Traffic Confidentiality, ensuring that sensitive data remains confidential during transit by securing communication channels to prevent unauthorized access. Protect Traffic Integrity aims to ensure that data in transit remains unaltered, protecting it from tampering by cybercriminals.
Finally, the objective to Ensure Effective Response stresses the need for timely action to mitigate damage during cybersecurity incidents and adapt security policies to address online threats.
Universal and PEP Security Capabilities
The updated SCC divides security capabilities into two primary categories: Universal Security Capabilities and PEP (Policy Enforcement Point) Security Capabilities. Both categories are essential for helping federal agencies secure their networks and implement effective risk management measures.
Universal Security Capabilities
Universal security capabilities are high-level principles that apply to all federal agencies, regardless of their specific use cases, helping them implement broad cybersecurity measures to address enterprise-level risks. Key universal capabilities in the catalog include Backup and Recovery, which ensures that data and configurations are backed up and can be restored in the event of an incident, failure, or corruption.
Central Log Management with Analysis is another critical capability, collecting, storing, and analyzing security logs to support threat detection and forensic analysis. Incident Response Planning and Handling helps agencies prepare for and respond to cybersecurity incidents, ensuring quick recovery and detection measures are in place.
The principle of Least Privilege limits access to the minimum necessary resources, reducing exposure to potential threats, while Patch Management ensures systems are regularly updated with patches to mitigate vulnerabilities from known exploits.
PEP Security Capabilities
PEP security capabilities focus on technical implementations that are more granular and can be tailored to an agency’s specific needs. These capabilities directly support the TIC 3.0 security objectives and align with emerging cybersecurity architectures, such as Zero Trust.
Key examples include Anti-malware, which detects and quarantines malicious code that could compromise the integrity of the network, and Network Segmentation, which divides networks into smaller, isolated segments to limit the spread of cyber threats. Multi-factor Authentication (MFA) adds an extra layer of authentication, ensuring that only authorized users can access sensitive information.
These capabilities are essential for helping agencies implement targeted security measures across diverse environments, including cloud, email, and network security solutions.
