
Trusted Internet

Connections 3.0
TIC Core Guidance Volume 3:
Security Capabilities Catalog
July 2020
Version 1.0
Cybersecurity and Infrastructure Security Agency
Cybersecurity Division

Revision History
The version number will be updated as the document is modified. This document will be updated as
needed to reflect modern security practices and technologies.

Table 1: Revision History (version, date, revision description, sections/pages affected)

Draft (December 2019): Initial Release. Sections/Pages Affected: All
1.0 (July 2020): Response to RFC Feedback. Sections/Pages Affected: All

Vol. 3: TIC 3.0 Security Capabilities Catalog July 2020



Reader’s Guide
The TIC initiative is defined through key documents that describe the directive, the program, the
capabilities, the implementation guidance, and capability mappings. Each document has an essential role
in describing TIC and its implementation. The documents provide an understanding of how changes have
led up to the latest version of TIC and why those changes have occurred. The documents go into high-
level technical detail to describe the exact changes in architecture for TIC 3.0. The documents are
additive; each builds on the other like chapters in a book. As depicted in Figure 1, the documents should
be referenced in order and to completion to gain a full understanding of the modernized initiative.

Figure 1: TIC 3.0 Guidance Snapshot


TIC 3.0 Security Capabilities Catalog


Table of Contents
1. Introduction
1.1 Key Terms
2. Purpose of the Security Capabilities Catalog
3. Security Objectives of TIC 3.0
4. Security Capabilities List
4.1 Universal Security Capabilities
4.2 Policy Enforcement Point Capabilities
5. Conclusion
Appendix A – Glossary and Definitions

List of Figures
Figure 1: TIC 3.0 Guidance Snapshot
Figure 2: TIC Lens on the Cybersecurity Framework Functions

List of Tables
Table 1: Revision History
Table 2: TIC 3.0 Security Objectives
Table 3: Universal Security Capabilities
Table 4: Policy Enforcement Point Security Capabilities for Files
Table 5: Policy Enforcement Point Security Capabilities for Email
Table 6: Policy Enforcement Point Security Capabilities for Web
Table 7: Policy Enforcement Point Security Capabilities for Networking
Table 8: Policy Enforcement Point Security Capabilities for Resiliency
Table 9: Policy Enforcement Point Security Capabilities for DNS
Table 10: Policy Enforcement Point Security Capabilities for Intrusion Detection
Table 11: Policy Enforcement Point Security Capabilities for Enterprise
Table 12: Policy Enforcement Point Security Capabilities for Unified Communications and Collaboration
Table 13: Policy Enforcement Point Security Capabilities for Data Protection


1. Introduction
Trusted Internet Connections (TIC), originally established in 2007, is a federal cybersecurity initiative
intended to enhance network and boundary security across the Federal Government. The Office of
Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency (CISA), and the General Services Administration (GSA) oversee the TIC
initiative through a robust program that sets guidance and an execution framework for agencies to
implement a baseline boundary security standard.
The initial versions of the TIC initiative sought to consolidate federal networks and standardize perimeter
security for the federal enterprise. As outlined in OMB Memorandum (M) 19-26: Update to the Trusted
Internet Connections (TIC) Initiative [1], this modernized version of the initiative expands upon the original
to drive security standards and leverage advances in technology as agencies adopt mobile and cloud
environments. The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing
visibility into agency traffic, including cloud communications.

1.1 Key Terms


In an effort to avoid confusion, terms frequently used throughout the TIC 3.0 documentation are defined
below. Some of these terms are explained in greater detail throughout the TIC 3.0 guidance. A
comprehensive glossary and acronyms list with applicable attributions can be found in Appendix A.
Boundary: A notional concept that describes the perimeter of a zone (e.g. mobile device services, general
support system (GSS), Software-as-a-Service (SaaS), agency, etc.) within a network architecture. The
bounded area must have an information technology (IT) utility.
Internet: The internet is discussed in two capacities throughout TIC documentation.
1. A means of data and IT traffic transport.
2. An environment used for web browsing purposes, hereafter referred to as “Web.”
Managed Trusted Internet Protocol Services (MTIPS): Services under GSA's Enterprise
Infrastructure Solutions (EIS) contract vehicle that provide TIC solutions to government clients as a
managed security service. Note that the EIS contract is replacing the GSA Networx contract vehicle,
which is set to close out by Fiscal Year (FY) 2023.
Management Entity (MGMT): A notional concept of an entity that oversees and controls security
capabilities. The entity can be an organization, network device, tool, service, or application. The entity
can control the collection, processing, analysis, and display of information collected from the policy
enforcement points (PEPs), and it allows IT professionals to control devices on the network.
Policy Enforcement Point (PEP): A security device, tool, function, or application that enforces security
policies through technical capabilities.
Security Capability: A combination of mutually reinforcing security controls (i.e., safeguards and
countermeasures) implemented by technical means (i.e., functionality in hardware, software, and
firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e.,
procedures performed by individuals) [2]. Security capabilities help to define protections for information
being processed, stored, or transmitted by information systems.

[1] "Update to the Trusted Internet Connections (TIC) Initiative," Office of Management and Budget, M-19-26 (2019). https://www.whitehouse.gov/wp-content/uploads/2019/09/M-19-26.pdf
[2] "Security and Privacy Controls for Federal Information Systems and Organizations," NIST SP 800-53 Rev. 4 (April 2013). http://dx.doi.org/10.6028/NIST.SP.800-53r4


Telemetry: Artifacts derived from security capabilities that provide visibility into security posture.
TIC: The term “TIC” is used throughout the Federal Government to denote different aspects of the TIC
initiative; including the overall TIC program, a physical TIC access point (also known as a Traditional
TIC), and a TIC Access Provider (TICAP – see below). This document refers to TIC as an adjective or as
the Trusted Internet Connections initiative.
TIC Access Point: The physical location where a federal civilian agency consolidates its external
connections and has security controls in place to secure and monitor the connections.
TIC Access Provider (TICAP): An agency or vendor that manages and hosts one or more TIC access
points. Single Service TICAPs serve as a TIC Access Provider only to their own agency. Multi-Service
TICAPs also provide TIC services to other agencies through a shared services model.
TIC Overlay: A mapping of products and services to TIC security capabilities.
TIC Use Case: Guidance on the secure implementation and/or configuration of specific platforms,
services, and environments. A TIC use case contains a conceptual architecture, one or more security
pattern options, security capability implementation guidance, and CISA telemetry guidance for a common
agency computing scenario.
Trust Zone: A discrete computing environment designated for information processing, storage, and/or
transmission that share the rigor or robustness of the applicable security capabilities necessary to protect
the traffic transiting in and out of a zone and/or the information within the zone.
Web: An environment used for web browsing purposes. Also see Internet.

2. Purpose of the Security Capabilities Catalog


The TIC 3.0 Security Capabilities Catalog (Security Capabilities Catalog) provides a list of deployable
security controls, security capabilities, and best practices. The catalog is intended to guide secure
implementation and help agencies satisfy program requirements within discrete networking environments.
The capabilities included in this document can be aligned with TIC overlays to enable deployment of
existing and future TIC use cases.
The Security Capabilities Catalog helps agencies to apply risk management principles and best practices
to protect federal information in various computing scenarios. The trust considerations presented in the
TIC 3.0 Reference Architecture can be further applied to an agency’s implementation of a given use case
to determine the level of rigor required for each capability. In some cases, the security capabilities may
not adequately address residual risks necessary to protect information and systems; agencies are obligated
to identify and apply compensating controls or alternatives that provide commensurate protections.
Additional collaboration with vendors is necessary to ensure security requirements are adequately
fulfilled, configured, and maintained.
The capabilities presented in this document are derived from modern and emerging technologies in
addition to requirements articulated in previous TIC documentation. The following selection criteria
guides decision-making for including capabilities found in Section 4.
• Technology Maturity: Is the underlying technology mature enough to support the adoption of
the capability?
• Sensor Positioning: Can the capability be positioned to effectively measure performance and
security within a network or environment?
• Policy Enforcement Point Deployment: Can the capability be deployed at a policy enforcement
point (PEP) within a given TIC implementation scenario?


• Scoped to TIC Initiative: Does the capability’s purpose fall within the scope of TIC (i.e.,
baseline network security, consolidation of trusted connections, address TIC security objectives)?
• Use Case Applicability: Does the capability apply to one or more networking scenarios (such as
those outlined in TIC use cases)?
• Goal-Based: Does the capability specify a goal to be achieved (rather than specifying how to
achieve a goal)?

The list of security capabilities in this catalog does not represent an exhaustive listing of security
capabilities; many otherwise valuable security capabilities are excluded by the selection criteria above.
For example, while supply chain risk is an important security consideration, it falls outside the scope of
the TIC initiative.
The Security Capabilities Catalog is intended to keep pace with the evolution of policy and technology.
Consequently, this document will be updated periodically to assess existing TIC capabilities against
changes in business mission needs, market trends, and threat landscape.

3. Security Objectives of TIC 3.0


As the Federal Government continues to expand into cloud and mobile environments, an agency’s assets,
data, and components are commonly located in areas beyond their network boundary – on remote devices,
at cloud data centers, with external partners, etc. To protect these dispersed assets, the TIC program
defines encompassing security objectives to guide agencies in securing their network traffic. The
objectives intend to limit the likelihood of a cybersecurity event. Agencies are granted discretion to apply
the objectives at a level commensurate to the type of resources being protected.


The TIC security objectives are defined independently of the type of traffic being secured, although the
type of traffic will influence how each objective is interpreted. Each objective stands on its own,
independent of the other objectives. The objectives are not an order of operations: an agency is not
required to satisfy one objective before it can pursue another.
The TIC objectives, described in Table 2, are intended to set expectations for architectures, guide
implementation, and establish clear goals at the network level. The term “traffic” in the TIC objectives
refers to network traffic or data in transit between trust zones or stored at either or both trust zones.
Table 2: TIC 3.0 Security Objectives (objective [3]: description)

Manage Traffic: Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny.
Protect Traffic Confidentiality: Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement.
Protect Traffic Integrity: Prevent alteration of data in transit; detect altered data in transit.
Ensure Service Resiliency: Promote resilient application and security services for continuous operation as the technology and threat landscape evolve.
Ensure Effective Response: Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures.

[3] The term "traffic" in the TIC objectives refers to network traffic or data in transit between trust zones or stored at either or both trust zones.

The TIC security objectives can be mapped to the five functions of the National Institute of Standards and
Technology (NIST) Cybersecurity Framework (CSF) [4]: Identify, Protect, Detect, Respond, and Recover.
The relationship between the CSF and the TIC security objectives is depicted in Figure 2. In addition, each
TIC security capability is mapped to NIST CSF categories in the Security Capabilities Catalog in the
following sections. This mapping will facilitate the development of TIC overlays for several of the more
widely used vendors.

Figure 2: TIC Lens on the Cybersecurity Framework Functions

[4] "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1," National Institute of Standards and Technology (April 2018). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf


4. Security Capabilities List


The capabilities list is composed of two parts.
• Universal Security Capabilities: Enterprise-level capabilities that outline guiding principles for
TIC use cases.
• Policy Enforcement Point Security Capabilities: Network-level capabilities that inform
technical implementation for relevant use cases.
The capabilities are intended to fulfill the TIC objectives outlined in Section 3. The Security Capabilities
Catalog is not intended to be an exhaustive listing, and it does not provide detailed guidance about how to
deploy each capability. The purpose of the Security Capabilities Catalog is to provide goals to be
achieved, not detailed guidance on how to accomplish these goals. As such, the choice of which solution
or solutions to employ is left for each agency to determine, as they balance application and rigor of
security capabilities with their risk tolerance. Security capabilities can be achieved using agency-hosted
solutions, leveraging offerings from vendors, consolidating disparate services into federated options,
employing centralized management tools, or any combination thereof. While the choice of which solution
or solutions to employ is left to the agency based upon their needs, care should be taken to ensure PEP
parity. Once an agency determines that a particular security capability is required to protect their network
or data, the agency needs to make sure that all methods to access that network or data implement that
security capability.
With respect to telemetry, both CISA and the agencies themselves require visibility, both relying on
common data sources. Since visibility requirements will often align, the same telemetry may be used for
both CISA and agency purposes (if desired) to simplify collection. Whereas previously a 24-hour packet
capture was required, in this iteration of TIC there are no longer any explicit telemetry collection
requirements specified related to duration or timeliness. Agencies remain free to address any unique
telemetry requirements beyond those required by CISA.

4.1 Universal Security Capabilities


Universal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases.
Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use
case. However, certain use cases may provide unique guidance on specific capabilities where necessary.
Agencies have significant discretion regarding how to meet the individual security capability
requirements and address their particular needs. Agencies are free to determine the level of rigor
necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is
expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve
multiple purposes, the selection of an appropriate set of solutions is left to each agency.


Table 3 below provides: (1) a list of the universal security capabilities, (2) a description of each
capability, and (3) a mapping of each capability to relevant NIST CSF categories.
Table 3: Universal Security Capabilities (capability: description. NIST CSF mapping)

Backup and Recovery: Keeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption. NIST CSF: ID.BE, PR.IP, PR.DS, RS.MI, RC.RP
Central Log Management with Analysis: Collecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery of and response to malicious activity. NIST CSF: ID.AM, PR.PT, DE.AE, RS.AN
Configuration Management: Implementing a formal plan for documenting and managing changes to the environment and for monitoring for deviations, preferably automated. NIST CSF: ID.BE, PR.DS, PR.IP, PR.MA
Incident Response Plan and Incident Handling: Documenting and implementing a set of instructions, procedures, or technical capabilities to sense and detect, respond to, and limit the consequences of malicious cyberattacks, and to restore the integrity of the network and associated systems. NIST CSF: ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI
Inventory: Developing, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. NIST CSF: ID.AM, PR.AC, PR.DS, PR.IP
Least Privilege: Designing the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function. NIST CSF: ID.AM, PR.AC, PR.IP, PR.PT, DE.CM
Secure Administration: Performing administrative tasks in a secure manner, using secure protocols. NIST CSF: PR.MA
Strong Authentication: Verifying the identity of users, devices, or other entities through rigorous means (e.g. multi-factor authentication) before granting access. NIST CSF: PR.AC
Time Synchronization: Coordinating clocks on all systems (e.g. servers, workstations, network devices) to enable accurate comparison of timestamps between systems. NIST CSF: PR.IP
Vulnerability Management: Proactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities. NIST CSF: ID.RA, PR.IP, DE.AE, DE.CM, DE.DP
Patch Management: Identifying, acquiring, installing, and verifying patches for products and systems. NIST CSF: ID.AM, PR.IP, PR.MA
Auditing and Accounting: Capturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. The design of the auditing system should take insider threat into consideration, including tracking of separation-of-duties violations, such that insider abuse or misuse can be detected. NIST CSF: ID.SC, PR.AC, PR.PT
Resilience: Ensuring that systems, services, and protections maintain acceptable performance under adverse conditions. NIST CSF: ID.BE, PR.PT
Enterprise Threat Intelligence: Obtaining threat intelligence from private and government sources and implementing mitigations for the identified risks. NIST CSF: ID.RA, DE.AE, DE.CM, DE.DP
Situational Awareness: Maintaining effective awareness, both current and historical, across all components. NIST CSF: ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO
Dynamic Threat Discovery: Using dynamic approaches (e.g. heuristics, baselining) to discover new malicious activity. NIST CSF: ID.RA, DE.AE, DE.CM, DE.DP
Policy Enforcement Parity: Consistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used. NIST CSF: PR.DS, PR.IP, PR.MA
Effective Use of Shared Services: Employing shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and that offer effective protections for tenants against malicious actors, both external and internal to the service provider. NIST CSF: ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO
Integrated Desktop, Mobile, and Remote Policies: Defining policies such that they apply to a given agency entity no matter its location. NIST CSF: ID.AM, PR.AC, PR.DS, PR.IP, PR.MA
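Central Log Management with Analysis and Time Synchronization in Table 3 are easiest to see together, because cross-source analysis only works once telemetry from different devices sits on one clock. The following Python is an added example, not code from the catalog or from CISA: it parses two constructed log formats (a firewall writing local time with a UTC offset, a proxy writing UTC), normalises both to timezone-aware UTC timestamps, and correlates them to find a host that was denied by the firewall and then reached the same destination through the proxy. The host names, addresses and log layouts are invented for the illustration.

```python
"""Added example (not from the TIC catalog): central log collection with
timestamp normalisation and a simple cross-source correlation.

Two constructed sources: a firewall logging in local time with a UTC
offset, and a web proxy logging in UTC (ISO 8601). Every host name,
address and line below is made up for this illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry.
FIREWALL_LOG = [
    "Jul 14 2020 09:15:02 -0400 fw1 DENY src=10.1.2.3 dst=203.0.113.9 dport=443",
    "Jul 14 2020 09:15:07 -0400 fw1 ALLOW src=10.1.2.3 dst=198.51.100.20 dport=443",
]
PROXY_LOG = [
    '2020-07-14T13:15:05Z proxy1 10.1.2.3 "GET https://203.0.113.9/update.bin" 200',
    '2020-07-14T13:40:00Z proxy1 10.1.2.4 "GET https://www.example.gov/" 200',
]

FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<host>\S+) "
    r"(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$'
)


def parse_firewall(line):
    """Firewall line -> normalised event with an aware UTC timestamp, or None."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "firewall", "src": m["src"],
            "dst": m["dst"], "action": m["action"]}


def parse_proxy(line):
    """Proxy line -> normalised event; destination reduced to the URL host."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
    return {"ts": ts, "source": "proxy", "src": m["src"],
            "dst": host, "action": m["method"]}


def normalise(fw_lines, proxy_lines):
    """One UTC-ordered timeline across both sources (the 'data fusion' step)."""
    events = [e for e in map(parse_firewall, fw_lines) if e]
    events += [e for e in map(parse_proxy, proxy_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=60)):
    """A host denied by the firewall that reaches the same destination through
    the proxy shortly afterwards. Returns (src, dst, seconds_between) tuples."""
    findings = []
    for d in events:
        if d["source"] != "firewall" or d["action"] != "DENY":
            continue
        for p in events:
            if p["source"] != "proxy" or p["src"] != d["src"] or p["dst"] != d["dst"]:
                continue
            delta = p["ts"] - d["ts"]
            if timedelta(0) <= delta <= window:
                findings.append((d["src"], d["dst"], int(delta.total_seconds())))
    return findings


def naive_gap_seconds(fw_line, proxy_line):
    """The same pair of lines compared without honouring the UTC offset: the
    4-hour skew swamps the real 3-second gap, and correlation would miss it."""
    fw_local = FW_RE.match(fw_line)["ts"].rsplit(" ", 1)[0]
    fw_naive = datetime.strptime(fw_local, "%b %d %Y %H:%M:%S")
    px_naive = datetime.strptime(PROXY_RE.match(proxy_line)["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return int(abs((px_naive - fw_naive).total_seconds()))


if __name__ == "__main__":
    timeline = normalise(FIREWALL_LOG, PROXY_LOG)
    for src, dst, secs in correlate(timeline):
        print(f"{src} denied to {dst} by firewall, reached it via proxy {secs}s later")
    print("apparent gap without clock normalisation:",
          naive_gap_seconds(FIREWALL_LOG[0], PROXY_LOG[0]), "seconds")
```

The naive_gap_seconds function shows the failure mode the Time Synchronization capability guards against: compared without their offsets, the two events appear four hours apart and no 60-second correlation window would ever join them.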

4.2 Policy Enforcement Point Capabilities


PEP capabilities are network-level capabilities that inform technical implementation for relevant use
cases. In contrast to the universal capabilities, which are expected to apply in each use case, PEP
capabilities may or may not be applicable based on the use case scope. PEP capabilities are divided into
groups around shared themes.
The PEP capability groups listing is not exhaustive. Additional groups may be developed to reflect new
use cases. Each PEP capability group table provides the following: (1) a list of PEP capabilities, (2) a
description of each capability, and (3) a mapping to relevant NIST CSF categories.
The PEP capability groups correspond to the following security functions:
• Files,
• Email,
• Web,
• Networking,
• Resiliency,
• DNS,
• Intrusion detection,
• Enterprise,
• Unified communications and collaboration (UCC), and
• Data Protection.


Table 4: Policy Enforcement Point Security Capabilities for Files (capability: description. NIST CSF mapping)

Anti-malware: Anti-malware protections detect the presence of malicious code and facilitate its quarantine or removal. NIST CSF: PR.DS, PR.PT, DE.CM, DE.DP, RS.MI
Content Disarm & Reconstruction: Content disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal. NIST CSF: PR.PT, DE.CM, DE.DP
Detonation Chamber: Detonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files. NIST CSF: DE.CM, DE.DP, RS.AN, RS.MI
Data Loss Prevention: Data loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data. NIST CSF: PR.DS

Table 5: Policy Enforcement Point Security Capabilities for Email (capability: description. NIST CSF mapping)

Anti-phishing Protections: Anti-phishing protections detect instances of phishing and prevent users from accessing them. NIST CSF: PR.AT, PR.PT, DE.CM
Anti-SPAM Protections: Anti-SPAM protections detect and quarantine instances of SPAM. NIST CSF: PR.PT, DE.CM
Authenticated Received Chain: Authenticated Received Chain allows an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary's authentication even if the email was changed in transit. NIST CSF: PR.AC
Data Loss Prevention: Data loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data. NIST CSF: PR.DS
DMARC for Incoming Email: DMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489. NIST CSF: PR.PT, PR.IP
DMARC for Outgoing Email: DMARC protections facilitate the authentication of outgoing email by signing the emails (DKIM) and publishing the records (SPF and a DMARC policy) that let external parties validate the email signatures and sending sources. The DMARC email authentication protocol is defined in RFC 7489. NIST CSF: PR.PT, PR.IP
Encryption for Email Transmission: Email services are configured to use encrypted connections, when possible, for communications between clients and other email servers. NIST CSF: PR.PT, PR.DS
Malicious URL Protections: Malicious URL protections detect malicious URLs in emails and prevent users from accessing them. NIST CSF: PR.PT, DE.CM
URL Click-Through Protection: URL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access. NIST CSF: PR.PT, DE.CM
NCPS E3A Protections: NCPS E3A is an intrusion prevention capability, provided by DHS, that includes an email filtering security service. NIST CSF: PR.PT, DE.CM
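Table 5 names DMARC on both the receiving and the sending side. What a receiving PEP actually does with RFC 7489 is shown in the following added example (Python, not code from the catalog or from CISA): it parses a published DMARC record, checks SPF and DKIM identifier alignment under the record's aspf and adkim modes, falls back to the organizational domain's record for subdomain senders, and applies p=, sp= and pct= to reach a disposition. DNS is simulated with a dict, the organizational-domain rule is simplified to the last two labels (an assumption stated in the code; real implementations derive it from the Public Suffix List), and all domains, records and authentication results are constructed.

```python
"""Added example (not from the TIC catalog): receiver-side DMARC evaluation
per RFC 7489. DNS is simulated with a dict; all domains, records and
authentication results are constructed for this illustration.
"""

# Constructed stand-in for TXT lookups at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.gov": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "pct=100; rua=mailto:dmarc-reports@example.gov"),
    "_dmarc.pilot.example": "v=DMARC1; p=reject; pct=50",
}

# Next-less-severe action, applied to failing messages outside the pct sample.
LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt):
    """'v=DMARC1; p=reject; ...' -> tag dict with the RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Assumption for this example: organizational domain = last two labels.
    Production code must derive it from the Public Suffix List (RFC 7489 sect. 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def find_policy(header_from, dns):
    """Record at the From domain, else at its organizational domain.
    Returns (tags or None, True if the org-domain record was used)."""
    txt = dns.get(f"_dmarc.{header_from.lower()}")
    if txt:
        return parse_dmarc_record(txt), False
    org = org_domain(header_from)
    if org != header_from.lower() and dns.get(f"_dmarc.{org}"):
        return parse_dmarc_record(dns[f"_dmarc.{org}"]), True
    return None, False


def evaluate(header_from, spf, dkim, dns, sampled=True):
    """Disposition for one message.
    spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    sampled: whether this message fell inside the record's pct sample.
    Returns 'pass' (authenticated and aligned) or 'none'/'quarantine'/'reject'."""
    policy, from_org_record = find_policy(header_from, dns)
    if policy is None:
        return "none"              # no DMARC policy published for this domain
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(header_from, d, policy["adkim"])
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain senders get sp= if the org record publishes one, otherwise p=.
    action = policy.get("sp", policy["p"]) if from_org_record else policy["p"]
    if int(policy["pct"]) < 100 and not sampled:
        action = LOWER[action]
    return action


# Constructed messages: (description, header From domain, SPF, DKIM results).
MESSAGES = [
    ("legit, SPF aligned under relaxed mode", "example.gov",
     ("pass", "bounce.example.gov"), [("fail", "example.gov")]),
    ("spoof: SPF passes for attacker domain, DKIM d= not strict-aligned", "example.gov",
     ("pass", "attacker.example"), [("pass", "mail.example.gov")]),
    ("subdomain sender, nothing authenticates", "news.example.gov",
     ("fail", "news.example.gov"), []),
    ("domain without a record", "nodmarc.example", ("fail", ""), []),
]

if __name__ == "__main__":
    for desc, frm, spf, dkim in MESSAGES:
        print(f"{frm:20} {evaluate(frm, spf, dkim, DNS_TXT):10} {desc}")
```

The second constructed message is the case DMARC exists for: SPF passes, but for the attacker's own MAIL FROM domain, and the DKIM signature is from a different subdomain than the From header, so under adkim=s nothing aligns and the record's p=reject applies. The outgoing-side capability in Table 5 is the mirror image: publishing the record that this code consumes and DKIM-signing so that aligned identifiers exist to be checked.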

Table 6: Policy Enforcement Point Security Capabilities for Web

Web PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

Break and Inspect: Break-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final destination. [NIST CSF: PR.PT, DE.CM]

Active Content Mitigation: Active content mitigation protections detect the presence of unapproved active content and facilitate its removal. [NIST CSF: PR.PT, DE.CM]

Certificate Denylisting: Certificate denylisting protections prevent communication with entities that use a set of known bad certificates. [NIST CSF: PR.PT, DE.CM]

Content Filtering: Content filtering protections detect the presence of unapproved content and facilitate its removal or denial of access. [NIST CSF: PR.PT, DE.CM, DE.DP]

Authenticated Proxy: Authenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls. [NIST CSF: PR.AC]

Data Loss Prevention: Data loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data. [NIST CSF: PR.DS]

DNS-over-HTTPS Filtering: DNS-over-HTTPS filtering prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections. [NIST CSF: PR.PT, DE.CM]

RFC Compliance Enforcement: RFC compliant enforcement technologies ensure that traffic complies with protocol definitions. [NIST CSF: PR.PT]

Domain Category Filtering: Domain category filtering technologies allow for classes of domains (e.g. banking, medical) to receive a different set of security protections. [NIST CSF: PR.AC, PR.IP]

Domain Reputation Filter: Domain reputation filtering protections are a form of domain denylisting based on a domain's reputation, as defined by either the agency or an external entity. [NIST CSF: PR.PT]

Bandwidth Control: Bandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains. [NIST CSF: PR.PT]

Malicious Content Filtering: Malicious content filtering protections detect the presence of malicious content and facilitate its removal. [NIST CSF: PR.DS, PR.PT, DE.CM]

Access Control: Access control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities. [NIST CSF: PR.AC]
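The Web PEP capabilities above interact: the proxy only sees plaintext for traffic it breaks and inspects, and a domain category exempt from inspection never exposes its content type. The following Python sketch of a proxy decision function is an added example, not CISA's or any vendor's code; the category table, the certificate denylist built from constructed DER bytes, and the host names are assumptions made for the illustration. It applies the checks in the order the data becomes visible to the proxy: authentication first, the server certificate (visible in the TLS handshake) next, then the category decision, and DNS-over-HTTPS filtering only on traffic that is actually decrypted.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data for the example (assumptions, not values from the
# catalog). A real deployment would load these from agency or external feeds.
DOMAIN_CATEGORIES = {
    "bank.example": "banking",
    "clinic.example": "medical",
    "news.example": "news",
}
# Categories whose traffic is passed through without decryption.
NO_INSPECT_CATEGORIES = {"banking", "medical"}
# RFC 8484 media type for DNS-over-HTTPS messages; only visible after decryption.
DOH_CONTENT_TYPE = "application/dns-message"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the usual denylist key."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-in for a known-bad certificate; a real denylist holds
# fingerprints of actual DER certificates.
KNOWN_BAD_CERT_DER = b"constructed-bad-certificate-bytes"
CERT_DENYLIST = {cert_fingerprint(KNOWN_BAD_CERT_DER)}


@dataclass(frozen=True)
class ProxiedRequest:
    user: Optional[str]        # None when the client never authenticated to the proxy
    host: str                  # SNI / Host header
    server_cert_der: bytes     # certificate presented by the origin server
    content_type: str = ""     # only meaningful when the proxy breaks and inspects


def categorize(host: str) -> str:
    """Match the host or any parent domain against the category table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decide(req: ProxiedRequest) -> Tuple[str, str]:
    """Apply the Web PEP checks in the order the data becomes visible."""
    # Authenticated proxy: identity is required before any other control applies.
    if not req.user:
        return ("deny", "client did not authenticate to the proxy")
    # Certificate denylisting: the server certificate is visible in the TLS
    # handshake, so this runs before any decryption decision.
    if cert_fingerprint(req.server_cert_der) in CERT_DENYLIST:
        return ("deny", "server presented a denylisted certificate")
    # Domain category filtering: exempt classes are never decrypted, so their
    # content type is unknown to the proxy and no plaintext checks can apply.
    category = categorize(req.host)
    if category in NO_INSPECT_CATEGORIES:
        return ("allow-without-inspection", f"{category} traffic is passed through encrypted")
    # Break and inspect: the remaining traffic is decrypted, so DNS-over-HTTPS
    # filtering can key on the decrypted message type.
    if req.content_type.lower() == DOH_CONTENT_TYPE:
        return ("deny", "DNS-over-HTTPS would bypass the DNS-based protections")
    return ("allow-with-inspection", f"{category} traffic inspected in plaintext")
```

The category lookup walks parent domains so that a policy on `bank.example` also covers `online.bank.example`, while `notbank.example` stays uncategorized because matching happens on label boundaries rather than substrings.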

Table 7: Policy Enforcement Point Security Capabilities for Networking

Networking PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

Access Control: Access control protections prevent the ingest, egress, or transiting of unauthorized network traffic. [NIST CSF: PR.AC, PR.IP, DE.CM]

IP Denylisting: IP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address. [NIST CSF: PR.PT, DE.CM]

Host Containment: Host containment protections enable a network to revoke or quarantine a host's access to the network. [NIST CSF: PR.AC, PR.IP, PR.PT]

Network Segmentation: Network segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network. [NIST CSF: PR.AC]

Microsegmentation: Microsegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data. [NIST CSF: PR.AC, PR.DS, PR.IP, PR.PT]
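To show how the networking capabilities in Table 7 combine at a single enforcement point, here is an added Python flow evaluator; it is an example written for this page, not CISA code or an agency architecture. The segments, the allowed inter-segment flows, and the denylisted ranges are constructed from private and documentation address space. The evaluation order matters: a contained host is denied regardless of any rule, an IP denylist match is denied next, and only then is the segment-to-segment access control policy consulted, with a default deny for anything not explicitly allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed network segments (assumptions for the example).
SEGMENTS = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
}
# Access control between segments as (source, destination, TCP port).
# Anything not listed is denied, including user-lan straight to db-tier.
ALLOWED_FLOWS = {
    ("user-lan", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
    ("user-lan", "external", 443),
}
# IP denylist (constructed entries from documentation ranges).
IP_DENYLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]
# Host containment: addresses whose network access has been revoked.
QUARANTINED_HOSTS = set()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def segment_of(ip) -> str:
    """Name the segment an address belongs to; unknown space is 'external'."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def is_denylisted(ip) -> bool:
    return any(ip in net for net in IP_DENYLIST)


def quarantine(host: str) -> None:
    """Host containment: revoke a host's access until it is released."""
    QUARANTINED_HOSTS.add(ipaddress.ip_address(host))


def release(host: str) -> None:
    QUARANTINED_HOSTS.discard(ipaddress.ip_address(host))


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for a single flow crossing the PEP."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in QUARANTINED_HOSTS or dst in QUARANTINED_HOSTS:
        return ("deny", "host is contained")
    if is_denylisted(src) or is_denylisted(dst):
        return ("deny", "denylisted address")
    s, d = segment_of(src), segment_of(dst)
    if s == "external" and d == "external":
        return ("deny", "neither endpoint is in an agency segment")
    if s == d:
        # Segmentation enforces controls between segments; microsegmentation
        # would push this same check down to individual workloads.
        return ("allow", f"intra-segment traffic within {s}")
    if (s, d, flow.dst_port) in ALLOWED_FLOWS:
        return ("allow", f"{s} -> {d} on port {flow.dst_port} permitted")
    return ("deny", f"no rule permits {s} -> {d} on port {flow.dst_port}")
```

Because `ipaddress` objects compare by version as well as value, an IPv6 source is simply not a member of any of the IPv4 networks above and lands in `external`, which is the safe default for a policy written only for IPv4 segments.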

Table 8: Policy Enforcement Point Security Capabilities for Resiliency

Resiliency PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

DDoS Protections: DDoS protections mitigate the effects of distributed denial of service attacks. [NIST CSF: PR.PT]

Elastic Expansion: Elastic expansion enables agencies to dynamically expand the resources available for services as conditions require. [NIST CSF: ID.AM, PR.DS]

Regional Delivery: Regional delivery technologies enable the deployment of agency services across geographically diverse locations. [NIST CSF: ID.AM, PR.AC, PR.DS]

Table 9: Policy Enforcement Point Security Capabilities for DNS

DNS PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

DNS Sinkholing: DNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains. [NIST CSF: PR.PT]

DNSSEC for Agency Clients: DNSSEC protections ensure that domain name lookups from agency clients, whether for internal or external domains, are validated. [NIST CSF: PR.PT]

DNSSEC for Agency Domains: DNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution of the domain names. [NIST CSF: PR.PT]

NCPS E3A DNS Protections: NCPS E3A is an intrusion prevention capability, provided by DHS, that includes a DNS Sinkholing security service. [NIST CSF: PR.PT]
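The DNS sinkholing entry in Table 9 describes the mechanism in one sentence: the resolver answers queries for denylisted domains itself instead of forwarding them. The Python resolver below is an added example of that logic, not CISA's or any product's implementation; the denylist, the upstream answers and the sinkhole address are constructed. Two details a practitioner cares about are built in: denylist matching happens on label boundaries (so `notmalicious.example` is not caught by an entry for `malicious.example`, but `evil.malicious.example` is), and non-A query types for a sinkholed name get an empty successful answer so a client cannot reach the real host over IPv6 when only the A record is sinkholed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed denylist and upstream answers (assumptions, not real indicators).
DENYLIST = {"malicious.example", "bad-cdn.example.net"}
UPSTREAM_ANSWERS = {"intranet.agency.example": "203.0.113.10"}
# Internal, non-routable address that answers sinkholed names; a listener
# there records which clients attempted to connect.
SINKHOLE_ADDRESS = "10.255.255.1"


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def is_denylisted(name: str, denylist: Set[str] = DENYLIST) -> bool:
    """True if the name or any parent domain is on the denylist."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))


@dataclass
class SinkholeResolver:
    denylist: Set[str] = field(default_factory=lambda: set(DENYLIST))
    # Stand-in for the real upstream resolver the PEP would forward to.
    upstream: Dict[str, str] = field(default_factory=lambda: dict(UPSTREAM_ANSWERS))
    # Sinkhole hits are the telemetry the SOC acts on: (client, name, qtype).
    hits: List[Tuple[str, str, str]] = field(default_factory=list)

    def resolve(self, client: str, name: str, qtype: str = "A") -> dict:
        qname = normalize(name)
        if is_denylisted(qname, self.denylist):
            self.hits.append((client, qname, qtype))
            # Only A queries receive the sinkhole address. AAAA, TXT and other
            # types get an empty NOERROR answer so the client neither reaches
            # the real host over IPv6 nor learns anything else about it.
            answers = [SINKHOLE_ADDRESS] if qtype == "A" else []
            return {"name": qname, "qtype": qtype, "rcode": "NOERROR",
                    "answers": answers, "sinkholed": True}
        # Not denylisted: forward to the (stand-in) upstream resolver.
        if qname not in self.upstream:
            return {"name": qname, "qtype": qtype, "rcode": "NXDOMAIN",
                    "answers": [], "sinkholed": False}
        answers = [self.upstream[qname]] if qtype == "A" else []
        return {"name": qname, "qtype": qtype, "rcode": "NOERROR",
                "answers": answers, "sinkholed": False}
```

The `hits` list is what makes sinkholing a detection capability as well as a preventive one: each entry names the client that asked, which is the starting point for host containment on the networking side.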

Table 10: Policy Enforcement Point Security Capabilities for Intrusion Detection

Intrusion Detection PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

Endpoint Detection and Response: Endpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity. [NIST CSF: DE.AE, DE.CM, RS.AN]

Intrusion Protection Systems (IPS): Intrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity. [NIST CSF: DE.AE, DE.CM, DE.DP, RS.AN]

Adaptive Access Control: Adaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions. [NIST CSF: PR.AC, DE.CM]

Deception Platforms: Deception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions. [NIST CSF: PR.PT, DE.AE, RS.AN]

Certificate Transparency Log Monitoring: Certificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains. [NIST CSF: DE.CM]
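Certificate transparency log monitoring, the last entry in Table 10, comes down to matching each logged certificate's names against the agency's domains and deciding whether the issuance was expected. The Python review function below is an added example, not CISA code; it assumes an upstream fetcher has already decoded each log entry's leaf certificate into its issuer, fingerprint and DNS names (decoding the raw MerkleTreeLeaf and X.509 structures is outside this snippet), and the agency domains, approved issuer and known fingerprints are constructed. A certificate from an unapproved CA for an agency name is the mis-issuance case the capability exists to catch; a certificate from an approved CA that the agency has no record of still gets an alert, at lower severity.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed agency data (assumptions for the example).
AGENCY_DOMAINS = {"agency.example"}
APPROVED_ISSUERS = {"CN=Agency Approved CA"}
# Fingerprints of certificates the agency knows it requested.
KNOWN_FINGERPRINTS = {"sha256:1111"}


@dataclass(frozen=True)
class CtEntry:
    """A log entry after the leaf certificate has been decoded upstream."""
    log_index: int
    issuer: str
    fingerprint: str
    names: Tuple[str, ...]   # subject CN plus subjectAltName DNS entries


def covers_agency_domain(name: str, domains: Set[str] = AGENCY_DOMAINS) -> bool:
    """True if the name is an agency domain or a subdomain or wildcard of one."""
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]   # a wildcard under agency.example is relevant to the agency
    labels = n.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def review(entries: List[CtEntry],
           known: Set[str] = KNOWN_FINGERPRINTS,
           approved: Set[str] = APPROVED_ISSUERS) -> List[Dict]:
    """Return one alert per agency-relevant certificate the agency did not expect."""
    alerts = []
    for e in entries:
        matched = [n for n in e.names if covers_agency_domain(n)]
        if not matched:
            continue           # certificate is for someone else's domain
        if e.fingerprint in known:
            continue           # the agency requested this one; nothing to report
        alerts.append({
            "log_index": e.log_index,
            "names": matched,
            "issuer": e.issuer,
            "fingerprint": e.fingerprint,
            "severity": "high" if e.issuer not in approved else "medium",
        })
    return alerts


# Constructed sample entries; a real feed would come from the CT log API.
SAMPLE_ENTRIES = [
    CtEntry(100, "CN=Agency Approved CA", "sha256:1111", ("www.agency.example",)),
    CtEntry(101, "CN=Agency Approved CA", "sha256:2222",
            ("login.agency.example", "sso.agency.example")),
    CtEntry(102, "CN=Some Other CA", "sha256:3333",
            ("*.agency.example", "agency-example.com")),
    CtEntry(103, "CN=Some Other CA", "sha256:4444", ("agencyexample.com",)),
]
```

Name matching is done on label boundaries, so the look-alike `agencyexample.com` in entry 103 produces no alert; look-alike domains are a domain reputation or deception question rather than a CT monitoring one. Once an alert is triaged as legitimate, adding its fingerprint to the known set silences it on the next run.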

Table 11: Policy Enforcement Point Security Capabilities for Enterprise

Enterprise PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

Security Orchestration, Automation, and Response (SOAR): Security Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents. [NIST CSF: DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP]

Shadow IT Detection: Shadow IT detection systems detect the presence of unauthorized software and systems in use by an agency. [NIST CSF: PR.IP, PR.MA, DE.CM]

Virtual Private Network (VPN): Virtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks. [NIST CSF: PR.AC, PR.DS, PR.IP, PR.MA, PR.PT]

Table 12: Policy Enforcement Point Security Capabilities for Unified Communications and Collaboration

Unified Communications and Collaboration (UCC) PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

UCC Identity Verification: Identity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting, can also be utilized. [NIST CSF: PR.AC]

UCC Encrypted Communication: Communication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor. [NIST CSF: PR.PT, PR.DS]

UCC Connection Termination: Mechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits. [NIST CSF: PR.AC, PR.IP, PR.AT]

UCC Data Loss Prevention: Mechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters. [NIST CSF: PR.DS]

Table 13: Policy Enforcement Point Security Capabilities for Data Protection

Data Protection PEP Security Capabilities (each entry gives the capability, its description, and its NIST CSF mapping)

Access Control: Access control technologies allow an agency to define policies concerning the allowable activities of users and entities to data and resources. [NIST CSF: PR.AC, PR.IP, DE.CM]

Protections for Data at Rest: Data protection at rest aims to secure data stored on any device or storage medium. [NIST CSF: PR.DS]

Protections for Data in Transit: Data protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network. [NIST CSF: PR.DS]

Data Loss Prevention: Data loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data. [NIST CSF: PR.DS]

Data Access and Use Telemetry: Identify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data. [NIST CSF: ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM]
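The Data Loss Prevention entry in Table 13 and the UCC Data Loss Prevention entry in Table 12 describe the same control at different points, and the UCC entry names the concrete mechanisms: keyword matching, attachment file type prohibitions and attachment size limits. The Python check below is an added example covering both entries; it is not CISA's or any UCC vendor's code, and the markings, blocked extensions and size limit in the policy are constructed. It shows the two details that make keyword DLP usable in practice: terms are matched on word boundaries so that a marking like "CUI" does not fire on "cuisine", and an attachment is judged by its final extension so that "report.pdf.exe" is treated as an executable.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DlpPolicy:
    keywords: Set[str]             # markings or terms that must not leave the meeting
    blocked_extensions: Set[str]   # attachment types prohibited outright
    max_attachment_bytes: int


# Constructed policy values (assumptions for the example).
POLICY = DlpPolicy(
    keywords={"CUI", "CONTROLLED UNCLASSIFIED", "FOR OFFICIAL USE ONLY"},
    blocked_extensions={".exe", ".js", ".vbs", ".ps1"},
    max_attachment_bytes=25 * 1024 * 1024,
)


@dataclass(frozen=True)
class Share:
    """One chat message or file share between UCC participants."""
    sender: str
    text: str = ""
    attachment_name: Optional[str] = None
    attachment_bytes: int = 0


def keyword_pattern(keywords: Set[str]) -> "re.Pattern":
    # Longest alternatives first so multi-word terms win over their prefixes;
    # the look-arounds require the term to stand alone, so "CUI" does not
    # match inside "cuisine".
    alts = "|".join(re.escape(k) for k in sorted(keywords, key=len, reverse=True))
    return re.compile(rf"(?<![A-Za-z0-9])(?:{alts})(?![A-Za-z0-9])", re.IGNORECASE)


def evaluate(share: Share, policy: DlpPolicy = POLICY) -> Dict:
    """Return allow/block with the reasons, suitable for logging and for the SOC."""
    reasons: List[str] = []
    hits = sorted({m.group(0).upper()
                   for m in keyword_pattern(policy.keywords).finditer(share.text)})
    if hits:
        reasons.append("keyword match: " + ", ".join(hits))
    if share.attachment_name:
        # splitext returns the final suffix, so "report.pdf.exe" yields ".exe".
        ext = os.path.splitext(share.attachment_name.lower())[1]
        if ext in policy.blocked_extensions:
            reasons.append(f"prohibited attachment type {ext}")
        if share.attachment_bytes > policy.max_attachment_bytes:
            reasons.append(f"attachment of {share.attachment_bytes} bytes exceeds "
                           f"the {policy.max_attachment_bytes} byte limit")
    return {"sender": share.sender,
            "action": "block" if reasons else "allow",
            "reasons": reasons}
```

Every reason is recorded rather than stopping at the first one, because the telemetry entry in Table 13 calls for detailed logging of access to sensitive data, and an analyst reviewing a blocked share wants the complete picture, not just the first rule that tripped.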

5. Conclusion
This document lists the TIC security capabilities. TIC use cases will reference capabilities from this
catalog and will provide guidance on how to deploy these capabilities within the context of a unique use
case. TIC overlays will provide mappings from these capabilities to vendor-specific tools and services.
Over time, this catalog will be updated and will be informed by TIC pilot activities, TIC use cases,
emerging technologies, and threat insight.


Appendix A – Glossary and Definitions


Boundary: A notional concept that describes the perimeter of a zone (e.g. mobile device services, general
support system (GSS), Software-as-a-Service (SaaS), agency, etc.) within a network architecture. The
bounded area must have an information technology (IT) utility.
Internet: The internet is discussed in two capacities throughout TIC documentation:
1. A means of data and IT traffic transport.
2. An environment used for web browsing purposes, referred to as “Web.”
Managed Trusted Internet Protocol Services (MTIPS): Services under GSA’s Enterprise
Infrastructure Solutions (EIS) contract vehicle that provide TIC solutions to government clients as a
managed security service. It is of note that the EIS contract is replacing the GSA Networx contract
vehicle that is set to close out by Fiscal Year (FY) 2023.
Management Entity (MGMT): A notional concept of an entity that oversees and controls security
capabilities. The entity can be an organization, network device, tool, service, or application. The entity
can control the collection, processing, analysis, and display of information collected from the policy
enforcement points (PEPs), and it allows IT professionals to control devices on the network.
National Cyber Protection System (NCPS): An integrated system-of-systems that delivers a range of
capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing
capabilities that defend the civilian Federal Government's information technology infrastructure from
cyber threats. The NCPS capabilities, operationally known as EINSTEIN, are one of several tools and
capabilities that assist in federal network defense.
Policy Enforcement Point (PEP): A security device, tool, function, or application that enforces security
policies through technical capabilities.
Policy Enforcement Point Security Capabilities: Network-level capabilities that inform technical
implementation for relevant use cases.
Reference Architecture (RA): An authoritative source of information about a specific subject area that
guides and constrains the instantiations of multiple architectures and solutions.
Risk Management: The program and supporting processes to manage information security risk to
organizational operations (including mission, functions, image, reputation), organizational assets,
individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related
activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Risk Tolerance: The level of risk or degree of uncertainty that is acceptable to organizations and is a key
element of the organizational risk frame. An organization's risk tolerance level is the amount of corporate
data and systems that can be risked to an acceptable level.
Security Capability: A combination of mutually-reinforcing security controls (i.e., safeguards and
countermeasures) implemented by technical means (i.e., functionality in hardware, software, and
firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e.,
procedures performed by individuals). Security capabilities help to define protections for information
being processed, stored, or transmitted by information systems.
Security Pattern: Description of an end-to-end data flow between two trust zones. Security patterns may
have an associated set of security capabilities or guidance to secure the data flow along with one or more
of the zones.
Seeking Service Agency (SSA): An agency that obtains TIC services through an approved Multi-Service
TICAP.


Security Information and Event Management (SIEM): An approach to security management that
combines SIM (security information management) and SEM (security event management) functions into
one security management system.
Telemetry: Artifacts derived from security capabilities that provide visibility into security posture.
TIC: The term “TIC” is used throughout the Federal Government to denote different aspects of the TIC
initiative; including the overall TIC program, a physical TIC access point (also known as a Traditional
TIC), and a TIC Access Provider (TICAP – see below). This document refers to TIC as an adjective or as
the Trusted Internet Connections initiative.
TIC Access Point: The physical location where a federal civilian agency consolidates its external
connections and has security controls in place to secure and monitor the connections.
TIC Access Provider (TICAP): An agency or vendor that manages and hosts one or more TIC access
points. Single Service TICAPs serve as a TIC Access Provider only to their own agency. Multi-Service
TICAPs also provide TIC services to other agencies through a shared services model.
TIC Initiative: Program established to optimize and standardize the security of individual external
network connections currently in use by the Federal Government, to include connections to the internet.
Key stakeholders include CISA, OMB, and GSA.
TIC Overlay: A mapping from products and services to TIC security capabilities.
TIC Use Case: Guidance on the secure implementation and/or configuration of specific platforms,
services, and environments. A TIC use case contains a conceptual architecture, one or more security
pattern options, security capability implementation guidance, and CISA telemetry guidance for a common
agency computing scenario.
Trust Zone: A discrete computing environment designated for information processing, storage, and/or
transmission that dictates the level of security necessary to protect the traffic transiting in and out of a
zone and/or the information within the zone.
Unified Communications and Collaboration (UCC): A collection of solutions designed to facilitate
communication and collaboration, including in real-time, such as required by remote work or
collaboration between locations.
Universal Security Capabilities: Enterprise-level capabilities that outline guiding principles for TIC use
cases.
Web: An environment used for web browsing purposes. Also see Internet.
Zero Trust: A security model based on the principle of maintaining strict access controls and not trusting
anyone by default, even those already inside the network perimeter.
