This repository has been archived by the owner on Aug 1, 2020. It is now read-only.

Public comment from Cisco Systems Inc. #10

Open
GrimtHabtemariam opened this issue Feb 4, 2020 · 0 comments


Cisco appreciates the opportunity to provide comments on the Department of Homeland Security’s Trusted Internet Connection (TIC 3.0) draft guidance. We proudly support numerous Federal Agencies as they modernize their IT architectures and infrastructures for the next-generation digital world. From an overall view of the draft documents, we recommend the following considerations be addressed:

  • As agencies adopt cloud environments, often leveraging multiple Cloud Service Providers and all three cloud service models; as more devices, more users and more applications are on our networks; and as the threats continue to grow: the need for an architectural approach, driven by core Zero Trust principles, with integrated, dynamic security has never been stronger. The entire extended network needs to be leveraged as an asset to provide policy, enforcement, and quality of service across branches, campuses, WANs, data centers, and clouds.
  • Agencies are held accountable to an overwhelming number of programs. To simplify Agencies’ effort to meet data feed requirements of TIC, as well as that of CDM and FedRAMP, data feed requirements should be mapped and matched as close as possible.
  • Threat detection and response needs to be fast, automated and as close to the edge as possible; the NCPS system will be valuable to correlate information across government but will not likely be able to react to threats as quickly as needed. It is particularly critical that TIC 3.0 efforts evolve as the increasingly rapid movement to the edge accelerates with IoT usage over the next several years.

The ideal TIC 3.0 architecture will ensure a seamless user experience across all deployment models and use cases. It must help Federal Agencies adopt modern digital architectures with effective, integrated security to more effectively fulfill their mission as AI/ML capabilities fundamentally transform the speed, scale and effectiveness of modern networked solutions. Increasing use of the cloud, soon to be supplemented by increased use of IoT edge solutions, requires the continued evolution of TIC 3.0 approaches and architectures.
Federal Agencies also need to be given the flexibility to take risk-informed approaches and implement controls that allow them to have convenient access and securely run the applications they want and have access to the data they need - no matter where users, data or applications reside. Federal Agencies will increasingly deploy AI/ML-enabled tools and capabilities that work together to effectively provide the needed telemetry and threat protection. An automated IT architecture, that can leverage these technological advances, will provide the performance and security responsiveness needed to increase capabilities while lowering costs.
While implementing these evolving security capabilities may be daunting to a Federal Agency, a lack of a unified, end-to-end security approach increases risks to organizations. Taking an integrated networking and security approach ensures the right level of access to the right users and applications across the multicloud deployment models envisioned by the TIC 3.0 guidance. This same integrated security architectural approach must also be applied to edge deployment models that are increasingly enabling Federal Agencies to better support citizens and achieve greater mission and business outcomes.

Cisco applauds the goals of the TIC 3.0 program and would like to provide the following comments aligned to each document that is part of the draft guidance:

Volume 1 – Program Guide Book

  • What was piloted & examined during the interagency working groups facilitated by OMB, CISA, and GSA during the policy update effort? Will this information be made public? Were these pilots used to down-select the 4 use cases published in the OMB memo and seen by the working group as most common & prevalent?
  • What is the TIC PMO guidance on ongoing feedback? How is industry to engage & submit? Is this to be done in conjunction with an agency pilot or is it to be done directly with the TIC PMO?
  • CISA should consider an additional volume that provides further guidance and outlines a high-level example of how an agency could approach DHS’s TIC, NCPS, and CDM programs, such as, but not limited to: meeting all requirements for each (understood that there will be variance, in particular with TIC, due to agency risk tolerance), how each program complements & supports the others, common capabilities that could avoid duplication of similar solutions for each program, etc.
  • How does the TIC PMO intend to maintain the Security Overlay information? Will the TIC PMO allow the list to be publicly available (similar to the CDM APL)?

Volume 2 – Reference Architecture
No comments

Volume 3 – Security Capabilities Handbook

  • Agencies may find multiple vendor solutions that satisfy their security needs and mission objectives; however, industry solutions in many cases may have overlapping functions that can induce latency and duplication of controls, which could affect user/system performance. An integrated architecture within a multi-vendor environment enables the tools and capabilities that are deployed to work together to provide the protections and telemetry needed while not impeding performance.
  • The Universal Capabilities outlined in Table 2 are complete and look to cover all aspects of securing the systems and data of the agencies. It could be considered that the last item, Integrated Desktop, Mobile, and Remote Policies, is likely the most important. Ensuring a seamless user experience through the TIC architecture while on-site, in a branch, over VPN, or mobile will not only increase the ease of use but also decrease operational expenditures when collecting telemetry and/or diagnosing inconsistencies. This tenet should also extend across all deployments and use cases of the TIC.

Volume 4 – Use Cases Handbook

  • Requirements will vary based on user, device, location, application, and risk level. The use case approach captures the diversity of these scenarios and allows for optimization of each.
  • In the branch office use case, CASB could be generalized as secure internet or web gateway to cover non-cloud application scenarios.
  • Branch to an Agency operated IaaS environment is shown in Figure 3 to include VPN connections, but VPNs are not listed as an enterprise service in Table 4. Using SDWAN/VPN connections from the branch to IaaS environment is a common design pattern.

Volume 5 – Service Provider Overlay Handbook

  • We suggest providing further clarification when discussing overlays. Specifically, that there is most likely no 1-to-1 mapping between TIC capabilities and a vendor solution; but rather a more complex mapping. This will mean that some agency needs will require that more than one solution be integrated.
  • Clarification of the term “Service Provider” in Volume 5 and throughout all Volumes is needed. This is important to ensuring that agencies know that in Volume 5 “Service Providers” can mean other providers with solutions that can be integrated to “Cloud Service Provider” capabilities.
  • Under Section 3.1 the “Traditional On-Premise TIC Access Point” column appears to serve as a reference point to map new TIC Security Capabilities outlined in Volume 3 with the traditional TICAP solutions & capabilities. Is this the intention?
  • The new PEP concept will introduce new enforcement points outside of the Traditional TICAP. Is there an area in the Overlay structure that CISA would like vendors to highlight where the PEP for the TIC Security Capability would or could be? (i.e. cloud delivered, on-premise, etc.)
  • Section 4 outlines how the TIC PMO will select which service providers/vendors to work with to develop an overlay. Does the TIC PMO have further guidance on the process and expected timeline? May service providers/vendors reach out to the TIC PMO for consideration?
  • Is the overlay established by the TIC PMO to function as an Approved Product List? I.e. Agencies would not be guided to solutions outside of the TIC PMO established overlays.

Pilot Process Handbook

  • Agencies are being tasked with quite a bit with TIC 3.0 pilots, authorizing vendor FedRAMP offers, and piloting other Federal initiatives such as Zero Trust. Can there be any synergies found or identified here to help lessen the burden on agency resources?
  • How does the TIC PMO intend to facilitate cross-agency collaboration? Will agencies be informed of approved pilots? Are vendors participating in pilots able to speak to other agencies about the contents with the intention of cross-agency collaboration?

NCPS Cloud Reference Architecture

  • An item of consideration is the use of cloud-based security functions available from the industry today. There are current solutions that enable the capture of cloud logs and flow data to detect threats along with providing the needed telemetry.
  • It may be of use to discuss the implementation of cloud-based next-generation firewalls with multi-tenancy to give the security protections along with the data and telemetry separation required. These solutions will also ingest the security insights directly without the need for redirection through the Agency.
  • It is important for any cloud-based solutions leveraged to integrate with other non-cloud-based solutions for policy and security intelligence.

Thank you for the opportunity to provide comments on the Department of Homeland Security’s Trusted Internet Connection (TIC 3.0) draft guidance.

Regards,
Grimt Habtemariam
US Public Sector Strategy
Cisco Systems

g-hsu added a commit that referenced this issue Feb 7, 2020
closing issues #15 #14 #13 #12 #11 #10 #9 #8 #7 #6 #5 for adjudication
g-hsu added a commit that referenced this issue Feb 10, 2020