The purpose of the Trusted Internet Connections (TIC) Initiative, as outlined in OMB Memorandum M-08-05 (PDF, 1 page - 28 KB), is to optimize and standardize the security of individual external network connections currently in use by federal agencies, including connections to the Internet. The initiative will improve the federal government's security posture and incident response capability through the reduction and consolidation of external connections and provide enhanced monitoring and situational awareness of external network connections.
TIC Reference Architecture 2.0
The Department of Homeland Security, in collaboration with federal agencies, developed the Trusted Internet Connections (TIC) Reference Architecture v2.0 which introduces new capabilities and clarifies existing mandatory critical capabilities. In addition to mandatory critical capabilities, the TIC Reference Architecture v2.0 includes recommended capabilities based on evolving technologies and threats.
TIC Strategic Components:
- Reduce and consolidate external access points across the federal enterprise,
- Manage the security requirements for Network and Security Operations Centers (NOC/SOC),
- Establish a compliance program to monitor department and agency adherence to TIC policy (addressed in detail below).
The TIC v2.0 Reference Architecture applies to:
- Agencies designated as TIC Access Providers (TICAPs);
- Commercial carriers designated as Managed Trusted IP Service (MTIPS) providers; and
- All federal executive civilian agencies procuring Networx MTIPS or using TICAP services.
As of September 30, 2012, all executive branch civilian departments and agencies and MTIPS vendors will be assessed on TIC v2.0 Critical Capabilities.
Please e-mail TIC@hq.dhs.gov with any questions
TIC Reference Architecture 2.2
TIC Plan of Action and Milestones
The Office of Management and Budget (OMB) Memo M-09-32 "Update on the Trusted Internet Connections Initiative" outlines agency responsibility to prepare their TIC plan of action and milestones (POA&M) and provide updated status to the Department of Homeland Security every six months. The Department of Defense, Legislative Branch entities, and Judicial Branch entities do not need to submit a TIC POA&M.
The Department of Homeland Security requested all civilian executive departments and agencies, including executive departments, independent establishments, government corporations, and the U.S. Postal Service, update their TIC POA&Ms based on current progress regarding compliance with the TIC initiative.
TIC POA&Ms are now submitted by agencies via the Cyberscope application. For any questions on the Cyberscope POA&M submittal process, please contact TIC@hq.dhs.gov
TIC Historical Information
The Network and Infrastructure Security branch directly supports the goals of the Comprehensive National Cybersecurity Initiative (CNCI). CNCI Initiative One is commonly referred to as the Trusted Internet Connections (TIC) Initiative. The TIC initiative calls for a government-wide "reduction of our external connections, including our Internet points of presence." On November 20, 2007, OMB designated the Department of Homeland Security's Office of Cybersecurity and Communications (CS&C) as the coordinator of the TIC initiative via Memorandum M-08-05 (PDF, 1 page - 28 KB). The Network and Infrastructure Security branch continues the oversight of the TIC initiative.
Milestone #1: Inventory the external connections for your agency
In accordance with M-08-05, all agencies should identify external connections. Appendix A of the "TIC Reference Architecture" clarifies the definition of external connection. This information is used to establish the starting baseline for the Initiative. All agencies should maintain up to date inventories of their external connections, including service provider, cost, location, capacity, and traffic volumes throughout the TIC Initiative.
Milestone #2: Determine your agency's capability to meet the TIC critical technical capabilities
In accordance with M-08-16, TICAP agency Chief Information Officers should determine the gap between their agency's current capabilities and the 51 capabilities identified in the Statement of Capability document. Appendix B of the TIC Reference Architecture explains the 51 critical technical capabilities. This information was used by OMB to select designated TICAP agencies and is now completed.
Milestone #3: Develop a plan to reduce and consolidate your agency's external connections through approved access points and a plan to implement the TIC critical capabilities at your agency
A Plan of Action and Milestones (POA&M) was due to the Department of Homeland Security by 8/14/09 and must be up updated every 6 months thereafter until complete.
Milestone #4: Acquire telecommunications connectivity through the Networx Contract
OMB Memo M-08-26 states that all agencies utilize the Networx Contract to acquire telecommunications connectivity. In order to improve your agency's security posture with TIC-compliant managed security services, agencies are encouraged to purchase the Managed Trusted Internet Protocol Services (MTIPS) CLIN through the Networx Contract. TICAP agencies are also encouraged to purchase the MTIPS CLIN, but may also utilize Networx services to customize their security capabilities.
Milestone #5: Implement the plan to reduce and consolidate your agency's external connections through approved access points and the plan to meet the TIC critical capabilities at your agency
In addition to the four milestones mentioned above, all agency CIOs need to sign a Memorandum of Agreement (MOA) and execute a Service Level Agreement (SLA) with the Department of Homeland Security. TICAP Agency CIOs also need to sign an Interconnection Security Agreement (ISA) and collaborate with the Department to establish their TICAP locations. The end-state of the TIC initiative is for each agency to meet the following targets: 100% compliance with the TIC critical technical capabilities and 100% of external connections routed through an approved TICAP.
Milestone #6: Collaborate with DHS to measure and validate your compliance with the TIC Initiative
The Comprehensive National Cyber Security Initiative directs the Department of Homeland Security, in partnership with OMB, to validate agency compliance with the TIC initiative. This initiative and OMB memo M-08-27 provide further guidance to agencies on the steps necessary to complete the TIC Cybersecurity Capability Validation (CCV). The Department also assesses the capabilities of the Networx TICAPs prior to the service being available.
Mark Bunn, TIC Program Manager