AWS Public Sector Blog

How US federal agencies can apply TIC 3.0 to AWS workloads

This blog post introduces Amazon Web Services (AWS) Trusted Internet Connections (TIC) 3.0 overlay artifacts. TIC is a federal cybersecurity initiative intended to enhance network and data security across the Federal Government. Under OMB M-19-26, US federal agencies choose how they implement TIC 3.0 requirements. These overlays help customers better understand how to apply TIC 3.0 requirements to AWS deployments. For each scenario, we provide a brief description and a link to a TIC 3.0 overlay that provides a reference architecture and a mapping of relevant AWS services to TIC 3.0 security capabilities and objectives. Agencies can use these overlays as general guidelines for deploying workloads in AWS.

TIC program overview

The Trusted Internet Connections (TIC) initiative, since its establishment by the Cybersecurity and Infrastructure Security Agency (CISA) in 2007, has moved the US government from a period of uncontrolled and unmonitored internet connections to a controlled state, reducing the attack surface of agency systems. While TIC 2.0 focused exclusively on securing an agency’s perimeter by funneling all incoming and outgoing agency data through a TIC access point, TIC 3.0 recognizes the need to account for multiple and diverse architectures rather than a single perimeter approach.

The TIC program lays out security objectives to guide agencies in securing their network traffic to limit the likelihood of a cybersecurity event. Agencies are granted discretion to apply the objectives at a level commensurate with the type of resources being protected. In other words, agencies now have the flexibility to evaluate and apply security capabilities for network traffic and data protection, considering agency-specific requirements. Compliance is determined by the agency itself, as opposed to compliance verification provided by a third party such as CISA. This implies there are no specific architectures or implementations that are uniformly applied across all agencies and use cases. Implementations can vary widely depending on the agency and use case in question.

The TIC 3.0 program provides guidance on the type of security capabilities that each agency may need to consider during implementation. These capabilities are divided into two broad categories: universal security capabilities and policy enforcement point (PEP) security capabilities. Universal security capabilities are security capabilities that agencies can consider as guidelines for implementation at an enterprise level. PEP security capabilities are more granular network-level security capabilities that inform technical implementation for specific use cases.

TIC 3.0 Overlays for AWS Workloads

Each of the examples below speaks to a common deployment pattern AWS customers may leverage as part of a TIC use case. In working with federal customers, we found that these were some of the more common patterns used in TIC pilots. As we continue to support more customers' production TIC workloads, we will update the GitHub portal with changes and updates.

  1. N-tier: This overlay demonstrates how TIC security capabilities are achieved in the case of an N-tier (typically a 3-tier) web application. Check out the N-tier overlay in the AWS Samples GitHub.
  2. Containerized/abstracted services: This overlay demonstrates how TIC security capabilities are achieved in the case of containerized or abstracted (serverless) services. Check out the containerized/abstracted services overlay in the AWS Samples GitHub.
  3. Remote/virtual desktop (VDI): This overlay demonstrates how TIC security capabilities are achieved in the case of a remote/virtual desktop environment. Check out the remote/VDI overlay in the AWS Samples GitHub.
  4. Hybrid/edge computing: This overlay demonstrates how TIC security capabilities are achieved for hybrid/edge computing. Check out the hybrid/edge overlay in the AWS Samples GitHub.
  5. Centralized inspection: This overlay demonstrates how TIC security capabilities are achieved for centralized inspection. Check out the centralized inspection overlay in the AWS Samples GitHub.

Conclusion

In this blog post, we described how AWS customers can apply TIC 3.0 to AWS workloads, and provided links to overlays for common scenarios. To learn more about how your agency can implement these reference architectures, or for further questions about applying TIC 3.0 guidelines, contact your AWS account team.

Brad Dispensa

Brad is a principal security specialist solutions architect for the public sector at Amazon Web Services (AWS).

Henrik Balle

Henrik Balle is a Sr. Solutions Architect on the federal civilian team at AWS. He is passionate about helping customers achieve their mission through cloud technologies from machine learning to security and governance at scale. Prior to joining AWS, he held various roles working with customers across the Americas, Europe, and Asia-Pacific.

Sanjeev Pulapaka

Sanjeev is a principal solutions architect on the US Federal Civilian team at Amazon Web Services (AWS). He works closely with customers in building and architecting mission-critical solutions. Sanjeev has an undergraduate degree in engineering from the Indian Institute of Technology and an MBA from the University of Notre Dame.