Trusted Internet Connections 3.0 -- Vol. 3: Policy Enforcement Point CapabilitiesPolicy Enforcement Point (PEP) Capabilities are network-level capabilities that inform technical implementation for relevant use cases. PEP Capabilities are divided into eight groups and fulfilled by applications, devices, or services identified in TIC Use Cases and TIC Overlays. The eight PEP capability groups correspond to the following security functions: • Files, • Email, • Web, • Networking, • Resiliency, • DNS, • Intrusion Detection, and • Enterprise.The PEP capability groups listing is not exhaustive. Additional groups may be developed to reflect new use cases. The following tables provide: (1) a list of PEP capabilities, (2) a description of each capability, and (3) a mapping to relevant NIST CSF categories. Cybersecurity and Infrastructure Security AgencyCISA_b6ee542c-9a4e-11ea-824e-10e01783ea00Cybersecurity Division_9d97ab60-9af1-11ea-9f5b-21a3fa82ea00To inform technical implementation of network-level capabilities_9d97acbe-9af1-11ea-9f5b-21a3fa82ea00FilesSecure files_9d97ad7c-9af1-11ea-9f5b-21a3fa82ea001Files PEP Security CapabilitiesMalwareDetect the presence of malicious code and facilitate its quarantine or removal_9d97ae1c-9af1-11ea-9f5b-21a3fa82ea001.1Anti-Malware -- Anti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.Disarming & ReconstructionDetect the presence of unapproved active content and facilitates its removal_9d97aebc-9af1-11ea-9f5b-21a3fa82ea001.2Content Disarm & Reconstruction -- Content Disarm & Reconstruction technology detects the presence of unapproved active content and facilitates its removal.DetonationFacilitate the detection of malicious code through the use of protected and isolated execution environments_9d97af5c-9af1-11ea-9f5b-21a3fa82ea001.3Detonation Chambers -- Detonation Chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the filesE-MailSecure E-mail_9d97affc-9af1-11ea-9f5b-21a3fa82ea002Email PEP Security CapabilitiesPhishingDetect instances of phishing and prevent users from accessing them_9d97b0ec-9af1-11ea-9f5b-21a3fa82ea002.1Anti-phishing Protections -- Anti-phishing protections detect instances of phishing and prevent users from accessing them.SPAMDetect and quarantine SPAM_9d97b1a0-9af1-11ea-9f5b-21a3fa82ea002.2Anti-SPAM Protections -- Anti-SPAM protections detect and quarantine instances of SPAM.AuthenticationAllow downstream entities to accept an intermediary’s authentication even if the email was changed_9d97b24a-9af1-11ea-9f5b-21a3fa82ea002.3Authenticated Received Chain -- Authenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream entities to accept the intermediary’s authentication even if the email was changed.LossDetect exfiltration of data_9d97b2ea-9af1-11ea-9f5b-21a3fa82ea002.4Data Loss Prevention -- Data Loss Prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency dataIncomingAuthenticate incoming email_9d97b38a-9af1-11ea-9f5b-21a3fa82ea002.5DMARC for Incoming Email -- DMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.OutgoingSign emails_9d97b434-9af1-11ea-9f5b-21a3fa82ea002.6DMARC for Outgoing Email -- DMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC4789.EncryptionConfigured email services to use encrypted connections_9d97b4de-9af1-11ea-9f5b-21a3fa82ea002.7Encryption for Email Transmission -- Email Services are configured to use encrypted connections, when possible, when interacting with Clients and other Email Servers.URLsDetect malicious URLs in emails and prevent users from accessing them_9d97b588-9af1-11ea-9f5b-21a3fa82ea002.8Malicious URL Protections -- Malicious URL Protections detect malicious URLs in emails and prevent users from accessing them.Click-ThroughsVerify the security of URL destinations before permitting access_9d97b63c-9af1-11ea-9f5b-21a3fa82ea002.9URL Click-Through Protection -- URL Click-Through Protections ensures that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.IntrusionsPrevent intrusions_9d97b6e6-9af1-11ea-9f5b-21a3fa82ea002.10NCPS E3A Protections -- NCPS E3A is an intrusion prevention capability, provided by DHS, that includes an Email Filtering security service.WebSecure Web access_9d97b79a-9af1-11ea-9f5b-21a3fa82ea003Web PEP Security CapabilitiesBreak & InspectTerminate encrypted traffic, inspect, and re-encrypt it_9d97b858-9af1-11ea-9f5b-21a3fa82ea003.1Break and Inspect -- Break-and-Inspect systems terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final destination.Active ContentDetect and facilitate removal of unapproved active content_9d97b90c-9af1-11ea-9f5b-21a3fa82ea003.2Active Content Mitigation -- Active Content Mitigation protections detect the presence of unapproved active content and facilitate its removal.BlacklistingPrevent communication with entities using bad certificates_9d97b9c0-9af1-11ea-9f5b-21a3fa82ea003.3Certificate Blacklisting -- Certificate Blacklisting protections prevent communication with entities that use a set of known bad certificates.CertificatesPrevent use of inconsistent credentials_9d97ba7e-9af1-11ea-9f5b-21a3fa82ea003.4Certificate Consensus -- Certificate Consensus provides a comparison of all observed certificates in use for consistency and preventing use of inconsistent credentials.Unapproved ContentDetect and facilitate removal of unapproved content_9d97bb3c-9af1-11ea-9f5b-21a3fa82ea003.5Content Filtering -- Content Filtering protections detect the presence of unapproved content and facilitate its removal.AuthenticationRequire entities to authenticate with the proxy_9d97bbfa-9af1-11ea-9f5b-21a3fa82ea003.6Authenticated Proxy -- Authenticated Proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.Data LossDetect instances of the exfiltration_9d97bcb8-9af1-11ea-9f5b-21a3fa82ea003.7Data Loss Prevention -- Data Loss Prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.DNS-over-HTTPSPrevent usage of the DNS-over-HTTPS protocol_9d97bd80-9af1-11ea-9f5b-21a3fa82ea003.8DNS-over-HTTPS -- Filtering DNS-over-HTTPS filtering prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections. EnforcementEnsure that traffic complies with protocol definitions_9d97be3e-9af1-11ea-9f5b-21a3fa82ea003.9RFC Compliance Enforcement -- RFC Compliant Enforcement technologies ensure that traffic complies with protocol definitions.Filtering[Establish] different security protections for classes of domains_9d97bf06-9af1-11ea-9f5b-21a3fa82ea003.10Domain Category Filtering -- Domain Category Filtering technologies allow for classes of domains (e.g. banking, medical) to receive a different set of security protections.ReputationBlacklist domains based on reputation_9d97bfce-9af1-11ea-9f5b-21a3fa82ea003.11Domain Reputation Filter -- Domain Reputation Filtering protections are a form of Domain Blacklisting based on a domain’s reputation, as defined by either the agency or an external entity.BandwidthLimit the amount of bandwidth used by different classes of domains_9d97c096-9af1-11ea-9f5b-21a3fa82ea003.12Bandwidth Control -- Bandwidth Control technologies allow for limiting the amount of bandwidth used by different classes of domains.FilteringDetect and facilitate removal of malicious content_9d97c15e-9af1-11ea-9f5b-21a3fa82ea003.13Malicious Content Filtering -- Malicious Content Filtering protections detect the presence of malicious content and facilitate its removal.AccessDefine policies concerning what entities may perform_9d97c230-9af1-11ea-9f5b-21a3fa82ea003.14Access Control -- Access Control technologies allow an agency to define policies concerning what entities may perform.NetworksSecure networks_9d97c302-9af1-11ea-9f5b-21a3fa82ea004Networking PEP Security CapabilitiesAccessPrevent the ingest or transiting of unauthorized network traffic_9d97c4d8-9af1-11ea-9f5b-21a3fa82ea004.1Network Access Controls -- Network Access Control protections prevent the ingest or transiting of unauthorized network traffic.BlacklistingPrevent the ingest or transiting of traffic received from or destined to a blacklisted IP address_9d97c5c8-9af1-11ea-9f5b-21a3fa82ea004.2IP Blacklisting -- IP Blacklisting protections prevent the ingest or transiting of traffic received from or destined to a blacklisted IP address.ContainmentEnable revocation of hosts' access to networks_9d97c6a4-9af1-11ea-9f5b-21a3fa82ea004.3Host Containment -- Host Containment protections enable a network to revoke a host’s access to the network.SegmentationSeparate networks into subnetworks_9d97c7d0-9af1-11ea-9f5b-21a3fa82ea004.4Network Segmentation -- Network Segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.MicrosegmentationDivide networks according to the communication needs of application and data workflows_9d97c8b6-9af1-11ea-9f5b-21a3fa82ea004.5Microsegmentation -- Microsegmentation divides the network, either physically or virtually, according to the communication needs of application and data workflows, facilitating security controls to protect the data.Resiliency_9d97c992-9af1-11ea-9f5b-21a3fa82ea005Resiliency PEP Security CapabilitiesDDoSMitigate the effects of distributed denial of service attacks_9d97ca78-9af1-11ea-9f5b-21a3fa82ea005.1DDoS Protections -- DDoS protections mitigate the effects of distributed denial of service attacks.ExpansionDynamically expand the resources available for services as conditions require_9d97cc80-9af1-11ea-9f5b-21a3fa82ea005.2Elastic Expansion -- Elastic expansion enables agencies to dynamically expand the resources available for services as conditions require._9d97cde8-9af1-11ea-9f5b-21a3fa82ea005.3 Regional Delivery -- Regional Delivery technologies enable the deployment of agency services across geographically diverse locations.DNS_9d97cf5a-9af1-11ea-9f5b-21a3fa82ea006DNS PEP Security CapabilitiesBlackholingProtect clients from accessing malicious domains_9d97d0b8-9af1-11ea-9f5b-21a3fa82ea006.1DNS Blackholing -- DNS Blackholing protections are a form of blacklisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.Domain ValidationEnsure that domain name lookups from agency clients validated_9d97d20c-9af1-11ea-9f5b-21a3fa82ea006.2DNSSEC for Agency Clients -- DNSSEC protections ensure that domain name lookups from agency clients, whether for internal or external domains, are validated.Agency DomainsEnsure that agency domain names are secured_9d97d388-9af1-11ea-9f5b-21a3fa82ea006.3DNSSEC for Agency Domains -- DNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.Intrusions_9d97d4fa-9af1-11ea-9f5b-21a3fa82ea007Intrusion Detection PEP Security CapabilitiesEndpointsCombine endpoint and network event data to aid in the detection of malicious activity_9d97d66c-9af1-11ea-9f5b-21a3fa82ea007.1Endpoint Detection and Response -- Endpoint Detection and Response tools combine endpoint and network event data to aid in the detection of malicious activity.Malicious ActivityDetect malicious activity, attempt to stop the activity, and report the activity_9d97d7fc-9af1-11ea-9f5b-21a3fa82ea007.2Intrusion Protection Systems (IPS) -- Intrusion Protection Systems detect malicious activity, attempt to stop the activity, and report the activity.AccessEvaluate access control decisions_9d97d90a-9af1-11ea-9f5b-21a3fa82ea007.3Adaptive Access Control -- Adaptive Access Control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.DeceptionsDeflect attacks away from the operational systems_9d97da04-9af1-11ea-9f5b-21a3fa82ea007.4Deception Platforms -- Deception Platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency missions/business functions.Log MonitoringDiscover when new certificates are issued for agency domains_9d97db12-9af1-11ea-9f5b-21a3fa82ea007.5Certificate Transparency Log Monitoring -- Certificate Transparency Log Monitoring allows agencies to discover when new certificates are issued for agency domains. Enterprises_9d97dc0c-9af1-11ea-9f5b-21a3fa82ea008Enterprise PEP Security CapabilitiesSOARDefine, prioritize and automate the response to security incidents_9d97dd06-9af1-11ea-9f5b-21a3fa82ea008.1Security Orchestration, Automation, and Response (SOAR) -- Security Orchestration, Automation and Response tools define, prioritize and automate the response to security incidents.Shadow ITDetect the presence of unauthorized software and systems_9d97de14-9af1-11ea-9f5b-21a3fa82ea008.2Shadow IT Detection -- Shadow IT Detection systems detect the presence of unauthorized software and systems in use by an agency.VPNProvide a secure communications mechanism between networks_9d97df18-9af1-11ea-9f5b-21a3fa82ea008.3VPN -- Virtual Private Network solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.2019-12-312020-01-312020-05-20https://www.cisa.gov/sites/default/files/publications/Draft%20TIC%203.0%20Vol.%203%20Security%20Capabilities%20Handbook.pdfOwenAmburOwen.Ambur@verizon.net