<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="../part2stratml.xsl"?><PerformancePlanOrReport><Name>Trusted Internet Connections 3.0 -- Vol. 3: Security Capabilities Handbook</Name><Description>The Security Capabilities Handbook provides a list of deployable security controls, security capabilities, and best practices. The handbook is intended to guide secure implementation and satisfy program requirements within discrete networking environments. The Security Capabilities Handbook offers actionable guidance for employing the principles articulated in the TIC 3.0 Program Guidebook, as well as the secure architecture and components outlined in the TIC 3.0 Reference Architecture. Additionally, the capabilities included in this document can be aligned with service provider overlays to enable deployment of existing and future TIC Use Cases.</Description><OtherInformation>Universal Security Capabilities -- Universal capabilities are enterprise-level capabilities that outline guiding principles for TIC Use Cases and apply across use cases. Agencies have the discretion to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. The table below provides: (1) a list of the universal security capabilities, (2) a description of each capability, and (3) a mapping of each capability to relevant NIST Cybersecurity Framework (CSF) categories. While universal capabilities are broadly applicable, certain use cases may provide unique guidance on specific capabilities where necessary.
[In this StratML rendition, the universal capabilities are documented as objectives under the broader goals.]</OtherInformation><StrategicPlanCore><Organization><Name>Cybersecurity and Infrastructure Security Agency</Name><Acronym>CISA</Acronym><Identifier>_b6ee542c-9a4e-11ea-824e-10e01783ea00</Identifier><Description>Cybersecurity Division</Description><Stakeholder><Name/><Description/></Stakeholder></Organization><Vision><Description/><Identifier>_b6ee5580-9a4e-11ea-824e-10e01783ea00</Identifier></Vision><Mission><Description>To provide a list of deployable security controls, security capabilities, and best practices. </Description><Identifier>_b6ee565c-9a4e-11ea-824e-10e01783ea00</Identifier></Mission><Value><Name>Connection</Name><Description/></Value><Value><Name>Security</Name><Description/></Value><Value><Name>Agility</Name><Description>The Security Capabilities Handbook is intended to keep pace with the evolution of policy and technology.</Description></Value><Value><Name>Responsiveness</Name><Description>Consequently, this document will be updated periodically to assess existing TIC capabilities against changes in business mission needs, market trends, and the threat landscape. 
</Description></Value><Goal><Name>Traffic</Name><Description>Manage Traffic</Description><Identifier>_b6ee577e-9a4e-11ea-824e-10e01783ea00</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny</OtherInformation><Objective><Name>Configuration</Name><Description>Implement a formal plan for documenting, and managing changes to the environment, and monitoring for deviations.</Description><Identifier>_b6ee5846-9a4e-11ea-824e-10e01783ea00</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Configuration Management</OtherInformation></Objective><Objective><Name>Inventory</Name><Description>Develop, document, and maintain a current inventory of all systems, networks, and components so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.</Description><Identifier>_0b48c46a-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Privilege</Name><Description>Design the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.</Description><Identifier>_0b48c636-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Least Privilege</OtherInformation></Objective><Objective><Name>Synchronization </Name><Description>Coordinate clocks on all systems (e.g. servers, workstations, network devices) to enable accurate comparison of timestamps between 
systems.</Description><Identifier>_0b48c730-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Time Synchronization </OtherInformation></Objective><Objective><Name>Parity</Name><Description>Consistently apply security protections and other policies, independent of the conveyance mechanism used.</Description><Identifier>_0b48c816-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Policy Enforcement Parity</OtherInformation></Objective><Objective><Name>Integration</Name><Description>Defining policies such that they apply to a given agency entity no matter its location.</Description><Identifier>_0b48c8fc-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Integrated Desktop, Mobile, and Remote Policies</OtherInformation></Objective></Goal><Goal><Name>Confidentiality</Name><Description>Protect Traffic Confidentiality</Description><Identifier>_583d46f6-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement</OtherInformation><Objective><Name>Authentication</Name><Description>Verify the identity of users, devices or other entities through rigorous means (e.g. multi-factor authentication) before granting access.</Description><Identifier>_583d47fa-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Strong Authentication</OtherInformation></Objective></Goal><Goal><Name>Integrity</Name><Description>Protect Traffic 
Integrity</Description><Identifier>_583d489a-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Prevent alteration of data in transit; detect altered data in transit</OtherInformation><Objective><Name>Administration</Name><Description>Perform administrative tasks in a secure manner, using secure protocols.</Description><Identifier>_583d49da-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Secure Administration</OtherInformation></Objective><Objective><Name>Vulnerability</Name><Description>Proactively work to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.</Description><Identifier>_0b48c9e2-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Vulnerability Assessment</OtherInformation></Objective><Objective><Name>Auditing &amp; Accounting</Name><Description>Capture business records, including logs and other telemetry, and making them available for auditing and accounting as required.</Description><Identifier>_0b48caf0-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Situational Awareness</Name><Description>Maintain effective awareness, both current and historical, across all components.</Description><Identifier>_0b48cbe0-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective></Goal><Goal><Name>Resiliency</Name><Description>Ensure Service 
Resiliency</Description><Identifier>_583d4ab6-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Promote resilient application and security services for continuous operation as the technology and threat landscape evolve</OtherInformation><Objective><Name>Performance</Name><Description>Ensure that systems, services, and protections maintain acceptable performance under adverse conditions</Description><Identifier>_583d4b42-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>4.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Resilience</OtherInformation></Objective><Objective><Name>Threats</Name><Description>Obtain threat intelligence from private and government sources, and implementing mitigations for the identified risks.</Description><Identifier>_0b48ccbc-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>4.2</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name>Private Sources</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Government Sources</Name><Description/></Stakeholder><OtherInformation>Enterprise Threat Intelligence</OtherInformation></Objective><Objective><Name>Shared Services</Name><Description>Employ shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.</Description><Identifier>_0b48cdac-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>4.3</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name/><Description/></Stakeholder><OtherInformation>Effective Use of Shared Services</OtherInformation></Objective></Goal><Goal><Name>Response</Name><Description>Ensure Effective 
Response</Description><Identifier>_583d4bd8-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures</OtherInformation><Objective><Name>Backup &amp; Recovery</Name><Description>Keep copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures or corruption.</Description><Identifier>_583d4c64-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>5.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Logs</Name><Description>Store telemetry needed to discover and respond to malicious activity in a manner that facilitates security analysis and data fusion.</Description><Identifier>_0b48ce92-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Central Log Management with Analysis</OtherInformation></Objective><Objective><Name>Incidents</Name><Description>Document and implement a set of instructions or procedures to detect, respond to, limit consequences of malicious cyberattacks, and restore the integrity of the network and systems.</Description><Identifier>_0b48cf82-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Incident Response Plan and Incident Handling</OtherInformation></Objective><Objective><Name>Discovery</Name><Description>Use dynamic approaches (e.g. heuristics, baselining, etc.) 
to discover new malicious activity.</Description><Identifier>_0b48d086-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Dynamic Threat Discovery</OtherInformation></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate>2019-12-31</StartDate><EndDate>2020-01-31</EndDate><PublicationDate>2020-05-20</PublicationDate><Source>https://www.cisa.gov/sites/default/files/publications/Draft%20TIC%203.0%20Vol.%203%20Security%20Capabilities%20Handbook.pdf</Source><Submitter><GivenName>Owen</GivenName><Surname>Ambur</Surname><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></PerformancePlanOrReport>
