<?xml version="1.0" encoding="UTF-8"?>
<PerformancePlanOrReport xmlns="urn:ISO:std:iso:17469:tech:xsd:PerformancePlanOrReport" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

 xsi:schemaLocation="urn:ISO:std:iso:17469:tech:xsd:PerformancePlanOrReport http://stratml.us/references/PerformancePlanOrReport20160216.xsd" Type="Strategic_Plan"><Name>Trusted Internet Connections 3.0 -- Vol. 3: Security Capabilities Handbook</Name><Description>The Security Capabilities Handbook provides a list of deployable security controls, security capabilities,
and best practices. The handbook is intended to guide secure implementation and satisfy program
requirements within discrete networking environments. The Security Capabilities Handbook offers
actionable guidance for employing the principles articulated in the TIC 3.0 Program Guidebook, as well
as the secure architecture and components outlined in the TIC 3.0 Reference Architecture. Additionally,
the capabilities included in this document can be aligned with service provider overlays to enable
deployment of existing and future TIC Use Cases.</Description><OtherInformation>Universal Security Capabilities -- Universal capabilities are enterprise-level capabilities that outline guiding principles for TIC Use Cases
and apply across use cases. Agencies have the discretion to determine the level of rigor necessary for
applying universal capabilities based on federal guidelines and risk tolerance. The table below provides:
(1) a list of the universal security capabilities, (2) a description of each capability, and (3) a mapping of
each capability to relevant NIST Cybersecurity Framework (CSF) categories. While universal capabilities
are broadly applicable, certain use cases may provide unique guidance on specific capabilities where
necessary.  [In this StratML rendition, the universal capabilities are documented as objectives under the broader goals.]</OtherInformation><StrategicPlanCore><Organization><Name>Cybersecurity and Infrastructure Security Agency</Name><Acronym>CISA</Acronym><Identifier>_b6ee542c-9a4e-11ea-824e-10e01783ea00</Identifier><Description>Cybersecurity Division</Description><Stakeholder><Name/><Description/></Stakeholder></Organization><Vision><Description/><Identifier>_b6ee5580-9a4e-11ea-824e-10e01783ea00</Identifier></Vision><Mission><Description>To provide a list of deployable security controls, security capabilities, and best practices. </Description><Identifier>_b6ee565c-9a4e-11ea-824e-10e01783ea00</Identifier></Mission><Value><Name>Connection</Name><Description/></Value><Value><Name>Security</Name><Description/></Value><Value><Name>Agility</Name><Description>The Security Capabilities Handbook is intended to keep pace with the evolution of policy and technology.</Description></Value><Value><Name>Responsiveness</Name><Description>Consequently, this document will be updated periodically to assess existing TIC capabilities against changes in business mission needs, market trends, and the threat landscape. </Description></Value><Goal><Name>Traffic</Name><Description>Manage Traffic</Description><Identifier>_b6ee577e-9a4e-11ea-824e-10e01783ea00</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny</OtherInformation><Objective><Name>Configuration</Name><Description>Implement a formal plan for
documenting and managing changes to
the environment, and monitoring for
deviations.</Description><Identifier>_b6ee5846-9a4e-11ea-824e-10e01783ea00</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Configuration Management</OtherInformation></Objective><Objective><Name>Inventory</Name><Description>Develop, document, and
maintain a current inventory of all
systems, networks, and components so
that only authorized devices are given
access, and unauthorized and unmanaged
devices are found and prevented from
gaining access.</Description><Identifier>_0b48c46a-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Privilege</Name><Description>Design the security architecture such
that each entity is granted the minimum
system resources and authorizations that
the entity needs to perform its function.
</Description><Identifier>_0b48c636-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Least Privilege</OtherInformation></Objective><Objective><Name>Synchronization </Name><Description>Coordinate clocks on all systems (e.g.
servers, workstations, network devices) to
enable accurate comparison of timestamps
between systems.</Description><Identifier>_0b48c730-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Time Synchronization </OtherInformation></Objective><Objective><Name>Parity</Name><Description>Consistently apply security protections
and other policies, independent of the
conveyance mechanism used.</Description><Identifier>_0b48c816-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Policy Enforcement Parity</OtherInformation></Objective><Objective><Name>Integration</Name><Description>Define policies such that they apply to a
given agency entity no matter its location.</Description><Identifier>_0b48c8fc-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>1.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Integrated Desktop, Mobile, and Remote Policies</OtherInformation></Objective></Goal><Goal><Name>Confidentiality</Name><Description>Protect Traffic Confidentiality</Description><Identifier>_583d46f6-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Ensure only authorized parties can discern the contents of data in transit;
sender and receiver identification and enforcement</OtherInformation><Objective><Name>Authentication</Name><Description>Verify the identity of users, devices or
other entities through rigorous means (e.g.
multi-factor authentication) before
granting access.</Description><Identifier>_583d47fa-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Strong Authentication</OtherInformation></Objective></Goal><Goal><Name>Integrity</Name><Description>Protect Traffic Integrity</Description><Identifier>_583d489a-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Prevent alteration of data in transit; detect altered data in transit</OtherInformation><Objective><Name>Administration</Name><Description>Perform administrative tasks in a
secure manner, using secure protocols.</Description><Identifier>_583d49da-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Secure Administration</OtherInformation></Objective><Objective><Name>Vulnerability</Name><Description>Proactively work to discover
vulnerabilities, including the use of both
active and passive means of discovery,
and take action to mitigate discovered
vulnerabilities.</Description><Identifier>_0b48c9e2-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Vulnerability Assessment</OtherInformation></Objective><Objective><Name>Auditing &amp; Accounting</Name><Description>Capture business records, including
logs and other telemetry, and make
them available for auditing and
accounting as required.</Description><Identifier>_0b48caf0-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Situational Awareness</Name><Description>Maintain effective awareness, both
current and historical, across all
components.</Description><Identifier>_0b48cbe0-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>3.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective></Goal><Goal><Name>Resiliency</Name><Description>Ensure Service Resiliency</Description><Identifier>_583d4ab6-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Promote resilient application and security services for continuous operation
as the technology and threat landscape evolve</OtherInformation><Objective><Name>Performance</Name><Description>Ensure that systems, services, and
protections maintain acceptable
performance under adverse conditions.</Description><Identifier>_583d4b42-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>4.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Resilience</OtherInformation></Objective><Objective><Name>Threats</Name><Description>Obtain threat intelligence from private
and government sources, and
implement mitigations for the
identified risks.</Description><Identifier>_0b48ccbc-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>4.2</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name>Private Sources</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Government Sources</Name><Description/></Stakeholder><OtherInformation>Enterprise Threat Intelligence</OtherInformation></Objective><Objective><Name>Shared Services</Name><Description>Employ shared services, where
applicable, that can be individually
tailored, measured to independently
validate service conformance, and offer
effective protections for tenants against
malicious actors, both external as well as
internal to the service provider.</Description><Identifier>_0b48cdac-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>4.3</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name/><Description/></Stakeholder><OtherInformation>Effective Use of Shared Services</OtherInformation></Objective></Goal><Goal><Name>Response</Name><Description>Ensure Effective Response</Description><Identifier>_583d4bd8-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Promote timely reaction and adapt future response to discovered threats;
policies defined and implemented; simplified adoption of new
countermeasures</OtherInformation><Objective><Name>Backup &amp; Recovery</Name><Description>Keep copies of configuration and data,
as needed, to allow for the quick
restoration of service in the event of
malicious incidents, system failures or
corruption.</Description><Identifier>_583d4c64-9aa6-11ea-8379-9d1b2983ea00</Identifier><SequenceIndicator>5.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Logs</Name><Description>Store telemetry needed to discover and
respond to malicious activity in a manner
that facilitates security analysis and data
fusion.</Description><Identifier>_0b48ce92-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Central Log Management with Analysis</OtherInformation></Objective><Objective><Name>Incidents</Name><Description>Document and implement a set of
instructions or procedures to detect,
respond to, limit consequences of
malicious cyberattacks, and restore the
integrity of the network and systems.</Description><Identifier>_0b48cf82-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Incident Response Plan and Incident Handling</OtherInformation></Objective><Objective><Name>Discovery</Name><Description>Use dynamic approaches (e.g.
heuristics, baselining, etc.) to discover
new malicious activity.</Description><Identifier>_0b48d086-9aba-11ea-96ad-8e802d83ea00</Identifier><SequenceIndicator>5.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Dynamic Threat Discovery</OtherInformation></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate>2019-12-31</StartDate><EndDate>2020-01-31</EndDate><PublicationDate>2020-05-20</PublicationDate><Source>https://www.cisa.gov/sites/default/files/publications/Draft%20TIC%203.0%20Vol.%203%20Security%20Capabilities%20Handbook.pdf</Source><Submitter><GivenName>Owen</GivenName><Surname>Ambur</Surname><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></PerformancePlanOrReport>