Feb 12 2018
Security

How Agencies Can Achieve TIC Compliance in the Cloud

Here are three tips feds should follow to ensure that Trusted Internet requirements are met as applications move to the cloud.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST). 

When the Office of Management and Budget announced the Trusted Internet Connections initiative in 2007, officials hoped to cut the number of federal internet access points to no more than 50. All traffic between an agency’s internal and external networks had to pass through an approved TIC access provider. Fewer entry points to the internet meant stronger security using available resources.

In the decade since the TIC initiative was launched, federal agencies have begun moving apps from government servers to cloud service providers. Users also have been accessing federal networks from mobile devices, circumventing TIC access providers.

To promote TIC compliance when using the cloud, agency IT professionals should follow these few important steps:

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

1. Determine the Impact of Migrating Apps to the Cloud

In the precloud, premobile environment, many apps were used only on internal networks. Moving to the cloud meant that users could employ apps remotely, and that created a new access point subject to TIC requirements: a dedicated, specially secured connection between the original TIC-approved access provider and the cloud provider.

But forcing remote communication through a TIC system can cause excessive network latency, put a strain on bandwidth and decrease reliability. Agencies should consider a pilot test before fully migrating an app’s operations to the cloud.

2. Collaborate with Approved Cloud Service Providers

Version 2.0 of the TIC requirements, released in 2013, gave federal agencies the flexibility to meet requirements by using approved cloud providers. A separate program, the Federal Risk and Authorization Management Program, was established in 2011, requiring agencies to use cloud providers that have demonstrated their compliance with federal security mandates.

By collaborating with a FedRAMP-certified cloud provider, an agency may be able to design a solution that meets TIC requirements while avoiding performance issues.

3. Monitor Progress on Updates to TIC

In 2015, FedRAMP and TIC teams began coordinating to give agencies more flexibility as they move to the cloud. The FedRAMP-TIC Overlay would map TIC capabilities and requirements to FedRAMP security controls, allowing agencies to meet the requirements of both programs at once.

As FedRAMP works on the overlay, the Department of Homeland Security, which oversees the TIC initiative, is planning to update to version 3.0 in the next few years. Agencies should be ready to quickly take advantage as each becomes available.

erhui1979/Getty Images

More On

Related Stories

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now