When the Office of Management and Budget announced the Trusted Internet Connections initiative in 2007, officials hoped to slash the number of federal internet access points to no more than 50 and enhance network security. The TIC serves as a secure gateway between federal networks and external network connections, including connections to the internet.
However, since then, the nature of the network perimeter has become more amorphous as more agencies have migrated applications to cloud providers. Agencies have complained that the TIC program inhibits their cloud migration efforts, and the White House and Department of Homeland Security have been working on a revamp to the TIC initiative.
Now, those efforts are starting to bear fruit. On Dec. 14, OMB issued draft guidance that updates the TIC program, giving agencies increased flexibility to maintain secure internet connections. The new policy allows agencies to use modern security capabilities and ensures that the initiative is “agile and responsive to advancements in technology and rapidly evolving threats,” according to the draft.
Once the policy is finalized, DHS will define and offer “TIC Use Cases,” which will tell agencies which alternative security controls, such as endpoint and user-based protections, must be in place for specific instances where traffic is not required to flow through a physical TIC access point.
These tools may be separate from an agency’s existing network boundary solutions provided by a TIC Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS).
How DHS Will Help Agencies Ensure Secure Connections
The new policy focuses on helping “us streamline agency efforts to move to multicloud environments where we need to look at a different approach to security and storage,” Federal CIO Suzette Kent said Dec. 13 at an event in Washington, D.C., hosted by the Center for Strategic and International Studies, according to Nextgov. As Nextgov reports, “the draft issued Friday is less an actual policy for agencies to follow and more of a roadmap for the Homeland Security’s guidance, which is forthcoming.”
“Given the diversity of platforms and implementations across the Federal Government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for government-wide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite of capabilities),” the draft guidance states.
There are three initial TIC Use Cases allowed under the new policy. One is cloud, which includes Infrastructure as a Service, Software as a Service and Email as a Service.
Another is agency branch offices. This use case assumes a branch office that is separate from agency headquarters but relies on the main office for the majority of its services (including generic web traffic), the guidance states, adding that this “supports agencies that want to enable Software-Defined Wide Area Network (SD-WAN) technologies.”
The final one is remote users, which is an “evolution of the original FedRAMP TIC Overlay (FTO) activities” and “demonstrates how a remote user connects to the agency’s traditional network, cloud, and the Internet using government furnished equipment (GFE).”
There are several next steps and new ways of approaching TIC that the guidance outlines. The TIC Use Cases will be reviewed and updated on a continuous basis, according to the draft, and the Federal CISO Council will solicit and review use case pilots from agencies and industry, and, along with DHS, “establish the timeline for DHS to review pilot results and approve updates to TIC Use Cases and other TIC reference architecture documentation.”
OMB, DHS, the General Services Administration and the CISO Council will oversee and support agency TIC pilots, as appropriate, the guidance says. DHS, working with the GSA, will set up a process for soliciting agency and industry input on approved TIC Use Cases and other TIC reference architecture documentation, and DHS will ensure these are kept up to date as changes are approved.
Within 90 days of the release of each TIC Use Case, DHS, in coordination with the GSA, “will develop a compliance verification process to validate that agencies are implementing the security controls required by TIC Use Cases,” the guidance says.
“The goal is to shift from burdensome, point-in-time spot checks to a scalable, comprehensive, and continuous validation process,” the draft policy states.