The Office of Management and Budget cancelled several decade-old policies that required the internet traffic of federal agencies to flow through a physical Trusted Internet Connection, a long-awaited update that’s meant to increase the flexibility of agencies migrating to the cloud while maintaining their cybersecurity posture.
In a four-page memo to agency chiefs dated Sept. 12, OMB leaders said the current setup “has proven to be an obstacle to the adoption of cloud-based infrastructure.” OMB has been pushing agencies to adopt cloud technology as part of its “Cloud Smart” strategy and as part of a larger push for modernization throughout the federal government.
TIC, an initiative started in 2007, aimed to reduce internet access points across the federal government and to establish “baseline security capabilities” as a way to bolster cybersecurity, according to the federal CIO’s website.
“[The memo] still requires agencies to meet all the strict security requirements that have always been a priority and are even more of a priority now,” said Federal Chief Information Officer Suzette Kent at the Dell Technologies Forum on Sept. 12. “But it includes new pathways to take advantage of modern technology, the capabilities of software, that wasn’t even imagined when that original policy was written.”
The new memo directs the Department of Homeland Security to approve agency use cases and manage pilot programs to “promote flexibility while maintaining a focus on security outcomes.” The document is similar to the draft memo released late last year.
“TIC use case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific scenarios in which traffic may not be required to flow through a physical TIC access point,” the memo read.
The memo directs DHS to release guidance on the creation and management of such pilot programs, as well as the approval of use cases that are “proven, secure scenarios.”
The use case requirements can be separate from current network solutions such as Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS). Ultimately, OMB wrote, the processes in the memo should lead to the development of more use cases to “account for emerging technologies and evolving cyber threats.”
OMB approved four new use cases for agencies, according to the memo. These include the “most prevalent cloud models” in government, such as infrastructure-, software-, email- and platform-as-a-service. Other approved use cases are remote users connecting to an agency network, users connecting to an agency through a branch office and the traditional use case using current network solutions.
Under the TIC policy, agencies can propose pilots within the approved use cases, which will be reviewed by the Federal Chief Information Security Officer council.
The TIC update aims to address the problems leaders at many federal agencies had with speed and latency using TIC while migrating to the cloud.
“This is a key step to help agencies move applications to the cloud much more seamlessly and also increases the user performance while reducing latency and cost,” said Stephen Kovac, vice president of global government at Zscaler, a cloud-based information security company.
The new setup will also help boost cybersecurity because updates can be pushed faster in the cloud, Kovac told Fifth Domain.
“Legacy TIC/MTIPS infrastructure can’t handle cloud smart bandwidth requirements,” Kovac said. “The flexible new guidelines encourage agencies to innovate and thankfully moves us away from a one-TIC perimeter-based solution fits all approach.”
Within one year, agencies must identify which use cases fit their organization best. OMB and DHS will track implementation through reporting required by the Federal Information Security Modernization Act of 2014.