Federal Chief Information Officer Suzette Kent says that her office is changing its approach to network security across the government.
“This is the last major policy component that we needed to update to move barriers for agencies,” she said Dec. 13. “I’m excited because we’ve heard from the vendor community and all our agencies that this needed to be updated and be a significant enhancement.”
Kent was speaking at the Advanced Technology Academic Research Center’s (ATARC) Federal Technology Modernization Summit in Washington, D.C. Her remarks came the day before her office issued new draft guidance about the Trusted Internet Connections (TIC) initiative.
Launched in 2007, TIC seeks to enhance the federal government’s network security. TIC optimizes and standardizes each external network connection agencies use, including those that utilize the internet. TIC also strives to improve the federal government’s security posture and incident response capabilities. It meets these goals by consolidating and reducing the amount of agencies’ external network connections.
Last week, Kent praised the Energy Department (DOE) and the Small Business Administration (SBA) for their work earlier this year reevaluating TIC. The two agencies participated in a 90-day pilot earlier this year aimed at meeting TIC requirements with new technologies.
“[The pilot programs] inform some of the new ways that we can use software to protect our perimeter,” Kent said about the federal government.
The new TIC guidance comes as the federal government grapples with IT modernization across its various agencies. It also addresses the many changes in network security since the initiative’s creation.
“The purpose of the TIC initiative is to enhance network security across the Federal Government,” the memorandum says. “Accordingly, this memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities.”
“This memorandum also establishes a process for ensuring that the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats,” it adds.
The guidance additionally “affirms that agencies may use modern and emerging technologies to meet TIC initiative requirements.” The document also tasks the Homeland Security Department (DHS) with creating “TIC Use Cases” that determine which new tools meet the initiative’s standards.
TIC previously concerned the federal government’s physical external network connections, such as those using the internet. The program’s latest memorandum lists three new TIC use cases. These examples demonstrate how modern and emerging technologies can fulfill TIC’s requirements.
The first addition is cloud, with the new use case covering three of the technology’s most popular forms across the federal government. It states that cloud’s Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) and Email-as-a-Service (EaaS) models can each reach TIC standards. All three varieties use cloud to deliver the desired service – email, infrastructure or software – using the technology’s consistency, flexibility and scalability.
The second use case concerns agency branch offices, an increasing concern in an era of increasing telework. It assumes that each branch office is separate from its agency’s headquarters but utilizes HQ for most of its services, including generic web traffic. This example additionally supports agencies that want to enable software-defined wide area network (SD-WAN) technologies, or those that allow a computer network across a large geographical distance using software.
The last TIC change concerns remote users. This use case explains how remote users can connect to their agency’s cloud, internet and traditional network using government furnished equipment (GFE).
Collectively, these examples show that an established program like TIC can evolve alongside the federal government’s cyberthreats. The landscape that agencies operate changes daily, meaning that the protections shielding them must keep pace or fall behind.
Kent added that 2018 has been a “year of action” on federal technology policies such as TIC. She then predicted that there are more changes ahead for government IT.
“I hope that you feel like a lot has been accomplished, but we have a lot more to do,” she said of this year. It’s never done. We’re always continuing to raise the bar. And we’re going to continue to keep moving forward.”
In the meantime, the Office of Management and Budget (OMB) opened the public comment period for the new TIC update Tuesday. People interested in commenting upon the new memorandum have 30 days from the publication date for doing so.