Months after the publication of the Trusted Internet Connections (TIC) 3.0 policy, users still have questions. Despite the release of broadly defined use cases, employees across large and small agencies remain uncertain about the viability of their current network connections and the future of cloud computing security models, a Thursday morning GovLoop roundtable showed.
At the roundtable, policy leaders and industry experts took turns responding to many of those concerns.
TIC 3.0 is the latest update to an initiative first designed to consolidate the number of network connections and attach defense and monitoring solutions to the security perimeter. As modern security emphasizes the protection of data rather than the perimeter, the newly released TIC 3.0 publication gives more choice to agencies and malleability for models such as cloud and the Internet of Things.
But while TIC 3.0 is a continuation of the federal government’s larger effort to encourage cloud adoption, it does not – as some feared – force agencies away from their current, effective TIC solutions. The latest TIC use cases released by the Cybersecurity and Infrastructure Security Agency (CISA) in December 2019 emphasize that security measures from previous generations of TIC still stand, in addition to more options for cloud, branch office and remote connections.
“What we’re doing is providing alternatives,” Sean Connelly, TIC Program Manager at CISA, said.
Although TIC 3.0 supersedes the 2012 TIC 2.0 guidance, the connections established in TIC 2.0 still comply. In fact, agencies are “required to continue following the Traditional TIC use case” in the absence of an alternative, the Office of Management and Budget memo states.
For agencies hoping to move to the cloud, however, the traditional TIC acquisition model is no longer current. Instead of agencies using federally established contracts for TIC – “bolt-on security,” as panelists called traditional models – agencies are given the flexibility and responsibility to acquire these solutions for themselves. The three new CISA use cases are not prescriptive but instead agency-interpreted.
Several audience members noted that without clearer use cases from CISA, they did not want to progress with a cloud project that later might contrast with agency pilots currently underway. Connelly again emphasized that the use cases are intended to be broad across the four categories – Infrastructure-as-a-Service, Software-as-a-Service, Email-as-a-Service and Platform-as-a-Service – and that CISA welcomes new pilot ideas from agencies.
CISA will expand its information regarding use cases as pilots are completed and more are developed, eventually with the target of a Zero Trust security strategy use case. The pilots will serve as templates for other agencies to follow as well.
Cloud has the potential to change the way internet connections are monitored.
John MacKinnon, Global Telecommunications Partner Development Manager of Worldwide Public Sector for Amazon Web Services, gave the example of differentiating trusted, authenticated users from hackers and bots. “Separating meat from milk,” as he described it, would keep bad actors away from public portals and avoid situations in which hackers try to overwhelm a firewall. Cloud enables this clarity by providing more advanced metrics on web traffic.
“If you can create a zero-attack surface, then you’ve done a pretty good thing,” MacKinnon said.
Cloud will also change how agencies procure and pay for TIC solutions, said Jim Russo, Technical Director for the Enterprise Infrastructure Solutions Program in the Federal Acquisition Service. Whereas agencies always had a per-gigabyte cost, they also needed their technology portfolios to conform to the federal TIC model, as per the first two TIC iterations.
With TIC 3.0’s cloud use case, however, agencies will interpret what the best internet connection model is, along parameters of agency-determined trust zones.
“We’ve looked traditionally at providing services as commodities … We’ve come to the realization that doesn’t work in 2019, 2020, going forward,” Russo said.
The Office of Management and Budget has targeted a more agency-centric TIC program for a long time. Recognizing that neither the original TIC nor TIC 2.0 suffices for modern business needs, TIC 3.0 has been in the works for three years, Connelly said.
Cloud security companies, like Zscaler, saw agencies endeavor to meet TIC mandates while providing modern services in the meantime.
“[But] just because you say you have a security solution and you call it a TIC trial, doesn’t mean it meets the TIC,” said Stephen Kovac, Vice President of Global Government and Compliance for Zscaler.
The hope now is that agencies won’t have to bend over backward to satisfy TIC. The hope is that TIC will instead be flexible enough for agencies to adopt modern solutions tailored to their needs.
“[With TIC 3.0], I can craft my own use case,” Kovac said about agencies.