One of the biggest barriers between federal agencies and cloud computing adoption has been removed, according to the Office of Management and Budget (OMB).
OMB on Thursday announced new guidance for how agencies can adopt four popular cloud models while still meeting a major standard for federal cybersecurity governmentwide.
“The purpose of the Trusted Internet Connections (TIC) initiative is to enhance network security across the Federal Government,” Margaret Weichert, OMB’s Deputy Director for Management, said in a Sept. 12 memo updating the TIC initiative. “Initially, this was done through the consolidation of external connections and the deployment of common tools at access points. While this prior work has been invaluable in securing Federal networks and information, the program must adapt to modern architectures and frameworks for government IT resource utilization.”
Launched in 2007, TIC seeks to strengthen the federal government’s network security by optimizing and standardizing each external network connection that agencies use. The external network connections that TIC covers include those that utilize the internet, making the program crucial for both federal cybersecurity and IT operations.
TIC has long tried to meet its goals by consolidating and reducing the number of agencies’ external network connections, but Thursday’s memo adds more options for protecting federal cybersecurity.
“Accordingly, this memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities,” Weichert said. “This memorandum also establishes a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.”
Thursday’s announcement then admitted that prior to TIC’s third update, earlier versions of the program had made it harder for agencies to embrace cloud.
“These previous OMB memoranda required agency traffic to flow through a physical TIC access point, which has proven to be an obstacle to the adoption of cloud-based infrastructure,” the memo states.
TIC 3.0 then provides three new use cases for agencies looking to use federal networks without sacrificing their security.
“The collaborative and iterative process described in this memorandum should result in the continuous improvement and development of additional TIC Use Cases that account for emerging technologies and evolving cyber threats,” the memo reads.
The first addition to TIC’s use cases covers four cloud computing models: Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), E-mail-as-a-Service (EaaS) and Platform-as-a-Service (PaaS).
IaaS gives agencies the underlying network infrastructure for cloud services, while SaaS clouds let agencies use these services on a subscription basis through centrally-hosted software. EaaS clouds, meanwhile, host e-mail services in the cloud, and PaaS gives agencies a platform for managing and delivering cloud services.
After permitting certain cloud use cases, TIC 3.0 also authorizes agencies to use two other configurations for IT services. The first concerns agency branch offices which are separate from the organization’s main headquarters (HQ). TIC’s new use case lets branch offices access most of their IT services – including their generic web traffic – from HQ by using Software-Defined Wide Area Network (SD-WAN) technologies.
SD-WANs simplify the management and operations of computing and telecommunications edge networks. Unlike traditional wide area networks (WANs), SD-WANs separate the networking hardware from the mechanism for controlling it across the vast physical space between them.
TIC’s last new use case, for its part, demonstrates how remote users can securely connect to an agency’s traditional network, cloud or internet using government furnished equipment (GFE).
The three new use cases join TIC’s default use case, which covers all physical network connections that meet the program’s standards and Homeland Security Department (DHS) approval.
Thursday’s memo lastly vows that DHS, OMB and the Federal Chief Information Security Officer (CISO) Council will establish a new process for TIC use cases in the next 60 days. The process will guide initiating and managing TIC pilots, approving new use cases, acquiring TIC-ready IT services and collecting feedback for future changes.
After TIC use cases have existed for 90 days, DHS will work with the General Services Administration (GSA) and the National Institute of Standards and Technology (NIST) to create standards for complying with them.
OMB’s update to TIC follows a draft version of Thursday’s memo that contained many of the same changes when it emerged in December 2018.
President Trump’s administration has made modernizing federal IT one of its top priorities, a transformation that can only get easier for agencies after TIC’s most recent upgrade.