Why TIC and cloud don't mix

The Department of Homeland Security's top cyber official told Congress that changes to two IT security programs will help reconcile the government's desire to modernize in the cloud and accommodate remote employees while still shoring up protections for federal networks and systems.

The Trusted Internet Connection program was launched in 2007 to reduce the federal government's attack surface by cutting internet access points. That initiative pre-dated the "cloud-first" policy launched in 2010, and the two programs have struggled to sync up ever since.

Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, acknowledged that the goal of reducing access points fit the old-school, IT-ownership model that cloud is replacing.

"In the traditional or historic on-premise environment of having a server room or having a data center where you know where the equipment is and you can sit on the pipes and focus them down, TIC was important," Krebs told the House Appropriations Committee in a March 13 hearing. "Going forward -- particularly as we shift through IT modernization to cloud, because cloud is efficient, it's scalable, it's flexible to meet modern workforce demands -- TIC won't work."

The federal government relies on more than 228 different cloud providers, and the White House has repeatedly emphasized cloud adoption as a central pillar of its IT modernization efforts. Last year, the Trump administration ordered agencies to update their TIC policies to remove any barriers impeding further cloud adoption, while DHS rolled out a revamped policy that is designed to reconcile the cloud vs. security contradiction inherent in previous versions.

Krebs laid out a model that he claimed would be able to better take advantage of the cloud but also push certain security requirements onto vendors and providers.

"The alternative model -- which in the end will actually be more efficient and save the taxpayer money because we're not owning the infrastructure -- is we are setting a set of security outcomes and requirements for the cloud providers, saying, 'This is the kind of information we need, you need to send it back to us' and then we can analyze it," said Krebs.

Rep. Dutch Ruppersberger (D-Md.) pointed out that TIC policy also inhibited teleworking.

"Counter to the idea of reducing connections to the internet, the federal workforce is actually moving in the opposite direction with more and more employees working remotely," he said.

The Government Accountability Office has consistently tracked significant year-over-year increases in the number of federal employees who telework. According to data from the Office of Personnel Management, 34 percent of federal employees in 2016 reported working remotely, while 54 percent said they don't only because some type of obstacle prevents them from doing so. Only 12 percent reported that they do not work remotely by choice.

Krebs said DHS is relying on another revamped cybersecurity program, Continuous Diagnostics and Mitigation, to help change out older systems and technology at federal agencies and build in more capabilities to accommodate cloud and remote employees while, again, relying on private sector "agility" to ensure certain security requirements are maintained.

"We are ultimately going to shift from a model where we own the infrastructure, we own the sensors, and instead we're putting out a baseline policy and a series of outcomes that we're looking to achieve so we have everybody playing by our rules rather than we're doing the operations and maintenance on equipment," said Krebs.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
