How TIC pilots can help clarify federal cloud policy
- By Derek B. Johnson
- May 13, 2020
The lead official overseeing the Trusted Internet Connection (TIC) program at the Department of Homeland Security said he believes a series of pilots taking place within federal agencies will help further flesh out roles and responsibilities for safely navigating government cloud programs.
"We hope [that clarity] comes out of those type of pilots and those use cases that we'll be moving forward with," said Sean Connolly, TIC's Program Manager at the Cybersecurity and Infrastructure Security Agency during a May 12 web event hosted by Government Executive Media Group.
In December 2019 CISA released five volumes of updated guidance for TIC, including a framework for conducting pilots that, if successful, could eventually be adopted as use cases for other federal agencies to follow. Connolly said the draft document was the product of years of effort and collaboration by more than 50 federal agencies, cloud providers, security vendors and companies attached to major government contacts like the $50 billion Enterprise Infrastructure Solutions vehicle.
That guidance had both explicit and implicit goals. The explicit goals were to ensure network consolidation across federal agencies, standardizing security and provide CISA with a platform to deploy sensors and gain situational awareness. The implicit goal was to give agency CIOs and CISOs a "hammer" to shape their own internal security missions and, by extension, serve CISA's larger goal of making federal networks harder to break into.
Along the way it has also helped to align TIC with other cloud security programs, like the Federal Risk and Authorization Management Program (FedRAMP). That has provided agencies and vendors with some additional clarity, but Connolly said there remains overlap that needs to be addressed.
"I think this is an evolving discussion, certainly between the vendors and agencies themselves. That level of trust is maturing, that level of roles, who is doing what has been clarified to a greater extent with each new FedRAMP package that comes out," he said. "At the same time, there is that concern…about where the delineations are between the two programs."
Each use case will go through a rigorous review process, with CISA, the General Services Administration, Office of Management and Budget, and vendors all having their say before they're formally approved by the Federal CISO Council. Stakeholders for two other DHS cybersecurity programs – EINSTEIN and Continuous Diagnostics and Mitigation – will also provide input to ensure the pilots are supporting their efforts.
Thus far, the Departments of Justice, Energy and State as well as the Small Business Administration have been publicly identified as agencies conducting pilots under TIC. Connolly said there are others, but declined to name them this early in the process.
"For sensitivity reasons we don't promote the pilots unless the agencies themselves [do]," he said.
Even before the coronavirus pandemic hit, the federal government has been putting its foot on the accelerator to migrate systems and IT infrastructure to the cloud. Along the way DHS has tweaked programs like TIC to ensure that cloud connections to the internet are secure without inhibiting agencies from taking advantage of the increasingly dominant computing technology.
The possibility that many feds could continue to work from home and require access to agency systems might end up increasingly cloud adoption.
At the same event Tom Suder, founder and president of the Advanced Technology Academic Research Center, said that even as organizations have been gradually moving their IT systems and infrastructure to the cloud over the past decade, the pandemic has injected a new sense of urgency to expand and hasten those plans.
"Any kind of new capability should automatically be in the cloud. You can have microservices, you can even have your old legacy system for a while, but everything new has got to be in the cloud," Suder said.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.