What TIC 3.0 means for federal digital transformation

Agencies need a multitenant, cloud-based security stack that’s built to scale up and down to meet their requirements.

Cloud adoption is driving innovation across government, laying the foundation for emerging technology, shared services and the ability to meet the expectations of a federal workforce that wants simple, seamless access to applications and data.

As agencies pursue digital transformation goals and deploy more cloud-based applications, many federal IT leaders recognize that the Trusted Internet Connection program, launched more than a decade ago to keep federal web traffic secure, can't keep up.

"In the traditional or historic on-premise environment of having a server room or having a data center where you know where the equipment is and you can sit on the pipes and focus them down, TIC was important," Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, said at a March 13 House Appropriations Committee hearing. "Going forward -- particularly as we shift through IT modernization to cloud, because cloud is efficient, it's scalable, it's flexible to meet modern workforce demands -- TIC won't work."

The full story

Today, government traffic runs through an open internet connection and a virtual private network client. It then travels back through the agency data center and a stack of on-prem security devices, and out through the TIC, where it traverses another stack of security appliances to its final destination -- sites in the open internet.

The challenge is that VPNs expose federal networks to vulnerabilities. Underscoring the issue, DHS just issued a warning that some VPN packages may improperly secure tokens and cookies, giving bad actors an opening and opportunity to control an end user's system. The DHS warning follows a recent alert from Carnegie Mellon's CERT that multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

Taking a step in the right direction, the Office of Management and Budget released draft TIC 3.0 guidelines. Rather than prescribing a specific, rigid approach, OMB provided a set of requirements and security controls, then invited agencies to present their own solutions. The goal is to advance the Cloud Smart initiative and empower agencies to be more creative in their solutions as they move to the cloud.

Learning from use cases

As agencies develop TIC 3.0 solutions, it is vital they share them, ideally in a centralized, government-managed repository. Agencies must be able to compare their security requirements to those in the repository, to review the most viable options. The repository is a catalog of services where the full community can see what has worked and what hasn't -- a "comparison shop" where agencies can find providers that meet their needs and avoid repeating mistakes.

All cloud solution providers should meet requirements of the Federal Risk and Authorization Management Program at the moderate and high baseline and be able to seamlessly scale to meet the bandwidth that agencies will push to the cloud.

Not a lift and shift solution

One important note is that virtualizing a physical TIC isn't the same as providing a cloud-based virtual TIC.

If agencies try to lift and shift (as some in industry advocate), they simply move their challenge from the data center to the cloud and miss the opportunity to improve security and user experience. Virtualizing a physical TIC ultimately makes the problem worse.

Agencies need a multitenant security stack, born and bred in the cloud, that's built to scale up and down to meet their needs. A cloud-based virtualized TIC can be managed and scaled horizontally -- the stack can connect multiple hardware or software entities, such as servers, so that they work as a single logical unit. This can and should be accomplished so seamlessly that the user is unaware.

Certify once, use many

Final thoughts: We must all push hard for a TIC 3.0 solution certification process.

There needs to be an authoring process to confirm solutions meet the requirements of the TIC 3.0 policy. The process should be shared among agency CIOs so that what one agency approves is available to others. It is important to store these approved concepts in a catalog of use cases so they can be used across multiple agencies, ultimately creating a better TIC solution with reduced cost and improved customer experience for users across government.

As Ashley Mahan, FedRAMP director at the General Services Administration, and Matt Goodrich, assistant commissioner for the Office of Products and Programs at GSA, say, we need to "certify once and use many."