Latest TIC guidance helps fuel EIS

The next-generation secure internet connection model will help fire up the modernization potential of the General Services Administration's $50 billion, 15-year next-generation telecommunications contract, according to GSA and federal cybersecurity officials.

"TIC 3.0 [Trusted Internet Connection 3.0] provides the agility that we need to move forward," said Allen Hill, director of the Office of Telecommunications Services in GSA's Federal Acquisition Services, during a public meeting on the agency's Enterprise Infrastructure Solutions (EIS) contract in mid-November.

"The way TIC 2.0 worked doesn't adjust for modernization efforts," he said, particularly for federal agencies accelerating their plans to move to the cloud.

The TIC effort, which aims to keep federal web traffic secure, began more than a decade ago, when agencies secured traffic with its scores of dedicated data centers, security devices and virtual private networks. Since then, federal agencies have pivoted to cloud technology with its more efficient, scalable and remote data transmission methods that render those older protections obsolete.

In September, the Office of Management and Budget released its first guidance update to its secure internet connection policy in over a decade. TIC 3.0 gives agencies more flexibility in how they connect to the net.

Incorporating TIC 3.0 into GSA's more-agile, next-generation EIS contract is critical, as the agency's older telecommunications contracts' TIC protections are showing their age, said experts at GSA and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) at the meeting.

"TIC 2.0 had been one-size-fits-all security for internet connections," said Jim Russo, EIS Technical Director at GSA, "and that was [Managed Trusted Internet Protocol Service]."

The MTIPS solution for TIC compliance, although offered under EIS, is not sufficient for agencies' modernization efforts, particularly cloud services, according to Russo. "[It] was designed to solve a problem that a lot of agencies have," he said, but its current application is limited. "Once the network boundary has expanded from all premises-based network where an agency can easily tell where it begins and where it ends, to a more cloud-based, hybrid-based network," he said, TIC 2.0 can't adapt well.

EIS incorporates software-defined network services that dramatically expand network parameters as well. With an SDN, said Russo, TIC 2.0 "defeats the purpose."

TIC 2.0 won't allow SDN's diverse routing around network bottlenecks, and it constrains routes that can be used, he said. "TIC 3.0 will give you a lot of versatility and a lot more flexibility," he said.

"As cloud became key to modernization efforts," TIC 2.0 "became a limitation," said John Simms, deputy branch chief of the Cybersecurity Assurance Branch in CISA's Federal Network Resilience Division.

Simms said his agency is looking to see how TIC 3.0 can secure cloud environments. "We don't only have to think about the network perimeter, or the network traffic, but about the applications themselves and how we can be smart about employing technologies to secure those application stacks and data and monitoring."

CISA, GSA and the Chief Information Security Officer Council are developing TIC 3.0 pilot programs and use cases for specific applications, said Shawn Connelly, TIC program manager and senior cybersecurity architect at CISA. The current use cases cover infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), email-as-a-service (EaaS) and platform-as-a-service as well as branch office applications, but, according to Connelly, agencies can suggest more.

"TIC 3.0 gives agencies room to get on pilots for new interpretations" for use cases, he said. CISA will work with the agency during the pilot period to develop best practices, make the application interpretation more vendor-agnostic and see how it might be used across the federal government.

CISA, said Connelly, is currently talking to agencies about a zero-trust use case and a partner-collaboration use case.

"The model for the data center being the center of the universe is quickly going away," he said.