TIC still tripping up agencies' cloud modernization efforts

The federal government is pushing to modernize its IT infrastructure of several fronts, but agencies are still struggling with conflicting goals like cloud adoption, telework policies and Trusted Internet Connection compliance.

At a March 15 event hosted by CA Technologies, a White House official said the Trump administration expects the push for IT modernization to last at least a decade, and indicated the current team would spend its time in office setting up foundational pillars before handing the torch to another administration.

“It’s going to be time consuming, it’s going to outlast an administration, so we need to make sure we have the foundation in place so you can build upon that,” said Danielle Metz, senior policy advisor at the Office of Science and Technology Policy. “It’s not going to be a three-year plan, it’s going to be something significant, a decade or more.”

With that knowledge, the administration is attempting to ensure there is cohesion between long-term goals like cloud migration and cybersecurity, particularly the Trusted Internet Connection.

Federal officials are hoping the newest model, TIC 3.0, addresses that problem, but even a revamped policy will face some daunting challenges. The federal government relies on a dizzying number of cloud providers -- approximately 228 in all, according to DHS.

The administration’s IT modernization plan seeks to consolidate and improve acquisition of network services, including reducing the number of Internet access points. Previous versions of TIC were not designed with the cloud in mind, and the administration’s plan calls for agencies to implement rapid updates to their TIC policies to facilitate greater cloud migration by June 30.

Stephen Kovac, vice president of global government compliance at Zscaler, told FCW that while the government needs trusted internet access points, the TIC framework predates the federal government’s 2010 “cloud-first” policy and was developed at a time when policymakers had no idea how prevalent the cloud would be in the public sector.

“When we first talked about TIC, people would have laughed at you if you said government was going to put their data in the cloud, much less process it in the cloud or where we are today,” said Kovac. “There were no issues with latency, nobody talked about the Trombone Effect.”

The federal government’s increasing reliance on remote employees also presents a challenge. The 2010 Telework Enhancement Act required all executive agencies to establish telework policies and train agency leaders on how to manage a remote workforce. A 2017 audit by the Government Accountability Office found that the number of federal employees participating telework programs grew from 300,372 in 2012 to 427,450 in 2015. While Congress is asking questions about teleworkers' efficiency and supervision, those numbers are expected to keep rising as the federal government and private sector continue to virtualize their operations. The circuitous route their data must flow under current TIC policies is a case study in how TIC and cloud conflict.

“If you look at agencies today, most of these people are carrying around laptops and tablets,” Kovac said. “They’re not sitting at their desks.”

Today, cloud migration is an essential component of most agency modernization plans. So the contradiction between the government dramatically reducing the number of internet access points while also ramping up cloud adoption -- which in part relies on leveraging many access points for efficiency and speed -- has left IT leaders at some agencies scratching their heads. Rod Turk, chief information security officer and acting CIO at the Department of Commerce, said the push for cloud adoption and compliance with previous versions of TIC was causing tension among agency CIOs. As an example, he pointed to data compiled by Census workers using electronic handheld devices.

“When you have all this traffic moving back and forth, how do you run it through a Trusted Internet Connection? Because we’re using a cloud-based solution to gather data,” said Turk.

The Department of Homeland Security is overseeing compliance with TIC 3.0. At a March 15 meeting of the Information Security and Privacy Advisory Board, DHS officials said they were still processing feedback from a series of agency pilots identifying cloud solutions that were running into hurdles based on TIC policy. Those pilots wrapped up on March 2, and DHS is now sorting those projects into low-, medium- and high-risk categories to inform agency decision making.

As a potential workaround, DHS is exploring other ways to monitor connections from cloud-based systems. Sean Connelly, cybersecurity architect at DHS, indicated that in certain areas, cybersecurity programs like EINSTEIN and Continuous Diagnostics and Mitigation may be better suited for monitoring cloud-based traffic.

“How TIC evolves and where there is data that is going to be architected in the cloud, there’s expectations that the CDM program would be able to monitor that data…probably better than TIC can at this point,” said Connelly.

Editor's note: This article was changed April 3 to correct the spelling of Stephen Kovac's name.