White House updates Trusted Internet Connection policy

Federal CIO Suzette Kent announced the final release of a TIC update designed to accommodate cloud and managed services.

 

The White House released a new Trusted Internet Connection policy Sept. 12 to bring the rules governing how federal agencies connect to the internet in line with current cloud and managed services technology.

The new policy "includes pathways to take advantage of modern technology and capabilities and software that wasn't even imagined when that original policy was written," Federal CIO Suzette Kent said at a FedScoop event. The TIC policy, she said, was the final major technology policy rewrite of rules that were more than five years old.

Under the new guidance, agencies are expected to have updates to their network policies completed within one year.

The traditional TIC policy was designed to reduce and consolidate agency connections to the internet and manage connections emanating from a single building or office. As a practical matter, this policy set up a series of checks and blocks that introduce latencies that work against the speed and scale of cloud.

"Today, government traffic runs through an open internet connection and a virtual private network client," Stephen Kovac, vice president of global government and compliance at Zscaler, wrote in an April 2019 op-ed in FCW. "It then travels back through the agency data center and a stack of on-prem security devices, and out through the TIC, where it traverses another stack of security appliances to its final destination -- sites in the open internet."

The new policy adds three new use cases to the traditional TIC. The cloud use case supports managed services in infrastructure, software, email and platform. A use case to support agency branch offices is designed to accommodate the use of Software-Defined Wide Area Network technology. The third is designed to support telework and advances how individual users outside a network perimeter connect to their agency's network and cloud.

Activity on the revised TIC policy will proceed along multiple lines. The Federal Chief Information Security Officer Council will put out a solicitation to industry for TIC pilots to put more detail and documentation on the individual use cases. The Department of Homeland Security, the General Services Administration and the CISO Council will manage those pilots. GSA will update key contracting vehicles to include new TIC policies.

Essentially, the move is a way to put managed services providers that service government agencies on the hook for collecting and managing security data.

"We are setting a set of outcomes—security outcomes and requirements for the cloud provider," Cybersecurity and Infrastructure Security Agency Director Chris Krebs said at a March 2019 House hearing. "[We're] saying, 'This is the kind of information we need. You guys need to send it back to us and then we can analyze it.'"

Krebs added: "We are ultimately going to shift from a model where we own the infrastructure, we own the sensors and instead, we're putting out a baseline policy in a series of outcomes that we're looking to achieve and so we have everybody playing by our rules rather than we're doing the operations and maintenance on equipment…. Ultimately I think we're going to be more effective, I think we're going to be able to do it faster and I think we're going to be able to use the private sector's agility to get better security."