They must report to OMB plans for cutting external connections.
Agencies must by April 15 detail for the Office of Management and Budget their final road map to fewer external connections to access the Internet under the Trusted Internet Connections (TIC) initiative.
Agencies then will provide a statement of their capabilities and updated plans and actions to reduce the number of external connections, said Wendy Liberante, OMB’s program officer for the TIC initiative. By May 1, agencies that need more access will submit their justification for more access points than the recommended two or three.
OMB outlined in November the need for fewer external connections to the Internet to protect agency data. OMB plans to limit agencies to a total of 50 gateway connections from the more than 1,000 now in use. Agencies have a target date of June 30 to consolidate and reduce the number of connections. OMB is working with agencies, Liberante said April 1 at the 2008 FOSE event sponsored by FCW’s parent, 1105 Government Information Group.
“It’s going to be a back-and-forth conversation with OMB,” she said. “It’s a holistic view that we’re asking agencies to take,” she said, about incorporating other security and privacy directives mandated by OMB.
To protect sensitive data from flexible adversaries, agencies can’t have an unlimited number of external pathways to the Internet, said Randy Vickers, associate deputy director of the U.S. Computer Emergency Readiness Team (US-CERT) in the Homeland Security Department. Instead, agencies can channel or re-direct connections through a smaller set of portals. Users should not be aware of the reduced number of portals, he said.
“To watch a network, you have to control it,” Vickers said. With fewer external connections, agencies will be better able to watch and analyze traffic in and out of their networks.
The Health and Human Services Department previously reduced its external connections from more than 40 to 16, said Michael Carleton, HHS chief information officer.
“It was a success because nobody knew,” Carleton said. It will be harder to decrease those external connections from 16 to two or three.
However, the TIC initiative presents decisions for agencies to make that also influence other policies they must adopt, Carleton said. He plans to use HHS’ move to the General Services Administration’s Networx telecommunications contract to implement the architecture for fewer Internet gateways. Under the Networx option, HHS will go live with its Trusted Internet Connection in April 2009, he said.
Networx vendors qualify as TIC providers. HHS could implement TIC faster under the current but expiring FTS-2001 telecommunications contract, but Networx will provide more capabilities, Carleton said.
In relation to TIC and Networx, HHS will incorporate the mandate to use IPv6 on backbone networks and infrastructure optimization under OMB’s Information Technology Infrastructure Line of Business.
“Here is a way to integrate these and put them on a schedule,” he said.
The TIC requirement may provide security controls for agencies just by consolidating the number of external connections, Carleton said.
“TIC serves as a set of controls that wasn’t there before," Carleton said. "They allow them to either reduce residual risk that we’re accepting already or rely on the TIC as a control in place of those controls for which they used to spend more time on than they will have to on the TIC. There are still judgments to be made on how much you’ll be able to rely on it.”