The Office of Management and Budget (OMB) recently released the finalized Trusted Internet Connections (TIC 3.0) guidance, removing a significant barrier to agency modernization.
The original intent of the TIC policy, launched more than a decade ago, was to standardize security of external connections to government networks. The policy requires all federal internet traffic to run through a TIC with a standard set of firewalls for agency security.
But as agencies have moved more applications and infrastructure to the cloud and leveraged data from IoT, AI, and other emerging technologies, TIC and Managed Trusted Internet Protocol Services (MTIPS) infrastructures have had difficulty managing the increased bandwidth requirements. Often, these issues have resulted in latency, connection problems, and reduced efficiency and productivity for federal missions.
Now, the finalized TIC policy provides a more flexible approach, inviting agencies to present their own solutions that take full advantage of cloud and modern technologies while meeting the original spirit and intent of the TIC requirements.
“It still requires agencies to meet all the security requirements that have always been a priority and are even more of a priority now,” Suzette Kent, Federal CIO, OMB, said at an event on Sept. 13. “But it includes new pathways to take advantage of modern technology, the capabilities of software that wasn’t even imagined when that original policy was written.”
Unique Solutions from Use Cases
An important addition to the policy is the inclusion of three use cases that go beyond the traditional TIC and address the unique security and performance requirements of agencies – including cloud, agency branch offices, and remote users.
This is a step forward for agencies to be able to address problems in their current TIC environments and begin developing alternative security and network access controls for TIC 3.0.
Government will need to continue to develop this centralized catalog of use cases, so agencies can review results for environments with security requirements similar to their own. The new use cases should help agencies eliminate costly appliances, reduce latency, provide opportunities to strengthen cybersecurity, and improve user experience and productivity.
The Cloud Effect
Cloud service providers that operate multi-tenant clouds can offer agencies an important benefit – the cloud effect – which allows these providers to globally push hundreds or thousands of patches a day with security updates and protections to every cloud customer and user.
As industry comes forward with different TIC solutions, we need to be wary of lift-and-shift approaches to cloud. Agencies that move a physical TIC to the cloud will find they’re simply moving their current data center challenges to the cloud.
Instead, solutions should move TIC functions away from perimeter-based, single-tenant appliances to a multi-tenant cloud security stack that can scale to meet the needs of the agency.
Agencies should also consider how their updated TIC 3.0 solution can provide an opportunity to modernize security and access controls. Security models like FedRAMP-certified zero-trust solutions provide secure access by granting access to data and systems only to authorized users. This can protect critical data while meeting the requirements of the TIC guidance.
A Final Policy Push
Going forward, the Federal Chief Information Security Officer (CISO) Council will review TIC pilot proposals. The Department of Homeland Security (DHS) and OMB will review pilot results for TIC use cases through Federal Information Security Modernization Act (FISMA) reporting.
Agencies have a one-year target to update network and system boundary policies for TIC 3.0. This process will be critical to confirm that solutions meet the requirements of the TIC 3.0 policy as agencies implement new ways to reduce IT costs and improve customer experience for users across government.
TIC 3.0 isn’t a silver bullet to fix every cloud challenge. But it opens the door to progress by expanding cloud security options and encouraging agencies to share use cases for improved transparency into what does and does not work.