TIC 3.0 Opens Door to Agency Modernization Opportunities

The Office of Management and Budget (OMB) recently released the finalized Trusted Internet Connections (TIC 3.0) guidance, removing a significant barrier to agency modernization.

The original intent of the TIC policy, launched more than a decade ago, was to standardize security of external connections to government networks. The policy requires all federal internet traffic to run through a TIC with a standard set of firewalls for agency security.

But, as agencies have moved more applications and infrastructure to the cloud and leveraged data from IoT, AI, and other emerging technologies, TIC and MTIPS infrastructures have had difficulty managing the increased bandwidth requirements. Often, these issues have resulted in latency, connection problems, and reduced efficiency and productivity for federal missions.

Now, the finalized TIC policy provides a more flexible approach, inviting agencies to present their own solutions that take full advantage of cloud and modern technologies while meeting the original spirit and intent of the TIC requirements.

“It still requires agencies to meet all the security requirements that have always been a priority and are even more of a priority now,” Suzette Kent, Federal CIO, OMB, said at an event on Sept. 13. “But it includes new pathways to take advantage of modern technology, the capabilities of software that wasn’t even imagined when that original policy was written.”

Unique Solutions from Use Cases

An important addition to the policy is the inclusion of three use cases that go beyond the traditional TIC and address the unique security and performance requirements of agencies – including cloud, agency branch offices, and remote users.

This is a step forward for agencies to be able to address problems in their current TIC environments and begin developing alternative security and network access controls for TIC 3.0.

Government will need to continue to develop this centralized catalog of use cases, so agencies can review results for environments with security requirements similar to their own. The new use cases should help agencies eliminate costly appliances, reduce latency, provide opportunities to strengthen cybersecurity, and improve user experience and productivity.

The Cloud Effect

Cloud service providers that operate multi-tenant clouds can offer agencies an important benefit – the cloud effect – which allows these providers to globally push hundreds or thousands of patches a day with security updates and protections to every cloud customer and user.

As industry comes forward with different TIC solutions, we need to be wary of lift-and-shift approaches to cloud. Agencies that move a physical TIC to the cloud will find they’re simply moving their current challenges in their data center to the cloud.

Instead, solutions should move TIC functions away from perimeter-based, single-tenant appliances to a multi-tenant cloud security stack that can scale to meet the needs of the agency.

Agencies should also consider how their updated TIC 3.0 solution can provide an opportunity to modernize security and access controls. Security models like FedRAMP-certified zero-trust solutions provide secure access by only granting authorized users access to data and systems. This can protect critical data while meeting the requirements of the TIC guidance.

A Final Policy Push

Going forward, the Federal Chief Information Security Officer (CISO) Council will review TIC pilot proposals. In addition, the Department of Homeland Security (DHS) and OMB will review pilot results for TIC use cases through Federal Information Security Modernization Act (FISMA) reporting.

Agencies have a one-year target to update network and system boundary policies for TIC 3.0. This process will be critical to confirm that solutions meet the requirements of the TIC 3.0 policy as agencies implement new ways to reduce IT costs and improve customer experience for users across government.

TIC 3.0 isn’t a silver bullet to fix every cloud challenge. But it opens the door to progress by expanding cloud security options and encouraging agencies to share use cases for improved transparency into what does and does not work.

Stephen Kovac
Stephen Kovac is Vice President, Global Government, Head of Corporate Compliance at Zscaler, Inc. Stephen has responsibility for overall strategy, productizing, and certification of the Zscaler platform across all global governments. He also runs the global compliance efforts for all of Zscaler. His primary focus in recent years has been FedRAMP, TIC/MTIP Policies, and ZTN for Federal. Under Stephen’s leadership, Zscaler became the first FedRAMP certified ZTN Platform and Secure Web Gateway. He is a 27-year veteran of the information technology and security industry with extensive experience in public sector and compliance. Prior to Zscaler, Stephen served as EVP of Strategy and Public Sector for VAZATA, a FedRAMP certified cloud provider. He also served as VP/CSO for BT Security, Vice President at Terremark Federal, a Verizon Company, and as Vice President of Verizon Public Sector. Mr. Kovac is a frequent speaker on the federal circuit, blogger, and highly quoted author on federal security and certifications.