“[T]his memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities,” states the memo from Margaret Weichert, OMB’s deputy director for management. “This memorandum also establishes a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.”
OMB issued the first TIC policy in 2007 in an attempt to reduce the number of internet connections agencies have and put more security in between federal networks and the public internet.
Over time, however, TIC became an obstacle for agencies to use cloud services.
“TIC 3.0 is an important step forward. Legacy TIC/ Managed Trusted Internet Protocol Services (MTIPS) infrastructure can’t handle cloud smart bandwidth requirements,” said Stephen Kovac, the vice president of global government and compliance at Zscaler, in a statement to Federal News Network. “The flexible new guidelines encourage agencies to innovate and thankfully moves us away from a one-TIC perimeter-based solution fits all approach.”
In the new memo, OMB rescinded four TIC memos dating back to 2007 and detailed the new approach based on four use cases.
“TIC use case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific scenarios in which traffic may not be required to flow through a physical TIC access point,” the memo states. “To promote flexibility while maintaining a focus on security outcomes, the capabilities used to meet TIC use case requirements may be separate from an agency’s existing network boundary solutions provided by a Trusted Internet Connection Access Provider (TICAP) or MTIPS. Given the diversity of platforms and implementations across the federal government, TIC Use Cases will highlight proven, secure scenarios, where agencies have met requirements for governmentwide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite), without being required to route traffic through a TICAP/MTIPS solution.”
Cloud: Infrastructure-, email-, platform- and software-as-a-service.
Agency branch office: Where the office is outside of headquarters, but uses the main site for IT services. This use case supports agencies that want to enable Software-Defined Wide Area Network (SD-WAN) technologies.
Remote users: For users connecting to the agency’s traditional network, cloud and the internet-using government-furnished equipment from outside the traditional boundary. This use case is an evolution of the original FedRAMP TIC Overlay (FTO) activities.
Traditional TIC: This use case is for instances not covered in other Department of Homeland Security examples and agencies are required to continue following the traditional TIC use case, which may include agency use of TICAP and MTIPS providers.
“This has been a long time in coming and a document that has been needed and asked for by agencies so they can modernize the way they protect their networks. It allows for the acquisition and use of new technologies that enable more rapid cloud adoption,” said Ross Nodurft, a former OMB unit chief for the cyber and national security unit and now senior director for cybersecurity services at Venable. “What this does is alleviate risks for agencies because not only does it rescind old guidance, but OMB also authorizes the flexibility to implement some of the technology out there that agencies have been wanting to implement and have been piloting.”
Nodurft said the new policy creates a less risky environment and is a strong signal from OMB to move to the cloud in a more meaningful way that doesn’t have to be based on a specific architecture.
“It gives agencies the ability to innovate smartly as they move to new network architectures,” he said. “This memo opens up the aperture to do that.”
Zscaler’s Kovac added the memo also is a signal to industry to come up with different options for how to deliver these security services.
“Be wary of lift-and-shift approaches. You don’t want to move your challenge from the data center to the cloud and miss the opportunity to improve security and user experience,” he said. “Simply virtualizing a physical TIC ultimately makes the problem worse — agencies need multitenant cloud security stacks built to scale up and down on demand. Agencies must take advantage of the ‘cloud effect’ which allows cloud service providers to globally update hundreds of patches a day with lessons learned from their cloud platforms across the globe.”
For some agencies, it may take a few months to begin to feel the impact of the new policy.
OMB laid out five milestones it wants to accomplish over the next 60 days and one more with a 90-day timeline.
Among the 60-day deadlines are:
The Federal Chief Information Security Officer (CISO) Council shall solicit and review agency and industry TIC pilot proposals on an ongoing basis, participate in the approval process for updates to TIC use cases and other TIC reference architecture documentation, and establish the timeline for DHS to review pilot results and approve updates to TIC use cases and other TIC documentation.
GSA shall update governmentwide procurement vehicles, as appropriate, within 6 months of the approval of new TIC use case requirements and other TIC reference architecture documentation.
Additionally, OMB is giving agencies a year to update their own network and system boundary policies to reflect TIC 3.0 and identify use cases that they will use.
“OMB and DHS will track agency implementation through Federal Information Security Modernization Act of 2014 (FISMA) reporting,” the memo states. “In order for TIC program updates to achieve the goal of diversifying technology options for agencies while retaining strong protections for Federal systems and information, OMB, DHS and the agencies themselves, need to have details of the technologies and defenses deployed across federal networks. As such, agency chief information officers shall maintain an accurate inventory of agency network connections, including details on the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection in the event OMB, DHS or others request this information to assist with governmentwide cybersecurity incident response or other cybersecurity matters.”