SBA, Justice, Energy innovate to deal with a 10-year-old cyber policy

Few would argue that among the most frustrating of all the cybersecurity requirements agencies must adhere to is the Trusted Internet Connections (TIC) initiative.

While maybe some vendors will tell agency chief information officers meeting the requirements under TIC isn’t difficult, it would be hard to find an agency CIO who agrees.

This is why so many CIOs are waiting with bated breath for the Office of Management and Budget to finalize new TIC policy and requirements.

Be sure it’s coming as Federal CIO Suzette Kent said the TIC policy is one of several updates expected in the coming weeks.

Federal CIO Suzette Kent

Before we jump into what this new policy may look like, let’s go back in time. OMB launched TIC in 2007 around the concept of reducing the number of internet access points and then putting advanced software tools to monitor traffic coming in to and going out of agency networks.

But a lot has changed in federal technology over the past 11 years and many say the old policy is causing more problems than it’s solving, including making the full adoption of cloud services much more difficult than it needs to be.

“The goal of TI was simple, but it was about network as the boundary,” said Susie Adams, CTO of Microsoft federal, in an interview. “Now the network isn’t the boundary anymore so what are you trying to protect against? Clearly there are legacy systems that need to be protected against threats on the internet, but when it comes to cloud the edge really moves. There is no edge anymore. If you connect to multiple clouds like most are today, how will they manage that environment? That is the real problem and TIC wasn’t built to address that problem.”

Adams said as TIC merges into the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program, agencies are struggling to follow best practices where they focus on the application layer and use machine learning and artificial intelligence to monitor potential and real threats.

DHS and OMB recognized this problem and kicked off several pilots for how TIC could be upgraded.

SBA pilots new approach to TIC

The Small Business Administration was one of those agencies and recently finished its test and sent the results to OMB.

Sanjay Gupta, the SBA CTO, said at a recent cyber event sponsored by FCW, that the 90-day pilot fully integrated with CDM tools to meet the requirements of the policy but without the challenges that usually come with TIC, such as latency and complexity.

“We have out of the box functionality and when we demonstrate it to DHS, they were impressed that we have full visibility into our network,” Gupta said. “Our goal was to improve the cyber posture of SBA. We have one set of tools that oversee our entire IT environment.”

Advertisement

Guy Cavallo, the SBA deputy CIO, said the agency took cloud security tools to look at on premise and cloud network services.

“We are not matching control by control of the current on-premise TIC or CDM requirements,” he said. “We are getting alerts when people sign in from weird places or other potential threats.”

Cavallo said SBA also has to manage fewer tools, which means fewer things to patch and using 100 percent of the functionality of each tool instead of 5 percent-to-10 percent functionality of 30 tools.

Gupta said SBA has provided details of its TIC pilot to about 30 agencies where 300-to-400 people have seen their demonstrations.

While Cavallo and Gupta couldn’t offer to many more details about SBA pilot as they are waiting for OMB’s final comments, Microsoft issued a blog in June that captures more than enough basics to understand the pilot.

“SBA is using modern tools through the Azure security center. These are cloud tools to gather analytics that look at the metadata. We can tell if a user’s identity has been compromised, we can flag it and the ask administrator to look at it. They can then ask the person to reset their password,” Adams said. “There are modern ways to look at the hygiene of systems, making sure they are patched and looking at it from digital state perspective. This is true if you are managing across multiple clouds. SBA is using modern technology to get more in-depth telemetry. The current TIC is only looking at net flow data, but through the pilot SBA has all kinds of data. It takes a lot more than TIC to manage on-premise and cloud assets. SBA took a real different approach to doing that.”

Energy, Justice find alternate approaches

Along with SBA, the Energy and Justice departments are taking on the challenge of the current TIC requirements.

Like SBA, Energy was a pilot agency. Max Everett, the Energy CIO, said he has been working with OMB and DHS to improve the TIC process especially as it relates to cloud services.

“We just wrapped up the first round of a pilot for cloud email where we were  looking at different options,” he said at the recent Tech Trends conference sponsored by the Professional Services Council. “We need security, but need to move forward with cloud and mobility so the TIC model and architecture has to change.”

Joe Klimavicz, the Justice CIO, said his agency moved to two TIC stacks and identical configurations for cloud services, one for Azure and one for Amazon Web Services.

“We have deployed a unique solution so our cloud is optimized under TIC. We go through the complete security stack and create a super highway to get to Internet providers,” Klimavicz said at the Tech Trends event. “We have a limited stack of security controls if we go to Azure or AWS where we know solutions are secure on the other end. There is no latency and you get some visibility into the traffic, which is great, but you don’t create any bottlenecks.”

Klimavicz said Justice is making it as fast and convenient as possible to get to the cloud services.

“The thing that a lot of folks are thinking about is having the cloud providers pick up a lot of the security controls,” he said. “It works great for the bigger players like Google, Amazon and Microsoft. But we want to be sure we can get to all the cloud service provider. We have over two dozen cloud service partners in Justice, and for the smaller ones, it’s a big burden to ask them to provide the security services. We like where we are right now.”

Beyond the new OMB policy that is expected “soon,” the work by SBA, Energy, Justice and others are changing how security experts think about cloud services.

Jim Quinn, the lead system engineer for the CDM program at DHS, said at the FCW event, the SBA’s success shifted their mindset around how to integrate cloud and CDM.

“Under TIC, we are trying to figure out how we are providing a shared network service as we face challenge of dealing with cloud. We became much less prescriptive with the DEFEND task orders,” he said.

Microsoft’s Adams said she expects the new TIC policy to be less prescriptive than the previous policy, and for OMB to rely more on the tools from CDM.

Now that Kent said the policy is imminent, relief from TIC for agencies can only be good news.

Read more of the Reporter’s Notebook