How OMB’s new cyber policy will lift the albatross off of the cloud


The cloud has been held up by two administrations and by contractors for eight years now, first with promises of cost savings, then of more capabilities for the same money, then of better cybersecurity, and now of all of the above.

No one argued in 2007 that the Trusted Internet Connections (TIC) initiative wasn’t a good one when the Office of Management and Budget issued it. Agencies were in the dark about how many internet gateways existed and where.


But TIC and the cloud are like oil and water. TIC and the cloud are like pizza and pineapple. TIC and the cloud are like — well, you get what I’m saying, they don’t work well together.

TIC has been the albatross hanging around the cloud’s neck for much of the past eight years.

That is all about to change. OMB issued the updated draft TIC policy Friday to remove the real or imagined barriers that the 11-year-old policy created, barriers that many said made it harder for agencies to move to the cloud.

“This memorandum affirms that agencies may use modern and emerging technologies to meet TIC initiative requirements,” OMB writes in the draft policy. “The Department of Homeland Security (DHS) will define TIC initiative requirements in documentation called TIC Use Cases. The TIC Use Case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific instances where traffic is not required to flow through a physical TIC access point. The capabilities used to meet TIC Use Case requirements may be separate from an agency’s existing network boundary solutions provided by a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS).”

The proposal outlines four possible use cases:

  • Cloud—infrastructure-, email- and software-as-a-service.
  • Agency branch office—an office outside headquarters that relies on the main office for IT services. This use case supports agencies that want to adopt Software-Defined Wide Area Network (SD-WAN) technologies.
  • Remote users—users connecting to the agency's traditional network, to the cloud and to the internet using government-furnished equipment from outside the traditional boundary.
  • Traditional TIC—instances not covered by the other DHS use cases. Agencies must continue to follow the traditional TIC use case for these, which may include using TICAP and MTIPS providers.

“The expectation is that the process described … in this memorandum results in the continuous improvement and development of updated TIC Use Cases that account for emerging technologies and evolving cyber threats,” the draft memo states. “Given the diversity of platforms and implementations across the federal government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for governmentwide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite of capabilities).”

The use cases, particularly the one for cloud services, came from pilots conducted by the Small Business Administration and the departments of Energy and Justice.

Agencies would have a year from the date the policy is finalized to move to the new TIC requirements. DHS and GSA also will develop a compliance verification process for each use case.

Expanding what counts as a high value asset

At the same time, OMB updated another policy—this one in final form—for how agencies should protect high value assets going forward.

The HVA policy, signed by OMB Director Mick Mulvaney on Dec. 10, expands the concept of which “crown jewels” agencies should consider protecting first and foremost. The guidance requires more governance, bringing in mission owners and other non-C-level executives, and lets agencies use private sector experts to assess the protections around HVAs and report back to DHS.

“On the first pass, we identified some data sets but we didn’t include all agencies, only the CFO Act agencies,” said Suzette Kent, the federal chief information officer, at the Center for Strategic and International Studies (CSIS) on Dec. 12. “And when we said value, we didn’t look at value in a full comprehensive manner. That is what the new policy actually does.”

The HVA memo also requires agencies to have remediation plans for any vulnerabilities found in HVA data or systems. These plans must have support not only from DHS but also from the agency's resource management officer at OMB, and they should be coordinated across other agency leadership using a risk-based approach.

“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the federal enterprise and the measures available to mitigate those risks,” the policy states.

The HVA and TIC policies are the last two of the four that OMB set out to modernize in 2018, and in many ways they are the linchpin for further progress in 2019 and beyond.

“Modern technology requires modern policy. Over the last 10 months we’ve had our own set of policy sprints,” Kent said at the ATARC IT modernization summit. “In reflection, 2018 was a year of action. Part of my challenge of being here over the last 10 months was to build a relationship and roadmap for partnering with the agencies to deliver on those lofty expectations that we were given in the technology community both by the administration and by Congress.”

Two policies still in draft

Kent highlighted these and other successes last week in something of a celebration of all that OMB, the CIO Council and agencies accomplished in 2018.

There still is a lot left to do. OMB must finalize three of the four policies it issued in draft earlier this year. Kent said OMB received more than 500 comments on the identity management policy it released in April.

“What we are looking at doing is emphasizing identity-centric perspective for how we manage devices and person and non-person devices. That’s really important as we think about how we go forward with using automated technologies,” Kent said at the ATARC event. “Your comments back also helped us recognize we need to be more definitive about roles and responsibilities between NIST, GSA, OPM and DHS. That is what we have been spending our time doing and making it clear who owns what in the identity equation.”

The Cloud Smart draft policy from September received 41 comments. Kent said the goal of the draft policy was to link all the pieces together: workforce, procurement, cybersecurity and how agencies obtain authorities to operate.

“We are strongly encouraging agencies to complete an application rationalization,” Kent said. “If you haven’t looked at your whole landscape and know where you are going, then you aren’t going to be making the best long-term strategic decisions.”

And Kent will be far from done once those policies are finalized. She said a new policy on robotics is coming to give agencies guidelines for how to use automated technologies.

If 2018 was widely considered a foundational year for IT modernization, then 2019 is shaping up as a year of implementation.
