In the government’s move to the cloud over the last five years, one outlying cybersecurity question no one has been able to answer well is: How does the Federal Risk Authorization and Management Program integrate with the Trusted Internet Connections (TIC) initiative?
This challenge became greater as mobile devices quickly rose in prominence in the day-to-day lives of nearly every federal worker.
The default approach required federal workers to go through their agency’s secure Internet gateway or TIC to get to cloud services.
That approach was clunky, to say the least, and reduced the major benefit of cloud computing — easy access to data and apps.
But now the Homeland Security Department and the FedRAMP program management office have an idea on how to fix the problem.
“This new approach uses the FedRAMP framework to allow cloud service providers (CSPs) to demonstrate their ability to provide the TIC required controls, which enables agencies to enforce the TIC capabilities,” said a draft TIC-FedRAMP overlay document released April 2. “To do this, the TIC capabilities have been mapped to the FedRAMP security controls through a DRAFT FedRAMP-TIC Overlay. CSPs will be able to use this overlay during a FedRAMP security assessment to prove they can provide agencies with the ability to enforce TIC capabilities for mobile users.”
FedRAMP and DHS, which runs the TIC program, detailed the draft process by which cloud service providers can demonstrate they are “TIC ready.”
DHS and FedRAMP want comments on the proposal no later than May 2.
The overlay crosswalks the TIC 2.0 requirements with the FedRAMP standards, and adds new ones where appropriate.
DHS and FedRAMP say cloud service providers will need to be able to:
- Document how the cloud security requirements are met
- Document how TIC capabilities are met for connections coming from a federal network, and an alternative approach for mobile users
- Demonstrate compliance with both FedRAMP and TIC through one combined assessment
- Receive approval from a third-party assessment organization (3PAO) for the combined TIC/FedRAMP compliance
- Receive an authority to operate from the Joint Authorization Board or from an agency authorizing official
- Have DHS deem the cloud service “TIC ready” based on the 3PAO review
“The release of this DRAFT overlay is the first step in providing finalized guidance for the ultimate completion of a FedRAMP-TIC overlay,” the document stated. “The TIC Initiative will be working concurrently with federal departments and agencies through the Information Security and Identity Management Committee under the CIO Council to vet these requirements and make any necessary updates to the TIC Reference Architecture v2.0 over the coming months.”
The need to integrate TIC and FedRAMP is one of several ways the program management office is answering the growing demand for secure cloud services.
The PMO announced late last year that it was developing a Federal Information Security Management Act (FISMA) “high” baseline. The PMO released the draft high baseline for comment in January.
Additionally, FedRAMP relaunched and updated its website and added new training to better educate users and vendors alike on the cloud security authorization process.
As for TIC, it has been one of the most successful cybersecurity programs. In its latest FISMA report to Congress, the Office of Management and Budget reported that in fiscal 2014 agencies passed 95 percent of their traffic through a TIC or an equivalent Managed Trusted Internet Protocol Services (MTIPS) provider. Additionally, OMB says 92 percent of all agencies implemented TIC 2.0 capabilities, up from 87 percent in 2013.
“The coordination of these two programs will provide for the security of data within cloud environments and the security of the network connections between agency networks and cloud services,” the draft document stated. “This DRAFT overlay is the first step in updating TIC’s current reference architecture to allow agencies greater flexibility as they move to securely adopt cloud solutions. It is the first overlay the FedRAMP PMO is releasing as part of FedRAMP Forward.”