How TIC 3.0 will support agency modernization plans

Agencies and their chief information officers have been saying for years now that the Trusted Internet Connections requirement, first instated in 2007, is a major obstacle in their efforts to move to the cloud.

After the American Technology Council’s 2017 Report to the President on Federal IT Modernization called for TIC to be updated to support cloud migration and other new technologies, the Department of Homeland Security got to work on doing just that. Now it’s almost ready to reveal the fruits of its labors.

Mark Bunn, DHS’ TIC program manager, described some of the changes agencies can expect to see in TIC 3.0 during a Nov. 27 FCW webcast.

“One of the biggest changes we’ll be making is instead of having one large guidance document set that we call the TIC reference architecture, we’re actually going to divide up into multiple documents,” Bunn said. “This actually makes it easier to implement. So the most operational document piece of that is what we’re calling Use Cases and Overlays. At level, that’s where agencies will be working with us directly on a day-to-day basis. And that will present an example that has gone through a pilot at an agency. And it displays ‘this is how to implement this type of technology in a new way, and this is how to maintain your situational awareness for this type of technology.’”

For example, it will specifically discuss maintaining situational awareness in email as a service and infrastructure as a service environments.

“Most agencies talk about using one or two cloud service providers. In reality, that’s just not the case. On average, agencies utilize eight cloud service providers,” Bunn said. “Most of the time, they don’t realize ‘Oh, I’m using Salesforce,’ or something else. That is a cloud service. So there’s a lot of surprises when it comes down to how many cloud services an agency is actually using.”

In fiscal 2016, DHS identified 228 different cloud service providers being used by agencies, two-thirds of which are software as a service (SaaS). Those create a lot of challenges for network security, situational awareness and visibility, so SaaS became a major focus for TIC 3.0.

Risk management

Specifically, Bunn said big changes in TIC 3.0 will align with the National Institute of Standards and Technology's cyber framework and risk management framework.

It will also maintain one big list of security capabilities, and a process where each use case will have its own capabilities, since not every use case will require the full list. For example, agencies using email in the cloud won’t need to worry about using Managed Trusted Internet Protocol Services (MTIPS) email filtering; that’s already handled in the cloud by the cloud provider. 

DHS is also striving for more flexibility in TIC 3.0, Bunn said, since that’s been one of the main complaints he’s heard from agencies. So there will be capabilities agencies can implement in order to support new technologies like microsegmentation and software-defined networks. The new guidance will include use cases for how to do that.

“You’ll hear us use terms like trust zones. That’s really to support the new technologies in a way that still allows a traditional TIC implementation,” Bunn said. “So that way you can still be fully TIC compliant as part of your network going through an MTIPS provider, another part using a software-defined WAN or LAN technology, maybe another part using a zero-trust network or microsegmentation. We’ve really streamlined to hopefully make it simpler to implement new technologies rather than more complicated.”

And the General Services Administration’s Enterprise Infrastructure Solutions (EIS) contract will support these, from intrusion prevention services to expansions to managed security services, such as managed prevention, vulnerability scanning and incident response.

“One of the most exciting pieces of EIS for us is that it does allow the flexibility to add new capabilities in the future, as new technologies come out,” Bunn said. “Those can be added to the contract, and providers can start to provide those in a more uniform way.”

Bunn also said the TIC reference architecture will operate at a much higher level than the current reference architecture.

“One of the key things there is you’ll see patterns based on level of trust instead of connection classes,” he said. “Instead of having things like interagency connections and intra-agency connections, these will be much simpler in that you’ll see connections from a high trust environment to a medium trust environment.”

The overall goal of TIC 3.0 is to prepare for future iterations, so that DHS, the Office of Management and Budget and other stakeholders will be better positioned to drop current or add new capabilities as the technology environment changes and evolves.

“The last thing that we want to do is make assumptions on what’s going to happen in the future, because technology is constantly changing,” Bunn said in January. “Our environments are constantly changing. How we operate is also constantly changing.”