Karen Evans | The straight story on OMB's Internet connection policy
GCN Interview: OMB's administrator for e-government and IT clarifies the goals of the Trusted Internet Connections initiative
- By Joab Jackson, Jason Miller
- Jan 03, 2008
In November, the Office of Management and Budget announced a plan to cut federal agencies' external connectivity points from about 1,000 to 50, including Internet connections (GCN.com/888). In the first half of this year, agencies must work together to establish a select number of shared-services nodes.
Karen Evans, OMB's administrator for e-government and information technology
By reducing the number of gateways, the government could better protect against security threats. But like any sweeping plan, the Trusted Internet Connections initiative has spawned misunderstanding. Some employees thought OMB wanted to cut their Internet access or take agency Web sites off-line. Karen Evans, OMB's administrator for e-government and information technology, met with editors from GCN and its affiliate publication, Federal Computer Week, to clarify TIC's goals.
GCN: THERE ARE LOTS OF MISPERCEPTIONS OUT THERE. HOW WILL THE INITIATIVE AFFECT AGENCIES AND THEIR EMPLOYEES?Evans:
You shouldn't notice it. Folks who are managing these services ' not the telecommunications services, but the online services like Web sites ' should not notice any difference. Most of this work will be done behind the scenes, and it could be as simple as changing an entry in a table to reroute traffic to a different place.
Where this really comes into play is how the department delivers its telecommunications services. Say, for example, the department has a very decentralized approach ' it is only managing Washington, D.C., telecommunications.
It may have 10 or 15 regional offices and allow those regional offices to do their own telecommunications. That's where this initiative is going to impact the department, because we're going to rely on the department to know its inventory and to decide how it will manage it. They will have to come up with a plan for how they are going to either collapse [their network] or partner with another agency. So this initiative is saying you have to know what you own in order to manage the risk to an acceptable level.
Everybody is focused on the 50, asking if 50 is enough. We know that 1,000 is too many, but we haven't necessarily said that 50 is the cutoff. What we're figuring is, at a minimum, it is probably around 50. Even if you did two per department it comes to around 50.
So what the Department of Homeland Security has done, and what most departmental CIOs have done, is [establish] the corporate wide-area network and let the component organizations and program organizations connect up, [but require that] they meet a certain threshold in order to connect.
So every department has to work out what are the corporate services and what will be the local services.GCN: WHAT DO YOU MEAN BY EXTERNAL CONNECTIONS? DO YOU MEAN A CONNECTION TO THE INTERNET?Evans:
Anything that is not internal. If you're an agency that is doing something that connects to another agency, that is an external connection. Now that may mean [after the consolidation] it may no longer be an external connection because now it is part of the internal [system]. If we work as one enterprise, then an agency-to-agency connection may be viewed as internal. You still have to meet certain rules of the road, but it is not the same as an external connection.
These 50 points of presence actually become the perimeter of the federal government.
Everything inside would be zoned. Say department A is getting service from department B, so department B will be looking at department A as a local-area network connection.
They would connect the same way you would make your component organization hook up [to the departmental WAN], except it would be bigger from that perspective. They are connecting up to a service provider. In this particular case, you are going through the agency as a service provider.
It may well be that everyone would say they really do have a legitimate business need [for more connections] and we agree that they probably should have these connections. But if you're going to have an external connection, the configuration has to be the same as everyone else's. It has to be monitored and managed in the same way.
We will still have to work out some of these governance processes. We would have [agencies] compete as in any other line of business to be a service provider for the gateway. Just like we did for the Federal Information Security Management Act reporting, agencies would compete against a known set of criteria.GCN: THE DEADLINE FOR ESTABLISHING THE GATEWAYS IS JUNE 2008 ' AROUND THE SAME TIME FOR HAVING IPV6 ON NETWORK BACKBONES AND MEETING HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12, AND A FEW MONTHS AFTER HAVING DESKTOP COMPUTERS MEET THE SPECIFICATIONS FOR THE FEDERAL DESKTOP CORE CONFIGURATION. HOW DO YOU SEE ALL THESE SECURITY INITIATIVES CONVERGING IN 2008?Evans:
The June 2008 date is not just haphazardly throwing another initiative on top of everyone. When you are looking at meeting that requirement, you don't want to do this in a vacuum. You have to have IPv6 running on your backbone networks as of June 2008, which allows you to do a lot of different things like addressing and [improved] security measures. And then you have HSPD-12, which [requires] two-factor authentication for coming into a network. Everyone will start using their cards to access their services, so you want to build that into your solution. And then people are buying equipment, so you want to make sure that is built into the plan.
So we sent out additional guidance to the agencies that gives some specificity of tying these things together through their enterprise architecture, making sure you are taking all these things into consideration and doing these things together and not separately.GCN: WILL THE GATEWAYS BE DISTRIBUTED BY GEOGRAPHIC REGIONS?Evans:
That is part of what needs to be determined by the [interagency working] groups. The big thing is that each agency doesn't have to do it on its own. It is not really about geographic location. You have to look at the network and network use. It's not like we're saying, 'Let's put 25 east of the Mississippi and 25 west of the Mississippi.' It's not what we are doing.GCN: WILL SOME AGENCIES WORK AS SHARED-SERVICES PROVIDERS?Evans:
They could. Small agencies could come in and connect through large agencies. I don't want to say this is the way it will work, but it could work. That is why we are working with the CIO Council to do that analysis.GCN: WHAT ABOUT OVERSEAS SITES? Evans:
That will have to be decided on an agency-by-agency basis. We have agencies that provide services overseas, and we have telecommunications services and rules on how that works. The State Department has been the lead on a right-sizing initiative for a while. That was part of the President's Management Agenda.GCN: WILL THERE BE FUNDING FOR THE INITIATIVE?Evans:
There will be more than enough money for this effort. This is not an unfunded mandate. What this will require agencies to do is to look at their priorities. So, say you run decentralized, you may want to start to look at the cost of how that decentralization works. If you look at what has been submitted in the president's budget for fiscal 2008, you would see that where we break out telecommunications infrastructure, there is $20 billion there.
There is more than enough money to do this. You just have to redirect your priorities.GCN: WHEN THE INITIATIVES ARE COMPLETED, WHAT WILL THE GOVERNMENT IT LANDSCAPE LOOK LIKE?Evans:
[Government employees] would be authenticating for services on a network through two-factor authentication. We would know who they were and they would be accessing things as approved. We would be managing our risk to an acceptable level while we will be continuing to see improvements to our citizen services. What we are trying to do is build public trust in our online services and improve how we do operations on the back end for our internal services