cloud environment

Is TIC necessary for FedRAMP-approved apps?

Agencies shouldn’t have to use a trusted internet connection for accessing cloud environments that already have been approved by the Federal Risk and Authorization Management Program, according to International Trade Administration CIO Joe Paiva.

Connecting to cloud services like Amazon, Salesforce or Office 365 is no different than a teleworker accessing the office network or agencies connecting to data centers, Paiva told a crowd at the ATARC Federal Cloud & Data Center Summit on Aug. 3.

“The definition of what’s ‘my network’ has changed,” he said.

Users in the office are using transport layer security when they connect to the agency's Amazon cloud, he told GCN. Their data is "never passing through the untamed wild.” The applications that have been FedRAMP approved and have full authority to operate "run in my environment, they’re not external,” he added.

All of the traffic to the public internet will still go through the TIC, he said.

The Office of Management and Budget has mandated the use of TIC since 2007 to reduce the number of connections to the outside internet. When asked if this setup was ignoring the mandate, Paiva said it was not.

“I just interpret it the way I think it makes sense to be interpreted,” he said.

Acting Federal CIO Margie Graves recently said that the federal TIC policy is in the process of being modified to address latency issues caused by TIC architecture in hybrid environments.

Paiva, however, said his concerns with TIC aren’t with latency, but rather with cost.

TIC offers little if any added value in these instances, he said. If there is, it is “at best, some miniscule, marginal, unnoticable portion,” he said.

And that limited value comes at a big cost, he added:  “If you don’t know this, TIC is egregiously expensive.”

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at or follow him on Twitter @Matt_Lnrd.

Click here for previous articles by Leonard.

inside gcn

  • Google Map of free sandbags in Los Angeles

    When simple is best: Google Maps for disaster prep

Reader Comments

Tue, Aug 29, 2017 Fred

I think the issue of cost is valid. For example, federal agency A has a web server hosted in AWS. A request from the public can't go directly to AWS, but must pass through agency A, then to AWS, then back to A, then back to the requestor. So network traffic is at least doubled. It would be more efficient to allow traffic directly from the public to AWS. But this would require AWS being a TIC.

Mon, Aug 7, 2017 Badger

I think the critical item to note as part of this article is the use of business interconnect technologies. If you using AWS Direct Connect, Azure Express route and similar technologies for your cloud interconnects you CAN bypass TIC.

Sat, Aug 5, 2017 Jack

Mr. Paiva should reconsider his position. TIC is alive and well. Often it is the only frontline of edge monitoring many federal organizations have due to financial cuts. DHS monitoring is some of the best in the world and by not using TIC or MTIPS Mr. Paiva has opted out of this important level of protection. Every cloud provider who has achieved fedRAMP must provide the capability to enforce TIC through the TIC 2.0 reference architecture. The fact Mr. Paiva doesn't understand this value and approach leads one to consider he may not be using a sound security architecture to begin with.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group