Cloud Smart strategy updates TIC policy
- By Derek B. Johnson
- Jun 25, 2019
The finalized Cloud Smart strategy doesn't offer much new over the draft released for comment in September 2018, but the Office of Management and Budget wants to retool security to provide flexibility for cloud access.
One big push is to update the Trusted Internet Connection policy that governs outbound agency network traffic. For years the federal government has looked for ways to harmonize its seemingly contradictory TIC and cloud policies, seeking the organizational security benefits of limiting internet access points while also migrating IT infrastructure to the cloud, which leverages multiple access points.
The "once useful" TIC is now "inflexible and incompatible with many agencies' requirements," the Cloud Smart strategy says, and the maturity of the private cloud market as well as an expected increase in telework means the model originally laid out in 2007 will soon become obsolete to federal IT operations.
TIC has undergone a number of revisions, and officials at the Department of Homeland Security who run the program have told Congress that setting security requirements and outcomes for cloud providers, rather than routing traffic through prescribed access points, is a better policy moving forward. According to the Cloud Smart strategy, DHS is piloting "newer, less rigid approaches" with a number of agencies that comply with this policy and could make it easier for programs like EINSTEIN to use the added computing power to detect and prevent intrusions.
An update to the policy, including alternative models to the TIC architecture, is due from DHS within six months.
A longer version of this article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.