cloud-based security (Omelchenko/

How TIC 3.0 enables modernization

The latest generation of the Trusted Internet Connection (TIC 3.0) will make it easier for agencies to modernize as they move to the General Services Administration's Enterprise Infrastructure Solutions telecommunications contract, according to GSA and federal cybersecurity officials.

The next-generation secure internet connection model will help fire up the modernization potential of the General Services Administration's $50 billion, 15-year next-generation telecommunications contract,

"TIC 3.0 provides the agility that we need to move forward," said Allen Hill, director of the Office of Telecommunications Services in GSA's Federal Acquisition Services, during mid-November public meeting on the agency's $50 billion, 15-year Enterprise Infrastructure Solutions (EIS) contract.

The TIC effort, which aims to keep federal web traffic secure, began more than a decade ago, when agencies secured traffic with its scores of dedicated data centers, security devices and virtual private networks. Since then, federal agencies have pivoted to cloud technology with its more efficient, scalable and remote data transmission methods that render those older protections obsolete.

"The way TIC 2.0 worked doesn't adjust for modernization efforts," Hill said, particularly for federal agencies accelerating their plans to move to the cloud.

In September, the Office of Management and Budget released its first guidance update to its secure internet connection policy in over a decade. TIC 3.0 gives agencies more flexibility in how they connect to the net.

Incorporating TIC 3.0 into GSA's more-agile, next-generation EIS contract is critical, as the agency's older telecommunications contracts' TIC protections are showing their age, experts from GSA and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said at the meeting.

"TIC 2.0 had been one-size-fits-all security for internet connections," said Jim Russo, EIS Technical Director at GSA, "and that was [Managed Trusted Internet Protocol Service]."

The MTIPS solution for TIC compliance, although offered under EIS, is not sufficient for agencies' modernization efforts, particularly cloud services, according to Russo. "[It] was designed to solve a problem that a lot of agencies have," he said, but its current application is limited. "Once the network boundary has expanded from all premises-based network where an agency can easily tell where it begins and where it ends, to a more cloud-based, hybrid-based network," he said, TIC 2.0 can't adapt well.

EIS incorporates software-defined network services that dramatically expand network parameters as well. With an SDN, said Russo, TIC 2.0 "defeats the purpose."

TIC 2.0 won't allow SDN's diverse routing around network bottlenecks, and it constrains routes that can be used, he said. "TIC 3.0 will give you a lot of versatility and a lot more flexibility," he said.

"As cloud became key to modernization efforts," TIC 2.0 "became a limitation," said John Simms, deputy branch chief of the Cybersecurity Assurance Branch in CISA's Federal Network Resilience Division.

Simms said his agency is looking to see how TIC 3.0 can secure cloud environments. "We don't only have to think about the network perimeter, or the network traffic, but about the applications themselves and how we can be smart about employing technologies to secure those application stacks and data and monitoring."

CISA, GSA and the Chief Information Security Officer Council are developing TIC 3.0 pilot programs and use cases for specific applications, said Shawn Connelly, TIC program manager and senior cybersecurity architect at CISA. The current use cases cover infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), email-as-a-service (EaaS) and platform-as-a-service as well as branch office applications, but, according to Connelly, agencies can suggest more.

"TIC 3.0 gives agencies room to get on pilots for new interpretations" for use cases, he said. CISA will work with the agency during the pilot period to develop best practices, make the application interpretation more vendor-agnostic and see how it might be used across the federal government.

CISA, said Connelly, is currently talking to agencies about a zero-trust use case and a partner-collaboration use case.

"The model for the data center being the center of the universe is quickly going away," he said.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • senior center (vuqarali/

    Bmore Responsive: Home-grown emergency response coordination

    Working with the local Code for America brigade, Baltimore’s Health Department built a new contact management system that saves hundreds of hours when checking in on senior care centers during emergencies.

  • man checking phone in the dark (Maridav/

    AI-based ‘listening’ helps VA monitor vets’ mental health

    To better monitor veterans’ mental health, especially during the pandemic, the Department of Veterans Affairs is relying on data and artificial intelligence-based analytics.

Stay Connected