TIC pilots help solidify cloud policy
- By Derek B. Johnson
- May 15, 2020
The Trusted Internet Connection (TIC) pilots taking place within federal agencies will better flesh out roles and responsibilities for safely navigating government cloud programs, according to Cybersecurity and Infrastructure Security Agency TIC Program Manager Sean Connolly.
"We hope [that clarity] comes out of those type of pilots and those use cases that we'll be moving forward with," Connolly said during a May 12 web event hosted by Government Executive Media Group.
In December 2019, CISA released five volumes of updated guidance for TIC, including a framework for conducting pilots that, if successful, could eventually be adopted as use cases for other federal agencies to follow.
That guidance had both explicit and implicit goals. The explicit goals were ensuring network consolidation across federal agencies, standardizing security and providing CISA with a platform to deploy sensors and gain situational awareness. The implicit goal was to give agency CIOs and CISOs a "hammer" to shape their own internal security missions and, by extension, serve CISA's larger goal of making federal networks harder to break into.
Along the way it has also helped to align TIC with other cloud security programs, like the Federal Risk and Authorization Management Program (FedRAMP). That move has provided agencies and vendors with some additional clarity, but, Connolly said, overlap issues must still be addressed.
"I think this is an evolving discussion, certainly between the vendors and agencies themselves. That level of trust is maturing, that level of roles, who is doing what has been clarified to a greater extent with each new FedRAMP package that comes out," he said. "At the same time, there is that concern … about where the delineations are between the two programs."
Thus far, the Departments of Justice, Energy and State as well as the Small Business Administration have been publicly identified as agencies conducting pilots under TIC. Connolly said there are others, but declined to name them this early in the process. "For sensitivity reasons, we don't promote the pilots unless the agencies themselves [do]," he said.
The use cases will go through a rigorous review process, with CISA, the General Services Administration, Office of Management and Budget and vendors all having their say before they're formally approved by the Federal CISO Council.
Along the way the Department of Homeland Security has tweaked programs like TIC to ensure that cloud connections to the internet are secure without inhibiting agencies from taking advantage of the increasingly dominant cloud computing technology.
The possibility that many feds could continue to work from home and require remote access to agency systems might end up increasing cloud adoption.
At the same event, Tom Suder, founder and president of the Advanced Technology Academic Research Center, said that even as organizations have been gradually moving their IT systems and infrastructure to the cloud over the past decade, the pandemic has injected a new sense of urgency to expand and hasten those plans.
"Any kind of new capability should automatically be in the cloud. You can have microservices, you can even have your old legacy system for a while, but everything new has got to be in the cloud," Suder said.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.