COVID-19 and the resulting surge in government telework is forcing agencies to reevaluate their network security architectures and make adjustments to their task orders under the $50 billion Enterprise Infrastructure Solutions contract.
The program team overseeing government’s sweeping telecommunications and network modernization effort is working closely with those authorizing cloud services and securing external connections to federal networks during the pandemic.
Agencies’ shifting cybersecurity needs require regular communication between the EIS program team and the Federal Risk and Authorization Management Program (FedRAMP) and Trusted Internet Connections (TIC) program management offices (PMOs).
“What’s encouraging to us now is a number of companies are coming to us, and they are telling us how they can provide solutions that meet both the FedRAMP and TIC requirements,” said Jim Russo, EIS technical lead at the General Services Administration, during an SNG Live event produced by FedScoop.
GSA doubled its network capacity when nearly all of its workforce moved to telework. Other agencies that did the same will need to make decisions about the percentage of their employees that need remote access when the pandemic ends and rearchitect their networks accordingly using EIS, Russo said.
FedRAMP and TIC both give agencies flexibility in determining the amount of risk they’re willing to accept when designing their networks. TIC 3.0 allows for distributed policy enforcement points for internet traffic, rather than one at headquarters, but agencies should “seriously consider” FedRAMP-authorized, cloud-based security services in addition to such solution sets, Russo said.
The Department of Homeland Security worked with FedRAMP to create an overlay in 2015 integrating TIC into the latter’s cloud security requirements. But the resulting pilots didn’t provide the “jump start” GSA was hoping for in allowing remote used direct access to the cloud while adhering to TIC requirements, Russo said.
So the EIS program team maintained “constant communications” with the FedRAMP PMO while designing the replacement for the Networx contract expiring in May 2023, he said. TIC has since shifted from DHS’s purview to that of its Cybersecurity and Infrastructure Security Agency, and the PMO is in the loop.
“One of the things that we did immediately when we were putting together EIS was to ensure that any cloud service that was provided, either as a TIC solution or any other solution for that matter, had to be FedRAMP certified,” Russo said.
TIC controls for boundary protection and secure connections were baselined into FedRAMP, and companies progressing toward authorization can still be considered by agencies modernizing their network architecture.
Don’t expect an immediate merger of FedRAMP and TIC within GSA however, as both programs serve slightly different constituencies. What matters is that FedRAMP’s “do once, use many” approach to authorities to operate is taken to heart by agencies, Russo said.
Vendors have until Sept. 30, 2022, to execute EIS task order requirements, though that’s still proving tricky with agencies updating agreements to address network issues that have arisen from pandemic telework. Agencies have been setting up mobile call centers, managing web conferencing, upgrading wireless capabilities, and connecting first responders nationwide.
“Agencies are encouraged to examine any gaps in their network infrastructures and ensure they make appropriate adjustments to their EIS task orders to provide needed capabilities,” Allen Hill executive director of telecom services in the Office of IT Category at GSA, told FedScoop back in May. “Modern IT demands modern infrastructure.”
“A few” task order awards were delayed, but most remained within the projected timeframes provided by agencies, Hill said then.
The Government Accountability Office surveyed 19 agencies spending the most on EIS and found all planned to transition by May 2023, when legacy contracts are set to expire. But 11 expected to miss GSA’s more aggressive Sept. 30, 2022 deadline as of October 2019.
GSA officials encouraged agencies to share information on how the pandemic was affecting their EIS transitions, saying they would work those that had already awarded task orders on a case-by-case basis to address delays. Based on agency feedback, GSA would consider providing additional, broad guidance or assistance.
“Not all agencies have been impacted,” Hill said. “GSA is in constant communication with agencies’ transition teams to ensure agencies are able to continue making progress.”
This story is part of a FedScoop special report on the Network and Telecom Modernization. Read the rest of the report.