Federal CIO Suzette Kent issued draft guidance Friday to give agencies more flexibility when allowing external network access through the Trusted Internet Connections initiative.
The update, once finalized, will provide agencies what the Office of Management and Budget is calling TIC Use Cases — essentially alternative approved tools that are separate from a TIC Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS) but proven to be secure in connecting agency networks to the internet.
The idea is to establish “a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats,” the document says.
“Given the diversity of platforms and implementations across the Federal Government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for government-wide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite of capabilities),” says the draft guidance.
Right out of the gate, there are three TIC Use Cases approved as alternatives to using a TIC: cloud, agency branch offices and remote users.
The agency branch office use case “assumes that there is a branch office of an agency, separate from the agency headquarters (HQ), which utilizes HQ for the majority of their services (including generic web traffic). This case supports agencies that want to enable Software-Defined Wide Area Network (SD-WAN) technologies.”
For the remote-users use case, the idea is an evolution of the FedRAMP TIC Overlay, which allows remote users to leverage the cloud to connect to their agency’s network on a government device.
TIC Use Cases will be reviewed and updated on a continuous basis, according to the guidance. The Federal CISO Council will lead the charge, soliciting use case pilots from agencies and industry, and, along with the Department of Homeland Security, review pilots and approve updates to the accepted TIC Use Cases. The General Services Administration will also play a role in supporting TIC Use Case pilots and updating acquisition vehicles to reflect any new use cases.
Finally, the guidance tasks DHS with creating an automated verification process to ensure that agencies are adhering to the TIC or one of the alternative use cases. “The goal is to shift from burdensome, point-in-time spot checks to a scalable, comprehensive, and continuous validation process,” the proposed policy says.
Agencies have a year from the issuance of any final guidance to reflect these changes, maintaining “an accurate inventory of agency network connections, including details on the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection in the event OMB, DHS, or others request this information to assist with government-wide cybersecurity incident response or other cybersecurity matters,” the guidance says.