Advances in cloud computing, encryption and mobility prompted the Office of Management and Budget to release TIC 3.0 guidance in September approving cloud, agency branch office and remote user use cases.
Now, the Cybersecurity and Infrastructure Security Agency is working with the State Department and several other agencies accessing the cloud from branch offices, with current plans to incorporate lessons learned into that particular use case, said Sean Connelly, TIC program manager at CISA.
“We had a pretty tight pilot at the State Department, but then the pandemic happened and we had to slow down some stuff,” Connelly said on an Advanced Technology Academic Research Center webinar Thursday. “We recognize that, so not all pilots are going to end at the same point.”
The State Department’s proof of concept was meant to run 90 days, but employees at the embassy are teleworking due to coronavirus precautions.
Still, the department has seen improved performance on the ground, said Gerald Caron, director of its Enterprise Network Management Office.
“The site seems to be happy with the performance,” Caron said. “So I think it might be a good thing for agencies like us, that are very geographically dispersed, rather than having to backhaul everything to one place.”
Caron’s office is working to ensure the pilot has the same security telemetry as the department’s static TIC, as well as the telemetry CISA needs. Once the pilot ends, the office will scale it to other posts and assess other solutions, Caron said.
The TIC program office is working with every pilot agency to measure bandwidth and latency, user experience and services.
“Each agency has a different way to monitor quote-unquote success, and we’ve been distilling those into some templates that we’re about to release later on,” Connelly said. “It’s not part of our guidance.”
An impromptu poll conducted by ATARC during the webinar revealed 15% of agencies implementing telework solutions during the pandemic useed TIC 3.0, and 13% relied on CISA’s interim telework guidance released in early April. The poll’s sample size wasn’t immediately clear.
Both draft guidance CISA released in December introducing additional TIC 3.0 use cases and the interim telework guidance are recent, which could explain why 72% of respondents followed different standards.
“The guidance that we released is draft, so I think some agencies are waiting until there’s more formalized guidance out there,” Connelly said. “And also, to implement something takes a long time.”