The release last week of the Trusted Internet Connections 3.0 policy may usher in a new, more nimble era of policymaking for IT, federal leaders said Wednesday.
The Office of Management and Budget’s updated and more flexible guidance for how agencies connect to the greater internet is a major victory in that it was the first update in a dozen years. But it also provided a new model for how OMB can revamp policy to be more iterative and in rhythm with the rapid evolution of technology.
OMB is moving from a “slow” process of issuing policy updates that typically requires long studies and years between any refreshes to “actually challenging ourselves to have a deeper connection to exactly what’s happening and create ongoing ways that we keep things current,” U.S. CIO Suzette Kent said at the Cybersecurity and Infrastructure Security Agency‘s National Cybersecurity Summit.
In the case of TIC 3.0, though it’s the first update to TIC policy since 2007, it was developed in an agile, responsive manner so that when agencies evolve the way they connect to the internet, such as through the cloud, OMB won’t be far behind with policy to reflect it. The new policy includes pilots and use cases — led by agencies who have creative new approaches to using the government’s Trusted Internet Connections — that it says “ensure they remain relevant” as they must be “reviewed and updated on a continuous basis.” The result, the policy explains, is a “process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.”
OMG has enlisted the Department of Homeland Security as the cybersecurity experts at the helm to continuously decide what new TIC use cases to approve and which ones to cycle out as they’re no longer needed.
“From the OMB side, the goal…is to more focus on intended outcomes and expectations, not the detailed specifics, and partner with the experts in any specific space to drive the details that are appropriate at that point in time for that specific agency mission and bring the depth of subject matter knowledge in to match with the infrastructure that we’ve put in place to manage across our entire enterprise,” Kent said.
Kent explained that “our environment is changing so quickly” requiring new methods and approaches to creating policy. Methods, she said, could be “as simple as a timer: I’m going to reexamine this every six months, every one year, and evaluate if this is still effective.” On the approach side, it was as simple as partnering with DHS’s CISA and trusting the agency to lead the way.
“What we are doing is creating a pathway to ask the question, ‘Is there a better way?’” Kent said. “And make that happen very quickly versus a decade, or a long study. And that’s the kind of agility and nimbleness that we have to have in this space because cybersecurity is a perpetual state of hypervigilance. We have to constantly be evaluating what are we seeing, how do we act, what’s the next step?”
OMB looked at that “across all of the policies over the past 18 months — we’ve updated all of the major pieces,” Kent said.
Jack Wilmer, CISO for the Department of Defense, gave “big kudos” to OMB and DHS for their work on TIC 3.0 and developing a new, more-iterative way to think about policy. He agrees with Kent about letting bright minds around government lead the way.
“Let’s get the right group of people together to assess the risk of what that is, to look at the results, to look at how it works, and then if it seems like it worked well and is a good approach, let’s go ahead and modify the policy to say now any other federal agency can use that model,” Wilmer said of agile policy. “And similarly, the intent is that as the threat evolves and we find out ‘OK we were letting people do this but now we understand that that probably is not a good idea,’ we should be able to rapidly evolve our policy so that no new connections use that model that we know now to be not the right approach.”
He hopes to use it at the Pentagon for its internal tech policies.
“Instead of doing a two-year-long study and trying to come out with the answer and saying, ‘OK this is the next version of how we’re going to do X,’ it’s looking at more of an agile approach to policy development,” Wilmer said.
“I am absolutely trying to figure out how do I bring that into the Department of Defense so that the policies that I write, that we update, are things that we can evolve in a more agile manner,” he said.