The Office of Management and Budget (OMB) has finalized its update to the Trusted Internet Connections (TIC) initiative in a memo released today. The final version of the policy opens the door for new approaches to network security, and retains most elements of the draft framework released in December 2018.
The new policy, commonly called TIC 3.0, establishes TIC Use Cases, which will allow agencies to take a network security approach outside of the traditional Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS) solutions. In creating these new TIC Use Cases, OMB is aiming to encourage the adoption of new technologies that had been held back by security requirements that mismatch.
“One of the Administration’s top priorities is the modernization of Federal IT and promoting policies that adapt to the plethora of technology solutions available to agencies is essential to effectuating that goal. However, a high level of security must still be in place to protect networks from malicious actors,” the memo states.
Federal agencies and industry can suggest pilots for new use cases to the Federal CISO Council, with the Department of Homeland Security (DHS) overseeing the performance of pilots, approving new use cases, and collecting feedback on use cases. TIC 3.0 currently has four Use Cases established, with security architectures in place and pilots completed:
- Traditional TIC;
- Cloud;
- Agency Branch Office, and;
- Remote Users.
The final version of the policy made few changes from the draft version released in December 2018. The main change in the final policy is the shift in how it approaches compliance. While the draft version tasked DHS with developing a process to streamline and automate compliance validation, the final version makes no mention of any shift towards automation. Instead, the final policy tasks DHS – in coordination with the General Services Administration and the National Institute of Standards and Technology – with developing a compliance verification process, without mentioning automation.
The release of TIC 3.0 finalizes the policy sprint that OMB undertook at the beginning of 2018, making updates and changes to a variety of policies, like Cloud Smart, the Data Center Optimization Initiative, and first stages of the Federal Data Strategy.
Industry reacted positively to the news of the finalization.
“TIC 3.0 is an important step forward. Legacy TIC/MTIPS infrastructure can’t handle Cloud Smart bandwidth requirements. The flexible new guidelines encourage agencies to innovate and thankfully moves us away from a one-TIC perimeter-based solution fits all approach,” said Stephen Kovac, Vice President, Global Government and Compliance, Zscaler.
“This said, given TIC 3.0’s more flexible approach, agencies need more support. They need access to TIC use cases (successful and otherwise) so they can review results for environments with security requirements similar to their own. They can learn from others in a centralized catalog of TIC 3.0 use cases as they develop their own solutions, while still keeping the original intent of the TIC mandate,” Kovac said.
“Industry will come forward with many different options. Be wary of lift-and-shift approaches. You don’t want to move your challenge from the data center to the cloud and miss the opportunity to improve security and user experience. Simply virtualizing a physical TIC ultimately makes the problem worse – agencies need multitenant cloud security stacks built to scale up and down on demand. Agencies must take advantage of the ‘cloud effect’ which allows CSPs to globally update hundreds of patches a day with lessons learned from their cloud platforms across the globe,” Kovac added.