The Office of Management and Budget (OMB) released a draft of its Trusted Internet Connections (TIC) policy late Friday, with the goals of removing barriers to cloud and modern technology adoption, ensuring that the TIC initiative remains agile, and streamlining and automating verification processes.
At the heart of the update is the addition of new TIC Use Cases, which allow the Federal government to add new ways for agencies to connect outside of the traditional methods of a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS).
“Given the diversity of platforms and implementations across the Federal Government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for government-wide intrusion detection and prevention efforts,” the draft states.
OMB said Use Cases will be “reviewed and updated on a continuous basis,” with pilot proposals being handled along four lines: 1) proposals going to the CISO Council for approval; 2) DHS, OMB, CISO Council, and the General Services Administration (GSA) overseeing and assisting with pilot programs; 3) DHS reviewing pilot results and soliciting feedback; and 4) GSA updating acquisition rules to support new TIC Use Cases.
Among the initial TIC Use Cases are cloud, support for software-defined wide-area network (SD-WAN) technology at agency branch offices, and remote users connecting with government-furnished equipment.
The draft also calls on DHS to “streamline and automate processes to validate agency compliance with TIC Use Cases,” requiring DHS to develop a compliance verification process for each new Use Case within 90 days of its release.
“The goal is to shift from burdensome, point-in-time spot checks to a scalable, comprehensive, and continuous validation process,” the draft states.
The TIC draft also tasks agency CIOs with maintaining an accurate inventory of their agency network connections, in case the information is needed to assist with a government-wide cybersecurity incident response. The inventory includes “details on the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection.”
The draft policy is scheduled to be published in the Federal Register on Tuesday, Dec. 18, and will remain open for comment until January 17.
Separately, cloud security provider Zscaler announced today that its Zscaler Internet Access-Government service has received Authorization to Operate at the Moderate Impact level under the Federal Risk and Authorization Management Program (FedRAMP). The company said its service is the “first secure internet and web gateway solution to earn FedRAMP certification and to meet the guidance” of the TIC 3.0 draft policy.