TIC compliance complicates agency cloud plans
- By Derek B. Johnson
As agencies push to modernize their IT infrastructure, they are also working through conflicting goals like cloud adoption, telework policies and Trusted Internet Connection compliance.
The Trump administration expects the push for IT modernization to last at least a decade, a White House official said at a March 15 event hosted by CA Technologies.
“It’s going to outlast an administration, so we need to make sure we have the foundation in place so you can build upon that,” said Danielle Metz, senior policy advisor at the Office of Science and Technology Policy. “It’s not going to be a three-year plan, it’s going to be something significant, a decade or more.”
Knowing agencies are in for a long haul, the administration wants to ensure cohesion between long-term goals like cloud migration and cybersecurity, particularly the Trusted Internet Connection.
Federal officials are hoping the newest model, TIC 3.0, addresses that problem, but even a revamped policy will face some daunting challenges. The federal government relies on a dizzying number of cloud providers -- approximately 228 in all, according to the Department of Homeland Security.
The administration’s IT modernization plan seeks to consolidate and improve acquisition of network services, including reducing the number of internet access points. Previous versions of TIC were not designed with the cloud in mind, and the administration’s plan calls for agencies to implement rapid updates to their TIC policies by June 30 to facilitate greater cloud migration.
Stephen Kovac, vice president of global government compliance at Zscaler, told FCW that while the government needs trusted internet access points, the TIC framework predates the federal government’s 2010 “cloud-first” policy and was developed at a time when policymakers had no idea how prevalent the cloud would be in the public sector.
“When we first talked about TIC, people would have laughed at you if you said government was going to put their data in the cloud, much less process it in the cloud,” said Kovac.
The federal government’s increasing reliance on remote workers also presents a challenge. The 2010 Telework Enhancement Act required all executive agencies to establish telework policies and train agency leaders on how to manage a remote workforce. A 2017 audit by the Government Accountability Office found that the number of federal employees participating in telework programs grew from 300,372 in 2012 to 427,450 in 2015. While Congress is asking questions about teleworkers' efficiency and supervision, those numbers are expected to keep rising as the federal government and private sector continue to virtualize their operations. The circuitous route their data must take under current TIC policies is a case study in how TIC and the cloud conflict.
“If you look at agencies today, most of these people are carrying around laptops and tablets,” Kovac said. “They’re not sitting at their desks.”
Today, cloud migration is an essential component of most agency modernization plans. So the contradiction between the government dramatically reducing the number of internet access points while also ramping up cloud adoption -- which in part relies on leveraging many access points for efficiency and speed -- has left IT leaders at some agencies scratching their heads.
Rod Turk, chief information security officer and acting CIO at the Department of Commerce, said the push for cloud adoption and compliance with previous versions of TIC was causing tension among agency CIOs. As an example, he pointed to data compiled by Census workers using electronic handheld devices.
“When you have all this traffic moving back and forth, how do you run it through a Trusted Internet Connection? Because we’re using a cloud-based solution to gather data,” said Turk.
DHS is overseeing compliance with TIC 3.0. At a March 15 meeting of the Information Security and Privacy Advisory Board, DHS officials said they were still processing feedback from a series of agency pilots identifying cloud solutions that were running into hurdles based on TIC policy. Those pilots wrapped up on March 2, and DHS is now sorting those projects into low-, medium- and high-risk categories to inform agency decision making.
As a potential workaround, DHS is exploring other ways to monitor connections from cloud-based systems. Sean Connelly, cybersecurity architect at DHS, indicated that in certain areas, cybersecurity programs like EINSTEIN and Continuous Diagnostics and Mitigation may be better suited for monitoring cloud-based traffic.
“How TIC evolves and where there is data that is going to be architected in the cloud, there’s expectations that the CDM program would be able to monitor that data … probably better than TIC can at this point,” said Connelly.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.