Sean Connelly, senior cybersecurity architect at the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), said today that the official version of the Trusted Internet Connections (TIC) 3.0 policy to be issued later this year by the Office of Management and Budget (OMB) won’t be much different than the draft version released by OMB in late December 2018.
“Everyone’s asking when the policy is coming out,” Connelly said today at MeriTalk’s Cloud Computing Brainstorm event during a session moderated by Stephen Kovac, VP of Global Government and Compliance at Zscaler.
The draft version of the policy “is pretty much how” the official version is going to be, Connelly said.
The draft policy aims to remove barriers to cloud and modernized technology adoption by Federal agencies, ensure that the TIC initiative remains agile, and streamline and automate verification processes.
At the heart of the updated policy is the addition of new TIC use cases, which will allow the Federal government to add new ways for agencies to connect outside of the traditional methods of a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS). OMB said when it issued the draft policy that the TIC use case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific instances where traffic is not required to flow through physical TIC access points.
Connelly said today that the final policy will result in a “catalog approach to use cases.” Federal agencies, he said, want the new policy to “get the TIC out of the way” and not have it stand in the way of agencies adopting cloud services.
Asked about requirements for reference architecture documentation, Connelly said more information will be provided “pretty close to when the policy drops.” Asked by Kovac about reference architecture requirements, Connelly said they will be less prescriptive than previously, and more concerned with “cloud objectives.”
Connelly explained the origins of the TIC policy, when the Federal government in 2007 sought to catalog how many external connections were being used by Federal networks, and said the result “was eye-opening” as to the larger number of external connections that were discovered, and the varying degrees of security that accompanied those. The original policy required external connections to be brought to TIC “points of presence” with standard security firewalls.
Connelly replied it will enable “flexibility and choice” by allowing CIOs to use three different “trust zones” depending on the external connections they are dealing with.
“We will help agencies make those decisions,” Connelly said, but won’t make the decisions for them.
Currently, Kovac said, “agencies think of TIC as the barrier” that can either prevent or block them from connecting to cloud services. Connelly replied that the new policy will aim to dispel that notion by giving agencies more options to connect to cloud services.