The Homeland Security Department is beginning a complete redesign of the Trusted Internet Connection (TIC) program for the future — whatever the future might look like.
The end goal is to prepare TIC for future iterations, so that DHS, the Office of Management and Budget and other stakeholders will be better positioned to drop current or add new capabilities as the technology environment changes and evolves.
“The last thing that we want to do is make assumptions on what’s going to happen in the future, because technology is constantly changing,” Mark Bunn, program manager within DHS’ Federal Network Resilience Division, said Tuesday at an 1105 Media Group cloud security summit in Washington. “Our environments are constantly changing. How we operate is also constantly changing.”
Specifically, DHS will split TIC’s reference architecture from its capabilities document, in an effort to make any future changes to the Trusted Internet Connection policy more quickly.
“Reference architectures will be completely separate from the capabilities, which means we can update one without updating the other,” Bunn said. “We can go through a much more streamlined process to update one than it would take to update a big, huge, giant document.”
Past pilots, such as the TIC 2.2 effort, taught the Federal Network Resilience Division just how long incremental policy changes to the trusted connection program would take. Bunn described those small changes as moving “at the speed of government.”
TIC 3.0 will also focus more on helping agencies make risk-based decisions — and understand which TIC capabilities can help specific organizations lower certain levels of risk, Bunn said.
“Are we giving you the information you need to make a risk-based decision? We definitely understand that if you’re at a micro-agency or perhaps if you have data that’s not that sensitive, you may not have to apply all the capabilities,” he said. “If you don’t have email in this environment whatsoever, why would you need to implement the email capabilities in that environment? You wouldn’t.”
The goal, Bunn added, is to give agencies the tools they need to be more flexible and adapt to their own circumstances. For example, agencies that add a TIC capability in the cloud but not at a network gateway shouldn’t be penalized, he said.
“Are we enabling you to make the decisions that you need to make? Are we giving you the right tools to then enforce those policies that you’re coming up with? Are we giving you the right education to understand what these capabilities are providing and to clearly know what the level of risk that you’re accepting is?” Bunn said. “At the end of the day, that’s what we want our focus to be on … at the agency level.”
The charge for TIC modernization is among the many recommendations in the “Report to the President on Federal IT Modernization,” which the American Technology Council finalized and released late last year.
Meanwhile, DHS and the Federal Network Resilience Division are still looking at the FedRAMP TIC Overlay, which lets agencies use their mobile devices to connect to a software-as-a-service email provider.
“That’s one specific use case,” Bunn said. “Because of that, we are looking at additional overlays that we can have. As we discover the most common use-cases, we’ll certainly look at creating overlays for those use-cases, at least until we get to TIC Version 3.”
Agencies are conducting pilot sessions to further flesh out the TIC overlay, and DHS hopes that the overlay will eventually serve as the official standard for agencies, Bunn said.
In addition to the TIC redesign, DHS will take a close look at other governmentwide cybersecurity programs, such as FedRAMP and continuous diagnostics and mitigation (CDM), to help agencies remove barriers to cloud migration and improve network protections at the same time.
“We really want to make sure that we’re perfectly aligned with what those programs are doing, that we don’t have anything that’s duplicative,” Bunn said. “We can help that program, [and] that program can help us.”
Bunn’s division worked closely with the ATC and Office of Management and Budget throughout the report’s draft process. Now, the groups meet twice a week to discuss TIC changes, he said.
The report outlines a rough timeline for TIC modernization. Within 30 days of the IT plan’s release, the Office of Management and Budget has been instructed to take an inventory of cloud migration projects pending or in progress within all agencies.
Within the next 60 days, OMB is expected to give a “preliminary update to TIC policy that introduces a 90-day sprint during which projects approved by OMB will pilot proposed changes in TIC requirements,” the IT modernization report said.
Finally, OMB, DHS and the General Services Administration will use information they’ve gathered from the 90-day pilots to make “rapid updates” to TIC policy.