Why DHS is changing the way agencies connect to the internet

A forthcoming revamp of the government's Trusted Internet Connection policy will facilitate cloud adoption and align with the White House IT modernization plan.


The federal government is currently in the process of revamping its policies around Trusted Internet Connection, with a focus on encouraging greater cloud adoption – a major IT modernization goal.

One of the main goals of the upgrade, called TIC 3.0, is to develop viable use cases and guidance for agencies as they continue to rely on a more mobile workforce and move more legacy applications to the cloud.

At a Jan. 30 FCW event on cloud security, Mark Bunn from the Federal Network Resilience Division at the Department of Homeland Security said the push to refresh TIC is a reaction to the explosion in popularity of cloud computing as well as the emergence of new cybersecurity programs, like Continuous Diagnostics and Mitigation, that are not accounted for in current policy.

The White House IT modernization plan, released in December 2017, explicitly calls for an update to the TIC to facilitate cloud adoption.

Bunn said the average agency currently uses eight different cloud service providers, and federal agencies as a whole use 228. Two-thirds of those instances are for Software-as-a-Service.

"We've definitely had some agencies that were very frank and outspoken. It's wonderful they were able to articulate just how bad things are at that level, to say this is causing me pain and…these are real problems for us," Bunn told FCW in an interview after his presentation.

DHS is looking to address "the trombone effect" -- the latency issues that occur when agencies attempt to access government data that is hosted off-premises. Users complain they have to triple bandwidth to support cloud applications, Bunn said. It's one of the most frequent complaints he hears from agencies.

The original TIC was developed in 2007 under the Bush administration, out of a desire to limit the number of access points from government networks out to the public internet.

Ari Schwartz, former senior director for cybersecurity on the National Security Council under the Obama administration, told FCW that the original TIC architecture was not designed to serve a modern, cloud-based enterprise. The updated framework will likely take the TIC "in a much different direction," pushing more reliance on cloud and shared services as a way to bring agencies into compliance.

"If you think of shared services as being inside the agency wall, then [TIC 3.0] actually cuts down on the number of connections," said Schwartz. "It's a way of having extra added protection before you get to an individual user, certainly before you can steal a credential."

Bunn told reporters after his speech that DHS is basing its timeframes for TIC 3.0 around the deadlines established in the White House IT modernization plan. That document directs OMB to issue a preliminary update for the TIC policy, establish a comprehensive strategy for cloud email and collaboration and test out new requirements through a series of pilot projects by March 2, 2018. It also calls for OMB, DHS and the General Services Administration to deliver "rapid draft updates to the TIC policy" by June 30, 2018.
