Quick Hits

*** As expected, the Office of Management and Budget put out a draft of proposed revisions to the Trusted Internet Connection policy. The move rescinds policy guidance dating back to 2007 that tried to corral the proliferation of unmonitored and undefended federal agency online connections, with an eye to limiting the total number of such connections to as few as 50. The policy is ill-suited for a cloud-based environment, and OMB is seeking alternative use-cases to support managed services, cloud email, connections from agency branch offices and remote users, as well as cases in which a traditional TIC policy is still needed.

OMB is seeking comments on the new policy. Additionally, the federal Chief Information Security Officer Council will review pilot proposals from agencies and have an ongoing role in approving use cases. Agencies have a year from the issuance of the final policy to update their networks and their own boundary policies.

*** A security think tank is pushing back against the wisdom of a cabinet-level cybersecurity agency, calling it "a bad idea" that would set back the government in its quest to better protect the nation from cyber threats.

In a paper for the Center for Strategic and International Studies, Suzanne Spaulding, former undersecretary of what is now the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, and Mieke Eoyang, vice president of Third Way, argue that a standalone agency focused on cybersecurity will "create a technology stovepipe" that would take power away from other federal agencies like the Departments of Energy, Treasury and Homeland Security, who have the expertise to deal with many of the non-IT implications that arise from cybersecurity policy.

DHS has sufficient authority to set federal baseline standards of security by issuing Binding Operation Directives [BOD] that are enforced by the Office of Management and Budget, according to Spaulding and Eoyang. 

Jeanette Manfra, assistant director at the Cybersecurity and Infrastructure Security Agency at DHS, expressed doubt in January about whether such directives had any real teeth to force non-compliant agencies into line.

"It says [BOD's are] binding, I'm not exactly sure what sort of enforcement mechanism I have in place to make it binding," said Manfra, adding "We don't have the authority to slap some fine on, and we're not going to kick some federal agency off the Internet."

*** Air Force PEO Digital plans to move a collection of weather programs to the cloud in 2019. PEO Digital Program Executive Officer Steven Wert told FCW that several weather programs responsible for collecting data used for aircraft and other systems are in the midst of cloud migrations, including the Air Force's main weather predictor model that helps with mission planning, supercomputer-powered Numerical Weather Prediction model out of Offutt Air Force Base in Nebraska. The programs will be rehosted at Oak Ridge National Lab with a plan to complete migration in 2019. 

PEO Digital is also moving Mobility Air Force suites, mission planning programs to the agile model. Wert told FCW that Digital’s mission is to help the Air Force change the way it does business via agile software development by sharing the PEO's learned lessons with the rest of the program executive offices. 

"My role isn't policy or to own the cloud or own the network. It's really showing other program teams how to do software in this way," Wert told FCW, saying many of the Air Force's programs will have hybrid cloud solutions, where parts of the system will have dedicated infrastructure and others on cloud, such as the weather system. 

"Programs don't need to be cloud hosted to get to a more rapid release cadence, work more directly with end users, or leverage automated testing," he said. "These things can be done through a lot of different development environments and methods. Where it makes sense, leveraging the cloud allows continuous delivery."