Updated Cybersecurity Policy Paves Way for Cloud Migrations

Published: September 26, 2019

Cloud ComputingCybersecurityPolicy and Legislation

The White House revises decade-old cybersecurity policy to give federal agencies the flexibility they need to shift to secure cloud computing models.

Initiated by the Office of Management and Budget (OMB) in November 2007 the goal of the Trusted Internet Connections (TIC) initiative has been to enhance the network security of agencies across the federal government, initially through consolidating external Internet connections and by deploying common tools like EINSTEIN at these access points. While these efforts to enhance agency security have shown some real benefits, the evolving technological landscape and the maturation of cloud computing models have led some to argue that TIC was too restrictive. Further, updates to TIC policy to enable greater cloud use has been a priority in the White House’s IT modernization and cybersecurity improvement efforts since 2017.

To that end, OMB recently released a finalized update to the TIC initiative that both rescinds outdated directives and paves the way for greater cloud migrations.

In the memorandum OMB identified the following initial set TIC Use Cases for agencies:

  • Cloud: A set of TIC Use Cases that cover the most prevalent cloud models – Infrastructure, Software, Email and Platform as a Service.
  • Remote Users: For users that connect to the agency's traditional network, cloud, and the Internet using government furnished equipment (GFE).
  • Agency Branch Office: For a branch office of an agency which utilizes its separate headquarters for the majority of their services, including generic web traffic. Software-Defined Wide Area Network (SD-WAN) technologies are in scope.
  • Traditional TIC: For instances not covered above agencies default to continue following the traditional TIC use case, leveraging agency TICAP and MTIPS providers.

OMB envisions the forthcoming collaborative and iterative process should result in the continuous improvement and development of additional TIC Use Cases that account for emerging technologies and evolving cyber threats.

Path Forward

By mid-November, 2019 DHS with coordinate with OMB, GSA and the Federal Chief Information Security Officer (CISO) Council to set the processes for the following:

  • Initiate and Manage Agency Pilots: Solicit and review agency and industry TIC pilot proposals, approve updates to TIC Use Cases and other TIC documentation, and oversee and support agency TIC pilots.
  • Approve and Maintain Agency Use Cases: Review pilot results, collect agency and industry feedback and approve updates to TIC Use Cases and other TIC reference architecture documentation to maintain currency.
  • Acquisitions Updates: Update government-wide procurement vehicles within 6 months of the approval of new TIC Use Case requirements, etc.

For their part agencies have one year to update their network and system boundary policies, including guidance on potential pilots, and designate its authorized TIC Use Case. Agency Chief Information Officers will need to maintain a detailed inventory of agency network connections, including the service provider, cost, capacity, traffic volume, logical/physical configurations, and topological data for each connection.