Coronavirus-related telework is hastening agencies’ adherence to the new Trusted Internet Connections (TIC) 3.0 guidelines, but industry experts are urging the government to lock-in that progress with further investment in IT.
Advances in cloud computing, encryption and mobility inspired the White House’s TIC 3.0 guidance, and additional interim telework guidance released in April encouraged agencies to run with the remote and telecommunications solutions they already were testing. The goal of TIC 3.0 was to update the rules for how federal agencies secure their networks, using what it calls “a multi-boundary” approach that accounts for advancements in cybersecurity since TIC 2.0 was released in 2007.
The digital research company Global Workplace Analytics estimates 25% to 30% of the U.S. workforce will continue to work remotely multiple days a week, post-pandemic. Government agencies won’t have even have that option unless they fully evolve to modern network architectures that support those solutions, said Zain Ahmed, vice president of civilian and law enforcement sales at CenturyLink, during a virtual talk May 7.
“Eventually the pilots have to prove out and be capable of also passing along threat data to [the Department of Homeland Security] and others to consume,” Ahmed said. “So you can’t have one without the other.”
An impromptu poll conducted by the Advanced Technology Academic Research Center during a webinar last month found 15% of agencies implemented TIC 3.0 while adding remote and telecom solutions for their workforce during the pandemic. Another 13% said they used the interim telework guidance as a guide. The poll’s sample size wasn’t clear.
Agencies can’t just use any cloud service to deliver remote access security, though. Providers must be able to send telemetry data to the National Cybersecurity Protection System’s EINSTEIN team within the Cybersecurity and Infrastructure Security Agency, according to the interim guidance.
“Architecting, designing, procuring, implementing, migrating, and securing modern architectures can be complex,” a spokesperson for CISA, which sits within DHS, told FedScoop. “CISA continues to work with a number of agencies and vendors toward improving the federal enterprise environment, including to enhance everyone’s situational awareness.”
Previously only vendors that went through the Networx telecom contract’s validation process received an authority to operate (ATO) from the General Services Administration allowing them to provide Managed Trusted Internet Protocol Services — the TIC-compliant cybersecurity services. Under TIC 3.0, many chief information security officers wield the ATO.
Ultimately it will fall to every agency to secure its own data, but industry can lend its networking and security expertise, said Campbell Palmer, solutions architects manager for public sector at CenturyLink.
“There’s some education involved,” Palmer said. “And what we need to do is make sure we’re helping these agencies recognize that we can help develop their [open network architecture] plans with their TIC 3.0 environment to allow for that adoption and taking on that ATO.”