TIC 3.0 Pilots, Implementation Continue During Pandemic

TIC 3.0 Pilots, Implementation Continue During Pandemic

CISA official says current practices are likely to become part of long-term guidance.

While the COVID-19 pandemic has altered the timeline for some IT modernization projects, TIC 3.0 continues to move forward from draft recommendations to finalized guidance, and some early adopters are finding that the recommendations eased transitions to telework.

Late last year, the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) announced the long-awaited update to the federal government’s trusted internet connection (TIC) guidance. Technology and cybersecurity leaders have lauded TIC 3.0 as a crucial factor in bolstering IT modernization, laying the groundwork for a variety of use cases surrounding mobile device management, network security, and secure access to government data.

Reacting to the mass shift to telework that came with the government’s response to COVID-19, CISA issued short-term, interim guidance for TIC 3.0 for remote workers. TIC Program Manager Sean Connelly stressed that the guidance was an immediate solution to a pressing need and that his office at CISA is currently collaborating with the Office of Management and Budget (OMB) and General Services Administration (GSA) to build out telework use cases to inform long-term guidelines.

In the meantime, CISA is still working with partner agencies on use cases for TIC 3.0 to develop lessons learned and best practices for TIC applications across the federal space. In one pilot program, the State Department was “actively piloting” a use case for connecting onsite to individual offices, rather than backhauling the connection to headquarters, said Gerald Karon, the State Department’s acting enterprise network management officer.

During the initial 90-day pilot, which the State Department ran as a proof of concept at an unnamed embassy, Karon said the staff reported a notable increase in performance. Although the pilot is currently on hold while embassy staff work remotely, Karon expects that the pilot program will be a success.

Piloting TIC 3.0 applications in the cloud put the State Department in a strong position to move to telework, and the agency was able to transition relatively smoothly to mass telework when it was necessary, Karon noted. That early pilot combined with recent efforts may also serve as the foundation for future pilots, such as a connection “tethered straight to the cloud” rather than an onsite server, a pilot that is already in testing.

Monitoring the interim guidance’s applications for remote work may prove to be an important component of TIC’s final guidance, both Karon and Connelly said. As a network manager, Karon is working on how to monitor home network security for State employees without having the same level of visibility that he has into agency networks. Connelly is monitoring how agencies use remote services and applications during this time.

“Traditional data centers are going away,” Connelly said, “[There’s] still relevance for TIC itself … but networks are being abstracted away from services.”

There are other pilot programs in agencies at various stages, Connolly said. Many of these involve performance and telemetry for security data, but CISA will not publicly discuss or promote any pilot until the agency conducting it does.

These pilot programs underpin the understanding that there is not a single solution for any use case, said Jim Russo, enterprise infrastructure solutions (EIS) technical lead at GSA. Long-term guidance is designed to match tools to agency needs, based both on the pilot programs and proposals from industry for solutions on TIC and EIS.

“Industry and agencies [are] asking the pertinent questions,” Russo said of his interactions with leaders in both sectors on TIC use cases.

CISA is currently focusing on validating solutions for TIC, though it does not endorse any one solution or overlay, Connelly said. The intent is to understand how solutions are “fitting TIC into [agencies’] risk management posture,” he said.

Standard