History/Background of TIC
The Trusted Internet Connection (TIC) Initiative was designed to reduce the number of United States Federal Government network boundary connections, including Internet points of presence (POPs), in order to optimize federal network services and improve cyber protection, detection, and response capabilities. In the face of an ever-increasing body of laws and regulations related to information assurance, Government customers interested in moving to the cloud are confronted with security policies, guidelines, and frameworks that assume on-premise infrastructure and do not align with cloud design principles.
Federal Government agencies must route connections for the increasing number of mobile users accessing cloud services via smartphones and tablets through their agency network. In alignment with this trend toward mobile use, Federal Government employees and contractors now want the ability to access cloud-based content anytime, anywhere, and with any device. Agencies want to leverage compliant cloud service providers (CSPs) for agile development and rapid delivery of modern, scalable, and cost-optimized applications without compromising their information assurance posture or the capabilities of the cloud.
The three goals of the TIC Initiative are as follows:
Reducing and consolidating external access points across the federal enterprise,
Managing the security requirements for Network and Security Operations Centers (NOC/SOC) for incident response capabilities, and
Establishing a compliance program to monitor department and agency adherence to TIC policy.
Agencies must reduce the number of external connections to their networks and ensure that all external connections enforce TIC capabilities at the network perimeter in order to monitor and provide for the security of Federal data. Currently, DHS verifies these capabilities at agencies' external network perimeters in one of three ways:
An agency can implement the capabilities on its own perimeter of external connections and become an agency designated as a TIC Access Provider (TICAP);
Procure external network connections and security of its network perimeter through commercial carriers designated as Managed Trusted IP Service (MTIPS) providers through the GSA Networx Contract; or
Work with another agency designated as a TICAP to leverage that agency's external connection perimeter security.
In its current form, a TIC-compliant architecture precludes direct access to applications running in the cloud. Users are required to access their compliant CSPs through an agency TIC connection, either a TIC Access Provider (TICAP) or a Managed Trusted IP Service (MTIPS) provider. This architecture often results in application latency and might strain existing government infrastructure. In response to these challenges, the TIC program recently proposed a Draft Federal Risk and Authorization Management Program (FedRAMP)–TIC Overlay that provides a mapping of National Institute of Standards and Technology (NIST) 800-53 security controls to the required TIC capabilities (see the image below for a basic visual of the proposed TIC Overlay infrastructure).
TIC Overlay & FedRAMP Forward
As it is now, government systems must comply with the security requirements covered in NIST 800-53; however, they must also be TIC compliant. The DHS TIC guidance demonstrates how agencies can ensure that cloud services meet NIST 800-53 requirements and have all the capabilities needed for agencies to meet the TIC Initiative. The Draft overlay (depicted in figure 1) is the first step in updating TIC's current reference architecture to allow agencies greater flexibility as they move to securely adopt cloud solutions. The TIC overlay will maintain the security of data within cloud environments and the security of the network connections between agency networks and cloud services.
These goals address the network strain caused by the growing number of mobile users. The TIC Reference Architecture v2.0 describes three actions agencies can take at their external network perimeter:
An agency can implement the capabilities on its own perimeter of external connections and become an agency designated as a TIC Access Provider (TICAP);
Procure external network connections and security of its network perimeter through commercial carriers designated as Managed Trusted IP Service (MTIPS) providers through the GSA Networx Contract; or
Work with another agency designated as a TICAP to leverage that agency's external connection perimeter security.
About JHC Technology, Inc.
JHC Technology is a Service-Disabled, Veteran-Owned Small Business headquartered outside Washington, DC. JHC has been a leader in Amazon Web Services cloud solutions since 2010, supporting the Federal Government, Local Government, Non-Profits, and the Private Sector, as well as a Fortune 50 company. We provide intelligent engineering and development services focused on disruptive technologies with core capabilities in cloud, virtualization, mobility, and collaboration. We deliver high-performing subject matter experts to support clients in multiple industries, including defense, international trade, financial services, grant administration, science, and retail. JHC is an AWS Advanced Consulting Partner, Authorized Government Partner, and Channel and Government Reseller.