Federal officials credited the increased flexibility and quick updates of the Trusted Internet Connections (TIC) 3.0 policy for their ability to respond to the COVID-19 pandemic during a panel session at MeriTalk’s TIC Talks event today.
Officials from the Department of Veterans Affairs (VA) and the Department of State described the benefits of TIC 3.0 – finalized by the Cybersecurity and Infrastructure Security Agency (CISA) in July – in handling the quick scale-up of telework and remote access at a time when traditional network perimeter defense did not suffice.
“Having the TIC 3.0 guidance allowed us to really aggressively push the envelope and do what we called the impossible,” said Royce Allen, director of enterprise security architecture at VA. “We went from probably 150 to 200 simultaneous, to up to 500,000 simultaneous users,” she shared, highlighting how new capabilities allowed the agency to let non-VA doctors use their facilities when local healthcare capacities were strained.
“With TIC 3.0, the flexibility is definitely an enabler,” said Gerald Caron, director of enterprise network management at the Bureau of Information Resources at the Department of State. “Last year, we would probably say ‘Oh, we’ll never be able to do that,’ but I think with COVID happening it has showed us how much we’re able to do, and it’s allowed us to focus on what truly is our risk tolerance now.”
Looking at TIC 3.0 as a complementary policy to the Enterprise Infrastructure Solutions (EIS) contract, officials from the General Services Administration (GSA) highlighted how TIC 3.0’s increased flexibility can be used to support increased telework into the future, better fit agency needs, and improve security.
“The TIC 3.0 guidance is going to allow agencies to move from that investment in the network infrastructure and architecture to allow them to be more conducive to how we work today. TIC 3.0 will benefit the small and medium agencies especially, as it allows them to move away from those costly, one-size-fits-all type of TIC 2.0 solutions to something that’s the right size for their agencies,” said Allen Hill, acting deputy assistant commissioner for category management at GSA.
“It comes back to the way the network is architected, but I would say there are definitely positions to strengthen network security … especially as you move more towards endpoint interrogation,” added Justin Morgan, solutions architect at GSA.
Hill and Morgan both noted that the EIS contract is currently being modified to allow agencies to take more advantage of solutions that move from the traditional use case to the new and emerging use cases. Both also noted the importance of agencies keeping enough flexibility in their EIS contracts to meet the evolving use cases of TIC 3.0.
Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance at Zscaler, emphasized the importance of vendors fully understanding the TIC 3.0 guidance, with panelists holding up Zscaler as a model of how to map solutions to TIC 3.0’s security capabilities.
“Make sure you read the CISA policy front to back, because if you pick pieces out, it’s so open to interpretation. If you read it all in order, it makes very clear sense,” he said.
Looking to the future, panelists noted that the guidance is still evolving, but shared how they expect and hope it will evolve.
“There’s been a lot of talk on evolving the remote user use case into a zero trust architecture use case. It would be nice to see that formally happen,” said Morgan.