A closer look at TIC telework guidance reveals not all cloud providers are eligible
The recent Trusted Internet Connections (TIC) 3.0 interim telework guidance not only addressed agencies’ remote access security amid the coronavirus pandemic but also specified the type of cloud service providers (CSPs) they can use.
Released by the Cybersecurity and Infrastructure Security Agency on April 8, the guidance says teleworkers can access cloud services directly using transport layer security, a virtual private network (VPN) or virtual desktop infrastructure.
But reading between the lines, the guidance also says providers must be able to send telemetry data to the National Cybersecurity Protection System’s EINSTEIN team, says Stephen Kovac, a vice president at cybersecurity company Zscaler. This allows agencies to work with nontraditional CSPs, so long as they can deliver that data.
Historically, only providers that have gone through the existing Networx contract’s validation process could provide Managed Trusted Internet Protocol Services (MTIPS) — TIC-compliant cybersecurity services.
“We still need to make sure that the agencies’ new providers are accountable,” Kovac told FedScoop. “This is going to be an opportunity for people to come after the current TIC providers under the Networx contract, the service providers that provide MTIPS, but they still must meet this requirement for telemetry data.” Telemetry data contains the who, what, when, where and how of remote transactions— and people tend to miss that requirement, Kovac said.
Three access providers were authorized under the Networx contract to provide TIC-compliant cybersecurity services: AT&T, CenturyLink and Verizon. MTIPS contracts were additionally awarded to some of the primes — Core Technologies, Granite Telecommunications and MetTel — on Networx’s $50 billion successor contract, Enterprise Infrastructure Solutions.
What new CSPs agencies choose to work with remain to be seen but they’ll likely offer telework services like Zoom videoconferencing or data handling, storage and use.
FedRAMP is in there (even if you don’t see it)
Nowhere in the TIC guidance is the Federal Risk and Authorization Management Program (FedRAMP) program — established to authorize and continuously monitor CSP offerings governmentwide — mentioned by name. But that doesn’t mean it’s absent.
All the National Institute of Standards and Technology critical controls that makeup FedRAMP are included in the guidance.
FedRAMP should be named explicitly because it’s a government requirement, Kovac said, but this was TIC guidance and not FedRAMP guidance issued out of the General Services Administration.
Moving forward TIC and FedRAMP should become one or else work hand-in-hand, Kovac said.
Not referencing FedRAMP directly might allow agencies leeway to work with CSPs close to achieving FedRAMP authorization but not quite there yet.
“I think the agencies have to be careful because they’re supposed to buy only FedRAMP-ready clouds,” Kovac said. “So it’ll be interesting to see how that plays out.”
Less conspicuous in the TIC guidance are mentions of mobile security.
The guidance does call for mobile device compliance with agency policies and instructs agencies to assume end devices are compromised.
“Everybody is beginning to recognize that organizations need better visibility into what’s going on on the mobile device,” said Tim LeMaster, director of systems engineering at mobile security company Lookout. “And so I was a little surprised that this document didn’t focus a little more on that.”
Conditional access tools allow agencies to validate an end device’s state before allowing access, but there isn’t much discussion of using mobile as a protection enforcement point in the guidance, LeMaster said.
Mobile devices are far more vulnerable to phishing lures, he added.
The requirements for mobile devices shouldn’t be treated differently than any others under the remote use case, Kovac said.
“The policy is a trusted internet policy,” he said. “Not a mobile endpoint policy.”
A CISA spokesperson referred FedScoop to the initial press release on the new guidance when asked about its limits to CSPs, the absence of FedRAMP, and the limited references to mobile security.
