Federal Cloud Computing Strategy [Draft for Public Comment]

From: Cloud.CIO.gov


Trusted Internet Connections

In 2007, M-08-05 Implementation of Trusted Internet Connections (TIC) [3] was released, with the purpose of standardizing the security of external network connections used by Federal agencies while reducing the number of those external network connections. The Trusted Internet Connections policy was established when agencies maintained the majority of their systems within their agency-owned and operated networks, and when networking was constrained by physical limitations. Since then, the technology landscape has changed dramatically with the proliferation of private-sector cloud offerings, the emergence of software-defined networks, and an increase in the mobile workforce. Improvements to security are now driven by standards and secured connections instead of limited physical connections.

In the current landscape, requiring all agency network traffic to flow through a limited number of Trusted Internet Connections is no longer feasible as a one-size-fits-all strategy. This design choice has hampered agencies’ ability to acquire new technologies including commercial cloud solutions, which use a distributed network model and use virtual, rather than physical, controls of data. In addition, these infrastructure designs have reduced agencies’ ability to take advantage of new paradigms such as the ability to create zero trust networks not bound by traditional firewalls.

As a result of these constraints, various agencies have worked with the Department of Homeland Security to establish agency-specific solutions to alleviate related performance degradation issues. The results of this work will be shared in a manner that reinforces alternative approaches to meeting Trusted Internet Connection objectives, including updating the Trusted Internet Connections Reference Architectures to demonstrate use cases where program objectives can be met without routing all traffic through a limited number of physical access points. In use cases where traffic is not required to be routed through a Trusted Internet Connection, agencies must implement DHS-designated controls to ensure an appropriate baseline level of security across the Federal enterprise. Given the variety of platforms and implementations across the Federal enterprise, the Trusted Internet Connection Reference Architectures will also demonstrate how use cases that do not require traffic to be routed through a Trusted Internet Connection can still address the requirements of government-wide intrusion detection and prevention efforts, such as the EINSTEIN Program [4].

Continuous Data Protection and Awareness

Migrating to a cloud-based environment changes the dynamic of network visibility and data protection that an agency might already be supporting. As data transits various networks and comes to rest in various locations, such as an end user's device, Identity, Credential, and Access Management (ICAM) and encryption become increasingly important.

An agency is the custodian of its data on behalf of the public. As such, each agency should determine its own governance model for cloud-hosted data that aligns with its identity and credential management systems. Additionally, where a cloud solution is deployed by a vendor, a Service Level Agreement (SLA) should be in place that provides the agency with continuous awareness of the confidentiality, security, and availability of its data.

Furthermore, agencies should be made aware when their data resides on third-party information systems, provided with access to log data, and notified promptly if a cyber-incident or other adverse event occurs. Agencies should consider having an agreement with all providers, whether Federal or commercial, regarding access to and use of log data for their information security operations.

Agencies and their partners should regularly engage in reciprocal information sharing in an effort to combat malicious cyber behavior. Cybersecurity requires public-private collaboration, and as more Federal entities adopt commercial cloud solutions, customers and providers should work together to protect information. In addition, DHS's Continuous Diagnostics and Mitigation (CDM) program [5] must continue to evolve in order to equip agencies with the monitoring tools and capabilities they need to understand their cyber risk in the cloud.
