“The recent Trusted Internet Connections (TIC) 3.0 interim telework guidance not only addressed agencies’ remote access security amid the coronavirus pandemic but also specified the type of cloud service providers (CSPs) they can use.”
“Released by the Cybersecurity and Infrastructure Security Agency on April 8, the guidance says teleworkers can access cloud services directly using transport layer security, a virtual private network (VPN) or virtual desktop infrastructure.”
“But reading between the lines, the guidance also says providers must be able to send telemetry data to the National Cybersecurity Protection System’s EINSTEIN team, says Stephen Kovac, a vice president at cybersecurity company Zscaler. This allows agencies to work with nontraditional CSPs, so long as they can deliver that data.”
“Historically, only providers that have gone through the existing Networx contract’s validation process could provide Managed Trusted Internet Protocol Services (MTIPS) — TIC-compliant cybersecurity services.”
“‘We still need to make sure that the agencies’ new providers are accountable,’ Kovac told FedScoop. ‘This is going to be an opportunity for people to come after the current TIC providers under the Networx contract, the service providers that provide MTIPS, but they still must meet this requirement for telemetry data.’ Telemetry data contains the who, what, when, where and how of remote transactions — and people tend to miss that requirement, Kovac said.”
“Three access providers were authorized under the Networx contract to provide TIC-compliant cybersecurity services: AT&T, CenturyLink and Verizon. MTIPS contracts were additionally awarded to some of the primes — Core Technologies, Granite Telecommunications and MetTel — on Networx’s $50 billion successor contract, Enterprise Infrastructure Solutions.”
“What new CSPs agencies choose to work with remains to be seen but they’ll likely offer telework services like Zoom videoconferencing or data handling, storage and use.”
FedRAMP is in there (even if you don’t see it)
“Nowhere in the TIC guidance is the Federal Risk and Authorization Management Program (FedRAMP) program — established to authorize and continuously monitor CSP offerings governmentwide — mentioned by name. But that doesn’t mean it’s absent…” Read the full article here.
Source: A closer look at TIC telework guidance reveals not all cloud providers are eligible – By Dave Nyczepir, April 16, 2020. FedScoop.