Trusted Internet Connection (TIC) Letter to OMB


August 14, 2019

Ms. Suzette Kent
Federal Chief Information Officer
Office of Management and Budget
725 17th Street N.W.
Washington, DC 20503

Dear Ms. Kent:

We are writing on behalf of the Alliance for Digital Innovation (ADI), a cloud-forward group of companies focused on the efficient deployment of commercial innovation into the federal government, to urge your office to accelerate release of the final version of the Trusted Internet Connection (TIC) 3.0 Final Policy on behalf of the Office of Management and Budget (OMB).

Our members include large, medium, and small companies dedicated to solving the most intractable problems of modernizing government IT. We possess a deep technical bench transcending existing legacy IT challenges, and our membership embodies the leading edge of nontraditional government partners. Our members’ solutions and support offerings are rooted in cloud technologies and provide new business models specifically designed to modernize IT.

When it was initially released, we heralded the draft TIC policy because of its focus upon removing barriers to cloud and modern technology adoption by ensuring that the TIC initiative remains agile while streamlining and automating verification processes.

We also applaud the placement of new TIC 3.0 Use Cases at the center of the new Cloud Smart policy, because it allows for the federal government to add new ways for agencies to connect outside of the traditional methods of a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS).[1]

In the draft policy, OMB said these new Use Cases will be “reviewed and updated on a continuous basis,” with pilot proposals being handled along four lines: 1) proposals going to the CISO Council for approval; 2) DHS, OMB, CISO Council, and the General Services Administration (GSA) overseeing and assisting with pilot programs; 3) DHS reviewing pilot results and soliciting feedback; and 4) GSA updating acquisition rules to support new TIC 3.0 Use Cases. We support these channels for issuance of best practices governing the TIC going forward.

The draft also calls on DHS to “streamline and automate processes to validate agency compliance with TIC Use Cases,” requiring DHS to develop a compliance verification process for each new Use Case within 90 days of its release. We believe that automation is a critical component to an effective TIC implementation.

ADI believes these attributes are useful and necessary steps to meeting the critical role of the TIC. Because the TIC draft also tasks agency CIOs with maintaining an accurate inventory of their agency network connections, in case the information is needed to assist with a government-wide cybersecurity incident response, we do not believe that any further delay on issuing the final policy is in the public interest. ADI members (and our partners) have heard from several agency leadership teams that agency budgets have “bench marked” dollars for TIC 3.0 pilots and orders in their end-of-year spending. However, these same teams cannot move forward on critical pilots without having the policy finalized. Their concerns are that without the finalized policy, agency funding might be allocated to older TIC/MTIPS solutions – none of which are relevant to a “Cloud Smart” agency program plan or any agency truly wanting IT Modernization.

Accordingly, we urge OMB to complete the process of issuing the final version of the TIC policy to assist government in meeting the objectives of the Cloud Smart policy and to further secure our vital infrastructure needs.

We welcome the opportunity for further engagement with your Office and laud the work your team has been doing to address these critical requirements.

Very truly yours,

Richard Beutel
Alliance for Digital Innovation

[1] “Given the diversity of platforms and implementations across the Federal Government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for government-wide intrusion detection and prevention efforts,” the draft states.