Agencies frustrated with unclear guidance on reducing external network connections

Technology leaders blame poor communication between OMB and other departments for haphazard efforts to comply with the Trusted Internet Connections initiative.

ATLANTA -- Failure by the Office of Management and Budget to communicate clear, consistent expectations to agencies on how they should reduce network connections to the Internet has muddled compliance efforts, said federal technology leaders at a conference on Wednesday.

Under the 2007 Trusted Internet Connections initiative, agencies are required to propose their existing or planned capability to act as TIC access providers, offering centralized gateway monitoring of external network connections either for their own department or for multiple agencies. Agencies then developed comprehensive plans of action and milestones with guidance from OMB and the Homeland Security Department.

"There was an expectation [from OMB], but there wasn't any understanding of the reality of the situation," said Betsy Edwards, project executive of the NASA integrated services network, during a session at the GFirst Conference, hosted by the Homeland Security Department's U.S. Computer Emergency Readiness Team.

NASA submitted a proposal in 2008 to be a single TIC access provider, meaning it was responsible only for its own network connections.

Edwards said, "On our side we were left asking, 'What really are they expecting of us?' "

The goal of TIC is to reduce the number of external Internet connections in the federal government to fewer than 100 in 2009. An exact deadline has not been announced yet. Agencies decreased the number of connections to 2,758 at the start of May 2008; no figures after that date have been released.

Edwards pointed to a lack of clarity in the number of TICs that OMB approved for NASA. Agencies identified as TIC access providers are authorized two locations to provide managed TIC services, but NASA submitted justification in mid-2008 for five TICs to support current mission requirements. OMB voiced no objection until a conference call in January 2009. "They said, 'No, we're sorry; you have two,' " Edwards said. "There was nothing ever [provided] in writing."

NASA since has begun to develop a business plan with different options for how to implement only two TICs, but is hoping to eventually earn approval for five to prevent degradation of network operations for locations stretching from California to Texas, Florida and the Washington metropolitan area.

"I'm willing to go to OMB and say, 'Two TICs are not going to work and here's why,' " Edwards said. "We're hopeful we can convince the new administration; it helps there's a new administration."

Randy Reynolds, the technical point of contact for the Treasury Department's Trusted Internet Connection initiative, said OMB requested the department's plans of action and milestones three times, but never provided feedback.

"In each one, we put down that we expect to have five to seven TICs," Reynolds said. "We showed exactly bureau by bureau where those TICs would be. OMB never responded.... We're under the opinion that as long as we have a plan of action that is in agreement between us and DHS, we're in compliance."

NASA also discovered additional requirements for approval as a single TIC access provider that Edwards said were not previously noted. For example, IT systems that support TICs need to be in a secure, enclosed area known as a sensitive compartmented information facility. Edwards said she found out about this requirement during the compliance validation process that NASA completed this month to test whether the TICs meet a set of 51 critical technical capabilities. She still is unclear on which type of SCIF qualifies.

"So now we're trying to comply with new requirements being levied on us that we hadn't known about before, in addition to [adjusting] to two TIC locations instead of five," Edwards said. "We're making forward steps to get to a position of TIC compliance, but -- oh, by the way -- we don't have money for this."

Another cause for concern for some agencies is a requirement for TIC access providers to turn over all computer system log files for review by US-CERT.

"They're asking for all firewall logs, Internet transactions -- all the way down to the endpoints," said one Treasury official who attended the panel discussion. "We're in the financial market; I can't turn over all the logs, because there's taxpayer data in there."

Sean Donelan, the program manager for network and infrastructure protection at DHS, said agencies can contest requirements included in service-level agreements with Homeland Security to have them changed if necessary.

"TIC turns out to be a bigger task than people initially think," said Frank Tiller, director of service development at network services programs at the General Services Administration. "There's a lot to do to be ready to use a TIC service, or build your own to operate."
