GSA unveils plan to allow TIC compliance for FedRAMP services

Draft "overlay" would give agencies and cloud service providers a new path to secure cloud connections.

The General Services Administration rolled out a draft template on April 2 aimed at giving commercial cloud providers a faster way to deliver secure Internet connections to federal agencies.

The Department of Homeland Security, collaborating with GSA's Federal Risk and Authorization Management Program, released a draft overlay for the Trusted Internet Connection (TIC) that meets FedRAMP requirements. The draft, said GSA, is the initial step to update the TIC reference architecture to give agencies more choices in adopting cloud services from commercial providers.

"This overlay is the result of more than 18 months of collaboration between the TIC Initiative and the FedRAMP [Program Management Office] to find alternative solutions to enable federal agencies to more easily and effectively comply with both FedRAMP and TIC," FedRAMP Director Matthew Goodrich wrote in an email to FCW. "This draft overlay is an exciting development not only in that it creates a new alternative to meeting the TIC Initiative for cloud providers, but it also combines the assessment process for both programs, eliminating duplication in effort for agencies and cloud providers."

The Office of Management and Budget set up the TIC Initiative in 2008 to standardize how the federal government secures external network connections, including Internet links.

Currently, agencies must use a TIC to connect to cloud services, and can establish that connection via three paths. The first is to implement their own external connections and become designated as a TIC Access Provider (TICAP). The second is to go through GSA's Networx telecommunications services contract to buy external network connections and network perimeter security through commercial carriers that have been designated as Managed Trusted IP Service providers. The third is to work with another agency already designated as a TICAP, and "leverage their external connections perimeter security."

That network-level compliance, however, means federal users must access their cloud services only through a TIC-compliant agency network -- an approach that is increasingly unwieldy for mobile access.

Once finalized, GSA said, the overlay will allow federal agencies to ensure the cloud services themselves meet TIC as well as FedRAMP requirements. The coordination of the two programs will provide for data security in the cloud environments and the security of the network connections between agency networks and cloud services. 

The overlay is the first that the FedRAMP PMO is releasing as part of its FedRAMP Forward initiative. Comments on the overlay are due May 2, emailed to info@fedramp.gov, with the subject line: "FedRAMP-TIC Overlay Feedback."