Evaluating the promise of the Cybersecurity and Infrastructure Security Agency’s (CISA) TIC 3.0 initiative might seem daunting given the fundamental changes in security thinking that it portends, but at least one Federal agency wrapped up that process in less than 90 days as part of a broader effort to consider the impact of IT modernization.
That was the message from Small Business Administration (SBA) Chief Technology Officer Sanjay Gupta, who spoke at MeriTalk’s TIC Talks online event on Oct. 15 about the agency’s 2018 Trusted Internet Connections (TIC) 3.0 pilot.
According to Gupta, SBA didn’t set out specifically to pilot the TIC 3.0 initiative, but ran headlong into it as part of a larger evaluation of IT modernization after the agency undertook extensive cloud service adoption in 2017. The busy hurricane season that year, and SBA’s response to it using cloud services, surfaced “the relevant constraint of the TIC 2.0 architecture” as it related to cloud service adoption, the CTO said.
Because of tech constraints in the agency’s ability to ramp up for disaster response challenges, and the need to get waivers to undertake emergency response in 2017, SBA began a 90-day modernization pilot that looked at network security broadly, with the goal of protecting all of SBA’s IT assets.
“We were looking at a singular, centralized way to manage and secure and monitor all IT assets at SBA,” Gupta said, regardless of whether they involved on-prem, cloud, data center, as-a-service, or mobile, and including security tools deployed in the cloud. Because of SBA’s early move to the cloud, the agency uncovered cloud-relevant challenges in the TIC 2.0 policy, which Gupta said did not “figure in what the cloud would do.”
“This allowed us to look at trusted interconnection in a way that most other agencies were not able to look at it,” he said. “There was no doubt in my mind that the TIC policy had good intent, but it was time for it to be upgraded.”
During the 90-day modernization pilot, and working with partners at CISA, Gupta said “we were able to meet the overall intent and goal” of what the TIC 3.0 update would call for.
“We were able to see that we had an improved cybersecurity posture because we had visibility into all of our IT assets,” said Gupta, who called that “a major departure” from what the agency had previously. “That was a huge step up from where we were.” He added, “we were able to get situational awareness” greater than required by TIC 2.0, and better performance. “Frankly, TIC 2.0 was a constraint on our ability to adopt cloud technology in a faster manner,” he said.
Among the bottom lines of the effort: a simpler cybersecurity posture, results that informed the subsequent TIC 3.0 update, and recognition from then-Federal CIO Suzette Kent that SBA’s experience was a “model to update and revise” Office of Management and Budget policy, Gupta said.
As for the 90-day timeline for the modernization pilot, Gupta said, “we were demonstrating the art of the possible.”
He continued, “I would say in some ways we at SBA have been a little different than most agencies … I came from the private sector … and we knew the urgency and the need to respond at speed.” For other agencies, he reckoned that a 90-day pilot “is doable, but I am not sure if every agency is up for it.”
More generally, he offered, “to do major transformation, you have to be able to push yourself and your team to show some tangible results” over a relatively short time period – perhaps up to 150 days. If efforts continue beyond then, he said, “maybe you are losing momentum.”