FedRAMP TIC overlay pilots to answer questions around agency, cloud provider responsibilities

A Federal Chief Information Officers Council working group will wrap up four pilot projects by the end of September that test a security process that dovetails with the Federal Risk and Authorization Management Program, or FedRAMP.

The FedRAMP program office, which aims to accelerate the authorization of cloud computing technologies at federal agencies, has been working with the Homeland Security Department on a Trusted Internet Connection, or TIC, overlay that would allow a cloud service provider to come out of the FedRAMP authorization process with not only cloud security approvals, but also TIC certification. This would allow agencies to check two compliance boxes through a single process.

Comments on the draft TIC overlay were due May 1, and for the past six months, the CIO Council's Cloud TIC Interagency Working Group has been working with cloud service providers, or CSPs, to determine how to best meet the FedRAMP TIC overlay capability requirements, according to a Sept. 18 blog post. The working group's four pilots test varying cloud service models and unique computing scenarios, says the CIO Council post.

DHS Federal Network Resilience Branch Chief Sara Mosley, who serves as co-chair of the working group, said the pilots are progressing on schedule and each CSP has outlined how it will meet overlay requirements.

A main goal of the pilots was for the DHS TIC Program Office, agencies and CSPs to determine "which TIC overlay capabilities are the responsibility of the CSP and which are on the agency," said the post.

"Depending on the cloud service model employed, certain security requirements are sometimes not applicable or become the responsibility of the customer rather than the provider," the CIO Council added.

The pilots are also looking into ways CSPs can provide log reporting back to the sponsoring agency and DHS.

The FedRAMP program office sees the TIC overlay as just the beginning of a broader effort to streamline compliance requirements through FedRAMP.

"We're pretty excited to see that there's a lot of forward movement between how cloud providers could possibly be providing TIC capabilities, or provide an alternative way for agencies to meet both FedRAMP and TIC," said FedRAMP Director Matt Goodrich in remarks at a conference in May.
