Is TIC 3.0 slowing down agency EIS adoption?

Some agencies have delayed their move to EIS, saying they're hesitant to do so until TIC 3.0 final policy is issued.
Mike Duffy speaks April 4, 2019, at the Cybersecurity Leadership Forum presented by Forcepoint and produced by FedScoop and CyberScoop. (FedScoop)

Federal officials are anxious to transition agencies to a $50 billion next-generation network and telecommunications contract. But some agencies are hesitant to make that move before the final release of a policy update on securely connecting federal networks to the outside internet.

The General Services Administration has given agencies until Sept. 30 to award task orders under its Enterprise Infrastructure Solutions contract, which gives the government a platform to buy a variety of common modern network infrastructure capabilities, including cloud and managed cybersecurity services. Meanwhile, the Office of Management and Budget and the Department of Homeland Security are in the midst of overhauling the existing policy for Trusted Internet Connections (TIC) — a mandate, first established in 2007, to consolidate agencies’ connections to the external internet through approved access points.

By the end of March, agencies were supposed to have issued solicitations for products or services under EIS. But Bill Zielinski, acting assistant commissioner in GSA’s Office of Information Technology Category, said last week that “there are several that have indicated that part of their reason for not moving out in their fair opportunity solicitations for EIS is because they’re waiting to find out what’s going to happen with TIC 3.0,” the latest evolution of the OMB policy.

OMB issued a draft TIC 3.0 policy in December 2018 expressing that it will give agencies more flexibility to adopt modern, emerging technologies through TIC Use Cases, which are essentially alternative approved tools that don’t go through a traditional centralized TIC Access Provider.


Agencies appear to be worried that the final release of TIC 3.0 will bring restrictions that clash with anything they buy through EIS, but they shouldn’t assume that will be the case, Zielinski said during a panel at the Cybersecurity Leadership Forum presented by Forcepoint and produced by FedScoop and CyberScoop.

“We’re in the midst of a very aggressive transition in trying to get everyone to move forward together as a community,” he said, referring to EIS. “[F]olks are under the impression that TIC 3.0 is a highly prescriptive requirement … that’s absolutely not the case. Relative to any concerns in or around the impact or effect on TIC 3.0: No, do not wait for moving forward with your plans for transition onto EIS.”

Zielinski said that if agencies have concerns like this, they should reach out and “talk with us,” rather than operating with false assumptions. GSA, he said, is trying to figure out a better way to communicate with agencies as well.

“How do we start to socialize with agencies, what they can be doing, should be doing and would be doing, that there’s a lot more flexibility with TIC 3.0 and how do we start to align that with the offerings of EIS? I think if we start to have those conversations, folks will start to realize that they can move forward with an understanding and realization that there’s a lot of flexibility with TIC 3.0, but there’s also a lot of capability within EIS to allow them to deliver on any of those requirements that they would have now and into the future,” he said.

Mike Duffy, the director of the Federal Network Resilience Division at DHS, said there’s a great opportunity to take the momentum and progress of EIS and other modernization initiatives to inform the final TIC 3.0 policy as more of an evolutionary jump than an incremental one from TIC 2.0.


Duffy said EIS “offers a lot of flexibility, a lot of opportunities, a lot of ways that we are looking at the broad spectrum of services that we haven’t really looked at before in this way. And that’s going to take time to plan for, that’s going to take some conversations … to understand what the art of the possible is. And that’s something that has to happen now,” he said, urging agencies to move quickly in their EIS transitions.

“We need the planning of good ideas to happen now so that we can build into it future use cases,” he said.

Regardless of when TIC 3.0 final guidance drops — whether it’s before or after the EIS deadline — it will constantly be shifting to meet the demands of agencies, Duffy said. “We see that as being an iterative process where that’s going to grow. That’s going to be based on all the good ideas and solutions and technical advancements that we’re going to see over the next several years.”

On the EIS front, Zielinski sees momentum picking up and building. A handful of EIS vendors have been authorized to begin bidding for work on the contract. Likewise, some agencies are beginning to award contracts on their solicitations.

And though GSA has granted an extension for agencies to completely transfer over to EIS from the preceding Networx contract by no later than fiscal 2023, he said that “isn’t to allow for the front end to slide out but to really allow for that time that’s really necessary to modernize,” making the leap from the same-old legacy tech to new and innovative solutions.


“The big message for agencies is to work with us. If you have questions or you want to really figure out how you can get moving on your solicitations, contact us,” he said. GSA wants to “help folks understand the art of the possible, because without understanding the art of the possible, then they’re laboring under some assumptions about what that means.”
