Managed Trusted Internet Protocol Service
Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.[1]
MTIPS reduces the number of external connections, as the original TIC mandate directed, but not to the degree originally quoted. The focus has instead shifted to securing the connections that remain, using the MTIPS architecture.[2]
Managed Services
Networx Program
The Networx Program facilitates transition to an MTIPS transport provider for participating agencies.
Service Providers
AT&T, Qwest, and Sprint, among others, will participate as MTIPS service providers.
Architecture
Functional Model
The MTIPS functional model, as far as it is publicly documented, consists of:
- TIC Portal
- Access to the Internet
- Hosted EINSTEIN Enclave
- Security Operations Center (SOC)
"TIC Portal Security Operations Center (SOC) — The TIC Portal SOC is the set of tools, appliances and processes that collect, reduce, normalize, correlate, fuse, and manage event data from a variety of devices that support the MTIPS operations. For the SOC, these devices include firewalls, Network Intrusion Detection Devices (NIDS), Host-based IDS (HIDS), and other platforms that may collect TIC Portal-relevant event data. The SOC tools also provide reports customized to Agency’s requirements [...] but as a minimum shall support TIC Portal authorities / analysts by identifying security events of interest that may be negatively affecting the TIC Portal environment."[3]
- (redacted in reference)
- Transport Collection and Distribution (MTIPS Transport)
- (redacted in reference)
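The SOW quoted above assigns the TIC Portal SOC four jobs on device event data: collect, normalize, reduce and correlate, so that analysts can pick out "security events of interest". The following is an added example of that pipeline in miniature; it is not code from the MTIPS SOW or from any MTIPS provider. The three log formats (a firewall, a NIDS and a HIDS), the device names and the IP addresses are constructed for illustration and do not reproduce any real product's syntax. Each raw line is mapped into one common `Event` schema, repeated events are collapsed into counts, and a source address is flagged when more than one device type has reported it.

```python
"""Toy SOC pipeline: collect, normalize, reduce and correlate device events.

Added example, not part of the MTIPS SOW. The log formats, hostnames and
addresses below are constructed for illustration (hypothetical syntax).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    """Common schema every device line is normalized into."""
    device: str   # device type: firewall / nids / hids
    ts: str       # timestamp as logged (ISO 8601 in the sample data)
    src_ip: str   # address the activity came from
    dst_ip: str   # address (or host) it was aimed at
    kind: str     # normalized event kind, e.g. DENY, PORTSCAN, FAILED_LOGIN

# Constructed sample lines (hypothetical formats, not any vendor's syntax).
FIREWALL_LOG = [
    "2010-02-01T10:00:01Z fw01 DENY tcp 203.0.113.7:51512 -> 198.51.100.20:22",
    "2010-02-01T10:00:02Z fw01 DENY tcp 203.0.113.7:51513 -> 198.51.100.20:23",
    "2010-02-01T10:00:05Z fw01 ALLOW tcp 192.0.2.44:40000 -> 198.51.100.30:443",
]
NIDS_LOG = [
    '2010-02-01T10:00:03Z nids01 alert sid=1000001 msg="PORTSCAN" 203.0.113.7 -> 198.51.100.20',
]
HIDS_LOG = [
    "2010-02-01T10:00:09Z host=198.51.100.20 hids01 FAILED_LOGIN user=root from=203.0.113.7",
]

IP = r"(\d+\.\d+\.\d+\.\d+)"
FW_RE = re.compile(rf"^(\S+) (\S+) (ALLOW|DENY) (\w+) {IP}:\d+ -> {IP}:\d+$")
NIDS_RE = re.compile(rf'^(\S+) (\S+) alert sid=(\d+) msg="([^"]*)" {IP} -> {IP}$')
HIDS_RE = re.compile(rf"^(\S+) host={IP} (\S+) (\w+) user=(\S+) from={IP}$")

def normalize(line: str) -> Optional[Event]:
    """Map one raw line from any supported device into the common Event schema."""
    m = FW_RE.match(line)
    if m:
        ts, _host, action, _proto, src, dst = m.groups()
        return Event("firewall", ts, src, dst, action)
    m = NIDS_RE.match(line)
    if m:
        ts, _host, _sid, msg, src, dst = m.groups()
        return Event("nids", ts, src, dst, msg)
    m = HIDS_RE.match(line)
    if m:
        ts, host, _sensor, kind, _user, src = m.groups()
        return Event("hids", ts, src, host, kind)
    return None  # unparseable line; a real SOC would count and alert on these too

def reduce_events(events: List[Event]) -> Dict[Tuple[str, str, str, str], int]:
    """Collapse repeats: same device, source, destination and kind become one key with a count."""
    return Counter((e.device, e.src_ip, e.dst_ip, e.kind) for e in events)

def correlate(events: List[Event], min_devices: int = 2) -> Dict[str, List[str]]:
    """Flag source addresses reported by at least `min_devices` distinct device types.

    Returns {src_ip: sorted device types} for flagged sources only. Plain ALLOW
    records are excluded: permitted traffic is not an event of interest on its own.
    """
    seen = defaultdict(set)
    for e in events:
        if e.kind != "ALLOW":
            seen[e.src_ip].add(e.device)
    return {ip: sorted(devs) for ip, devs in seen.items() if len(devs) >= min_devices}

def run(lines: List[str]):
    """Collect -> normalize -> reduce -> correlate over a batch of raw lines."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, reduce_events(events), correlate(events)

if __name__ == "__main__":
    _events, reduced, flagged = run(FIREWALL_LOG + NIDS_LOG + HIDS_LOG)
    for key, count in reduced.items():
        print(count, key)
    for ip, devices in flagged.items():
        print(f"event of interest: {ip} reported by {', '.join(devices)}")
```

The correlation rule here is deliberately crude (any source seen by two or more device types). In the sample data the two firewall denies from 203.0.113.7 collapse to a single keyed count, and that address is then flagged because the NIDS portscan alert and the HIDS failed root login name the same source; 192.0.2.44 appears only in an ALLOW record and is never flagged. A production SOC would add a time window, severity weighting and asset context, but the shape of the pipeline is the same.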
Connectivity
The MTIPS provider allows the agency to connect
- To the public Internet through the TIC portal.
- To other agency IP networks.
- To other connections that MTIPS supports but that the reference materials do not publicly identify.
Standards Compliance
"MTIPS shall comply with the following standards, as applicable, and when commercially available. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions of the listed standards." [3]
- Applicable Internet Engineering Task Force (IETF) RFCs.
- T1.276-2003 American National Standard for Telecommunications — Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane.[4]
- IP/MPLS Forum.
- IEEE
- Metro Ethernet Forum (MEF).
- The PCI Data Security Standard (PCI DSS).
- All new versions, amendments, and modifications to the above documents and standards when offered commercially.
- MTIPS providers shall comply with current and future regulations, policies, requirements, standards, and guidelines for Federal U.S. Government technology and cyber security, including those listed below. Contractors shall comply with new document versions, amendments, and modifications. Those most notable include minimum expectations for MTIPS specified security services identified in this SOW. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions.
- E-Government Act of 2002, Title III (Federal Information Security Management Act (FISMA)).
- NIST Federal Information Processing Standards Publication (FIPS) NIST FIPS PUB 140-2 — Security Requirements for Cryptographic Modules.[5]
- NIST FIPS PUB 199 — Standards for Security Categorization of Federal Information and Information Systems.[6]
- United States Computer Emergency Readiness Team (US CERT) reporting requirements. (http://www.us-cert.gov/federal/reportingRequirements.html)
- The Health Insurance Portability & Accountability Act of 1996 (HIPAA) Standards for the Security of Electronic Health Information.
- The Sarbanes-Oxley Act of 2002.
- The Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338, November 12, 1999 (GLBA).
- The PCI Data Security Standard (PCI DSS).
- (redacted in reference)
- Standards included in Networx Contract Section C.2.4.3.1.2, Collocated Hosting Service (CHS).
- Standards included in Networx Contract Section C.2.7.3.1.2, Network Based IP Virtual Private Network Service (NBIP-VPNS).
- Standards included in Networx Contract Section C.2.10.1.1.2, Managed Firewall Service (MFS).
- Standards included in Networx Contract Section C.2.10.2.1.2, Intrusion Detection and Prevention Service (IDPS).
- Standards included in Networx Contract Section C.2.10.4.1.2, Anti-Virus Management Service (AVMS).
- Department of Homeland Security Management Directive Number 11042, DHS MD11042, 2005. (http://www.fas.org/sgp/othergov/dhs-sbu.html)[7]
- Electronic Code of Federal Regulation, Title 49, PART 1520—Protection Of Sensitive Security Information
- IETF RFC 1757 — Remote Network Monitoring Management Information Base.
- NIST suite of documents for conducting C&A.
- SP 800-18 Rev 1 — Guide for Developing Security Plans for Federal Information Systems.
- SP 800-30 — Risk Management Guide for Information Technology Systems.
- SP 800-34 — Contingency Planning Guide for Information Technology Systems.
- SP 800-37 — Guide for the Security Certification and Accreditation of Federal Information Systems.
- SP 800-53 Rev 2 — Recommended Security Controls for Federal Information Systems.
- Annex 3 to SP 800-53 Rev 2 — High Impact Baseline.
- SP 800-53 A — Guide for Assessing the Security Controls in Federal Information Systems.
- SP 800-59 — Guideline for Identifying an Information System as a National Security System.
- SP 800-60 — Guide for Mapping Types of Information and Information Systems to Security Categories.
- SP 800-64 Rev 1 — Security Considerations in the Information System Development Life Cycle.
- SP 800-84 — Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.
- Designation and Sharing of Controlled Unclassified Information (CUI), http://www.whitehouse.gov/news/releases/2008/05/20080509-6.html
- All commercially available standards for any applicable underlying access and transport services.
- OMB Memo M-05-22 — Transition Planning for Internet Protocol Version 6 (IPv6).
References
- [1] Jeff Erlichman, "MTIPS: Changing the Landscape", Government Computer News.
- [2] Carolyn Duffy Marsan, "U.S. Internet security plan revamped", Network World.
- [3] Network Managed Trusted Internet Protocol Service (MTIPS) Statement of Work (redacted) (PDF), Networx MTIPS SOW, gsa.gov (retrieved Feb. 2010).
- [4] Operations, Administration, Maintenance, and Provisioning (OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane (PDF), NSTAC (retrieved Feb. 2010).
- [5] NIST FIPS PUB 140-2, Security Requirements for Cryptographic Modules (PDF).
- [6] NIST FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (PDF).
- [7] DHS MD 11042.1 (PDF), which supersedes the cited DHS MD 11042.