Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.[1]
MTIPS will reduce the number of connections, as originally dictated in the TIC mandate, but will not reduce the connection points to the degree originally quoted. Instead, the focus has shifted to securing existing connections using the MTIPS architecture.[2]
Managed Services
The Networx Program facilitates the transition to an MTIPS transport provider for participating agencies. Verizon, AT&T, and Qwest (now CenturyLink) are the carriers who will participate in the MTIPS services.
Architecture
Standards compliance
The MTIPS framework requires compliance with the following standards. After being awarded an MTIPS contract, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions of the listed standards.[3]
- Applicable Internet Engineering Task Force (IETF) RFCs.
- T1.276-2003 American National Standard for Telecommunications — Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane.[4]
- IP/MPLS Forum.
- IEEE
  - 802.1Q
  - 802.1P
  - 802.3AD
- Metro Ethernet Forum (MEF).
- The PCI Data Security Standard (PCI DSS).
- All new versions, amendments, and modifications to the above documents and standards when offered commercially.
MTIPS providers shall comply with current and future regulations, policies, requirements, standards, and guidelines for Federal U.S. Government technology and cyber security, including those listed below. Contractors shall comply with new document versions, amendments, and modifications. Those most notable include minimum expectations for MTIPS specified security services identified in this SOW. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions.
- Federal Information Security Modernization Act of 2014.
- NIST Federal Information Processing Standards Publication (FIPS) NIST FIPS PUB 140-3 — Security Requirements for Cryptographic Modules.[5]
- NIST FIPS PUB 199 — Standards for Security Categorization of Federal Information and Information Systems.[6]
- United States Computer Emergency Readiness Team (US CERT) reporting requirements (http://www.us-cert.gov/federal/reportingRequirements.html, archived 2010-04-03 at the Wayback Machine).
- The Health Insurance Portability & Accountability Act of 1996 (HIPAA) Standards for the Security of Electronic Health Information.
- The Sarbanes–Oxley Act of 2002.
- The Gramm–Leach–Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338, November 12, 1999 (GLBA).
- The PCI Data Security Standard (PCI DSS).
- (redacted in reference)
- Standards included in Networx Contract Section C.2.4.3.1.2, Collocated Hosting Service (CHS).
- Standards included in Networx Contract Section C.2.7.3.1.2, Network Based IP Virtual Private Network Service (NBIP-VPNS).
- Standards included in Networx Contract Section C.2.10.1.1.2, Managed Firewall Service (MFS).
- Standards included in Networx Contract Section C.2.10.2.1.2, Intrusion Detection and Prevention Service (IDPS).
- Standards included in Networx Contract Section C.2.10.4.1.2, Anti-Virus Management Service (AVMS).
- Department of Homeland Security Management Directive Number 11042, DHS MD11042, 2005. (https://fas.org/sgp/othergov/dhs-sbu.html)[7]
- Electronic Code of Federal Regulations, Title 49, Part 1520—Protection of Sensitive Security Information.
- IETF RFC 1757 — Remote Network Monitoring Management Information Base.
- NIST suite of documents for conducting Security Assessment and Authorization.
  - SP 800-18 Rev. 1 — Guide for Developing Security Plans for Federal Information Systems.
  - SP 800-30 Rev. 1 — Risk Management Guide for Information Technology Systems.
  - SP 800-34 Rev. 1 — Contingency Planning Guide for Information Technology Systems.
  - SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
  - SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations.
  - SP 800-53A Rev. 4 — Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (archived 2021-02-05 at the Wayback Machine).
  - SP 800-59 — Guideline for Identifying an Information System as a National Security System.
  - SP 800-60 Vol. 1 Rev. 1 — Guide for Mapping Types of Information and Information Systems to Security Categories.
  - SP 800-60 Vol. 2 Rev. 1 — Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices.
- Designation and Sharing of Controlled Unclassified Information (CUI), http://www.whitehouse.gov/news/releases/2008/05/20080509-6.html
- All commercially available standards for any applicable underlying access and transport services.
- OMB Memo M-05-22 — Transition Planning for Internet Protocol Version 6 (IPv6).
References
- [1] MTIPS: Changing the Landscape. Jeff Erlichman, Government Computer News (archived 2010-01-03 at the Wayback Machine).
- [2] U.S. Internet security plan revamped. Carolyn Duffy Marsan, Network World.
- [3] Network Managed Trusted Internet Protocol Service (MTIPS) Statement of Work (redacted) (PDF). Networx MTIPS SOW, gsa.gov (ref. Feb. 2010; archived 2009-05-09 at the Wayback Machine).
- [4] Operations, Administration, Maintenance, and Provisioning (OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane (PDF). NSTAC (ref. Feb. 2010; archived 2009-12-29 at the Wayback Machine).
- [5] NIST FIPS PUB 140-3 (PDF).
- [6] PUB 199 (PDF) (archived 2012-05-16 at the Wayback Machine).
- [7] DHS MD11042.1 (PDF), supersedes cited DHS MD11042 (archived 2015-02-01 at the Wayback Machine).