Managed Trusted Internet Protocol Service
Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.[1]
MTIPS will reduce the number of connections, as originally dictated in the TIC mandate, but will not reduce the connection points to the degree originally quoted. Instead, the focus has shifted to securing existing connections using the MTIPS architecture.[2]
Managed Services
The Networx Program facilitates transition to an MTIPS transport provider for participating agencies. Verizon, AT&T, and Qwest (now CenturyLink) are the carriers who will participate in the MTIPS services.
Architecture
Standards Compliance
"MTIPS shall comply with the following standards, as applicable, and when commercially available. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions of the listed standards." [3]
- Applicable Internet Engineering Task Force (IETF) RFCs.
- T1.276-2003 American National Standard for Telecommunications — Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane.[4]
- IP/MPLS Forum.
- IEEE
- Metro Ethernet Forum (MEF).
- The PCI Data Security Standard (PCI DSS).
- All new versions, amendments, and modifications to the above documents and standards when offered commercially.
- MTIPS providers shall comply with current and future regulations, policies, requirements, standards, and guidelines for Federal U.S. Government technology and cyber security, including those listed below. Contractors shall comply with new document versions, amendments, and modifications. Those most notable include minimum expectations for MTIPS specified security services identified in this SOW. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions.
- E-Government Act of 2002, Title III (Federal Information Security Management Act (FISMA)).
- NIST Federal Information Processing Standards Publication (FIPS) NIST FIPS PUB 140-2 — Security Requirements for Cryptographic Modules.[5]
- NIST FIPS PUB 199 — Standards for Security Categorization of Federal Information and Information Systems.[6]
- United States Computer Emergency Readiness Team (US CERT) reporting requirements. (http://www.us-cert.gov/federal/reportingRequirements.html)
- The Health Insurance Portability & Accountability Act of 1996 (HIPAA) Standards for the Security of Electronic Health Information.
- The Sarbanes-Oxley Act of 2002.
- The Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338, November 12, 1999 (GLBA).
- The PCI Data Security Standard (PCI DSS).
- (redacted in reference)
- Standards included in Networx Contract Section C.2.4.3.1.2, Collocated Hosting Service (CHS).
- Standards included in Networx Contract Section C.2.7.3.1.2, Network Based IP Virtual Private Network Service (NBIP-VPNS).
- Standards included in Networx Contract Section C.2.10.1.1.2, Managed Firewall Service (MFS).
- Standards included in Networx Contract Section C.2.10.2.1.2, Intrusion Detection and Prevention Service (IDPS).
- Standards included in Networx Contract Section C.2.10.4.1.2, Anti-Virus Management Service (AVMS).
- Department of Homeland Security Management Directive Number 11042, DHS MD11042, 2005. (https://fas.org/sgp/othergov/dhs-sbu.html)[7]
- Electronic Code of Federal Regulation, Title 49, PART 1520—Protection Of Sensitive Security Information
- IETF RFC 1757 — Remote Network Monitoring Management Information Base.
- NIST suite of documents for conducting C&A.
  - SP 800-18 Rev 1 — Guide for Developing Security Plans for Federal Information Systems.
  - SP 800-30 — Risk Management Guide for Information Technology Systems.
  - SP 800-34 — Contingency Planning Guide for Information Technology Systems.
  - SP 800-37 — Guide for the Security Certification and Accreditation of Federal Information Systems.
  - SP 800-53 Rev 2 — Recommended Security Controls for Federal Information Systems.
  - Annex 3 to SP 800-53 Rev 2 — High Impact Baseline.
  - SP 800-53 A — Guide for Assessing the Security Controls in Federal Information Systems.
  - SP 800-59 — Guideline for Identifying an Information System as a National Security System.
  - SP 800-60 — Guide for Mapping Types of Information and Information Systems to Security Categories.
  - SP 800-64 Rev 1 — Security Considerations in the Information System Development Life Cycle.
  - SP 800-84 — Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities.
- Designation and Sharing of Controlled Unclassified Information (CUI), http://www.whitehouse.gov/news/releases/2008/05/20080509-6.html
- All commercially available standards for any applicable underlying access and transport services.
- OMB Memo M-05-22 — Transition Planning for Internet Protocol Version 6 (IPv6).
References
- MTIPS: Changing the Landscape. Jeff Erlichman, Government Computer News
- U.S. Internet security plan revamped. Carolyn Duffy Marsan, Network World
- Network Managed Trusted Internet Protocol Service (MTIPS) Statement of Work (redacted) (PDF). Archived 2009-05-09 at the Wayback Machine. Networx MTIPS SOW, gsa.gov (ref: Feb. 2010)
- Operations, Administration, Maintenance, and Provisioning (OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane (PDF). NSTAC (ref. Feb. 2010)
- NIST FIPS PUB 140-2 (PDF)
- PUB 199 (PDF)
- DHS MD11042.1 (PDF), supersedes cited DHS MD11042