Managed Trusted Internet Protocol Service

Last updated July 08, 2024

Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.^[1]

Managed Services

The Networx Program facilitates the transition to an MTIPS transport provider for participating agencies. Verizon, AT&T, and Qwest (now CenturyLink) are the carriers who will participate in the MTIPS services^{[ citation needed ]}.

Architecture

Standards compliance

The MTIPS framework requires compliance with the following standards. After being awarded an MTIPS contract, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions of the listed standards.^[3]

Applicable Internet Engineering Task Force (IETF) RFCs.
T1.276-2003 American National Standard for Telecommunications — Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane.^[4]
IP/MPLS Forum.
IEEE
- 802.1Q
- 802.1P
- 802.3AD
Metro Ethernet Forum (MEF).
The PCI Data Security Standard (PCI DSS).
All new versions, amendments, and modifications to the above documents and standards when offered commercially.
MTIPS providers shall comply with current and future regulations, policies, requirements, standards, and guidelines for Federal U.S. Government technology and cyber security, including those listed below. Contractors shall comply with new document versions, amendments, and modifications. Those most notable include minimum expectations for MTIPS specified security services identified in this SOW. After award, the contractor may propose alternatives at no additional cost to the Government that meet or exceed the provisions.
Federal Information Security Modernization Act of 2014.
NIST Federal Information Processing Standards Publication (FIPS) NIST FIPS PUB 140-3 — Security Requirements for Cryptographic Modules.^[5]
NIST FIPS PUB 199 — Standards for Security Categorization of Federal Information and Information Systems.^[6]
United States Computer Emergency Readiness Team (US CERT) reporting requirements. (http://www.us-cert.gov/federal/reportingRequirements.html Archived 2010-04-03 at the Wayback Machine )
The Health Insurance Portability & Accountability Act of 1996 (HIPAA) Standards for the Security of Electronic Health Information.
The Sarbanes–Oxley Act of 2002.
The Gramm–Leach–Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338, November 12, 1999 (GLBA).
The PCI Data Security Standard (PCI DSS).
(redacted in reference)
Standards included in Networx Contract Section C.2.4.3.1.2, Collocated Hosting Service (CHS).
Standards included in Networx Contract Section C.2.7.3.1.2, Network Based IP Virtual Private Network Service (NBIP-VPNS).
Standards included in Networx Contract Section C.2.10.1.1.2, Managed Firewall Service (MFS).
Standards included in Networx Contract Section C.2.10.2.1.2, Intrusion Detection and Prevention Service (IDPS).
Standards included in Networx Contract Section C.2.10.4.1.2, Anti-Virus Management Service (AVMS).
Department of Homeland Security Management Directive Number 11042, DHS MD11042, 2005. (https://fas.org/sgp/othergov/dhs-sbu.html Archived 2015-04-28 at the Wayback Machine )^[7]
Electronic Code of Federal Regulation, Title 49, PART 1520—Protection Of Sensitive Security Information
IETF RFC 1757 — Remote Network Monitoring Management Information Base.
NIST suite of documents for conducting Security Assessment and Authorization.
- SP 800-18 Rev. 1 — Guide for Developing Security Plans for Federal Information Systems. Archived 2021-02-15 at the Wayback Machine
- SP 800-30 Rev. 1 — Risk Management Guide for Information Technology Systems. Archived 2021-03-04 at the Wayback Machine
- SP 800-34 Rev. 1 — Contingency Planning Guide for Information Technology Systems. Archived 2021-01-28 at the Wayback Machine
- SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Archived 2021-02-10 at the Wayback Machine
- SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations. Archived 2021-04-23 at the Wayback Machine
- SP 800-53A Rev. 4 — Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Archived 2021-02-05 at the Wayback Machine
- SP 800-59 — Guideline for Identifying an Information System as a National Security System. Archived 2021-02-10 at the Wayback Machine
- SP 800-60 Vol. 1 Rev. 1 — Guide for Mapping Types of Information and Information Systems to Security Categories. Archived 2021-02-12 at the Wayback Machine
- SP 800-60 Vol. 2 Rev. 1 — Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. Archived 2021-01-22 at the Wayback Machine
Designation and Sharing of Controlled Unclassified Information (CUI), http://www.whitehouse.gov/news/releases/2008/05/20080509-6.html Archived 2009-01-17 at the Wayback Machine *All commercially available standards for any applicable underlying access and transport services.
OMB Memo M-05-22 — Transition Planning for Internet Protocol Version 6 (IPv6).

Related Research Articles

The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer situs of non-military United States government agencies and contractors. FIPS standards establish requirements for ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist. AIR FIPS specifications are modified versions of standards the technical communities use, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).

The Federal Information Processing Standard Publication 140-2,, is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on May 25, 2001, and was last updated December 3, 2002.

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules.

NSA Suite B Cryptography was a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It was to serve as an interoperable cryptographic base for both unclassified information and most classified information.

FIPS 201 is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

The GSA Networx is a set of federal government contracts for civilian telecommunication for the General Services Administration (GSA) in the United States. It consists of two programs - Networx Universal and Networx Enterprise to support the Trusted Internet Connection initiative by Office of Management and Budget.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally indented for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

The Federal Information Processing Standard Publication 140-3 is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on March 22, 2019 and it supersedes FIPS 140-2.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

The National Institute for Standards and Technology's (NIST) Risk Management Framework (RMF) is a United States federal government guideline, standard and process for risk management to help secure information systems developed by National Institute of Standards and Technology. The Risk Management Framework (RMF), illustrated in the diagram to the right, provides a disciplined and structured process that integrates information security, privacy and risk management activities into the system development life cycle.

File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline. This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. Other file attributes can also be used to monitor integrity.

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

NIST Special Publication 800-92, "Guide to Computer Security Log Management", establishes guidelines and recommendations for securing and managing sensitive log data. The publication was prepared by Karen Kent and Murugiah Souppaya of the National Institute of Science and Technology and published under the SP 800-Series; a repository of best practices for the InfoSec community. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time.

Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite cyber attacks. Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness, which is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements.

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, formed in October 2000. Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.

References

↑ MTIPS: Changing the Landscape Archived 2010-01-03 at the Wayback Machine Jeff Erlichman, Government Computer News
↑ U.S. Internet security plan revamped Carolyn Duffy Marsan, Network World ^{[ dead link ]}
↑ Network Managed Trusted Internet Protocol Service (MTIPS) Statement of Work (redacted) ^{[ dead link ]} Archived 2009-05-09 at the Wayback Machine (PDF) Networx MTIPS SOW, gsa.gov (ref: Feb. 2010)
↑ Operations, Administration, Maintenance, and Provisioning(OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane Archived 2009-12-29 at the Wayback Machine (PDF) NSTAC, (ref. Feb. 2010)
↑ "Security requirements for cryptographic modules". 2019. doi:10.6028/NIST.FIPS.140-3.
↑ Archived 2012-05-16 at the Wayback Machine (PDF) PUB 199
↑ Archived 2015-02-01 at the Wayback Machine (PDF) DHS MD11042.1, supersedes cited DHS MD11042

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ref1-1] MTIPS: Changing the Landscape Archived 2010-01-03 at the Wayback Machine Jeff Erlichman, Government Computer News

[ref2-2] U.S. Internet security plan revamped Carolyn Duffy Marsan, Network World ^{[ dead link ]}

[ref3-3] Network Managed Trusted Internet Protocol Service (MTIPS) Statement of Work (redacted) ^{[ dead link ]} Archived 2009-05-09 at the Wayback Machine (PDF) Networx MTIPS SOW, gsa.gov (ref: Feb. 2010)

[4] Operations, Administration, Maintenance, and Provisioning(OAM&P) Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane Archived 2009-12-29 at the Wayback Machine (PDF) NSTAC, (ref. Feb. 2010)

[5] "Security requirements for cryptographic modules". 2019. doi:10.6028/NIST.FIPS.140-3.

[6] Archived 2012-05-16 at the Wayback Machine (PDF) PUB 199

[7] Archived 2015-02-01 at the Wayback Machine (PDF) DHS MD11042.1, supersedes cited DHS MD11042

[1]

[2]

[3]

[4]

[5]

[6]

[7]