CISA Finalizes Guidance for Securing Federal Networks for Remote Users

mattjeacock/istockphoto.com

The latest guidance is the third of four use cases to be released as part of the Trusted Internet Connection 3.0 initiative.

The government’s cybersecurity leads released the final version of guidance for how agencies can ensure employees connecting to government networks from remote locations—like from home while teleworking—do so securely.

Thursday’s release marks the third of four use cases that together constitute the basis of the government’s Trusted Internet Connection 3.0 policy, the policy developed to govern how agencies and their employees connect to the internet.

While past iterations of TIC have focused on building strong boundaries between government networks and the public internet, the evolution of cloud computing and advances in wireless connections and mobile devices have severely reduced the importance of perimeter protections. The latest version of TIC recognizes this and attempts to center security on principles like zero trust that focus more on data protection and user authentication than perimeter defense.

Program officials at the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget also realized the speed of technology would make hard guidance obsolete within a short timeframe. So, rather than a prescriptive set of guidance documents, the agencies opted to release overarching reference documents along with use cases highlighting strong security architectures that can be replicated at other agencies.

Securing remote users became top of mind for every federal agency in early 2020, as the administration called for maximum telework to stem the spread of COVID-19. As thousands of federal employees began working from home, the TIC program office released interim guidance for securing telework connections but stressed that policy would not be the final word.

On Thursday, the program office released the final, official remote user guidance, with few updates from the original draft released in December 2020.

“These users could be personnel working from home, connecting from a hotel or telecommuting from a non-agency-controlled location,” the comments response summary states. “Collectively, the TIC 3.0 guidance is key in offering flexibility to agencies that are modernizing and securing the connections between the internet, agencies, the cloud, and mobile—remote—users.”

The release includes a new document with stakeholder questions and officials’ responses and adds new capabilities for agencies to deploy, including application containers and remote desktop access at the enterprise level and domain name monitoring.

The final remote user use case also adds to the list of universal security capabilities, which apply across all TIC use cases. The list now includes user training and awareness among other key capabilities like backup and recovery, maintaining logs, having strong authentication and least privilege access, among others.

Commentors broadly asked for four things from the final version:

  • For CISA to add clarity around telemetry—the network data used by the agency and CISA to monitor the security posture of a given system.
  • Additional guidance for security capabilities.
  • Integrating zero trust architecture concepts to align with other TIC and governmentwide initiatives.
  • Additional guidance on other topics, “such as expanding definitions, aligning security capabilities to other cybersecurity guidance and including new security patterns.”

CISA officials said they took all of these comments into consideration and incorporated the first three into the final guidance. However, the fourth request was determined to be out of scope for the remote user use case, though officials might include some of those considerations when finalizing outstanding draft use cases.

While CISA has finalized use cases for traditional connections, branch offices and, now, remote users, the agency still needs to finalize the use case for cloud connections—the last of the four use cases promised in the original guidance from OMB in 2019.

Even once the final use case is released, the work continues for the TIC program office, which plans to take on new use cases as the needs arise. The office has already released guidance for transitioning from IPv4 to IPv6 and officials expect other use cases around the internet of things and emerging technologies.

“Between the ones in the memo and the others that are speculative, we expect about 10 use cases,” TIC Program Manager Sean Connelly told Nextgov in March 2020. “Then, we’ll hear from agencies about where they want to go next.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.