CISA Releases Draft Use Case For Securing Remote, Mobile and Teleworking Connections

With many federal employees still teleworking, federal officials dropped a holiday gift for cybersecurity managers across the government: the draft remote user use case for the latest iteration of the Trusted Internet Connection, or TIC, policy.

The Cybersecurity and Infrastructure Security Agency, or CISA, released the draft use case Tuesday for public comment, asking stakeholders to offer feedback on the best methods for securing mobile and personal devices connecting to agency networks. The late-in-the-year policy drop meets the agency’s promise to deliver hard guidance—even if in draft form—before interim guidance released in April expires at the end of December.

The nature of computing has changed a lot since the first TIC policy was issued in 2007, and even since the last update—TIC 2—in 2012. Since that time, the use of cloud and remote computing have skyrocketed, as have security techniques for traditional connections, like at an agency’s headquarters office.

To meet these new realities, the Office of Management and Budget issued a new TIC 3 policy in September 2019. But rather than creating another stagnant guidance document, the policy pushes agencies toward a set of evolving use cases developed by CISA.

“We have the guidebook and the reference architecture documents—we consider those more of the strategic documents, the ones agencies use to build out their understanding of TIC 3 in general,” TIC Program Manager Sean Connelly told Nextgov in March. “And then what we call the operational, the more technical documents: the use cases, the security capabilities and the overlays. We think those are the ones that will be used more by agencies as they build out and secure their environments.”

The main body of the new TIC 3 policy was finalized in July, including the TIC 3 Guidebook; the reference architecture explaining how the concepts should be applied to agency enterprises; and the Security Capabilities Catalog, formerly the Security Capability Handbook.

But the real meat of the policy is in several use cases outlining specific scenarios and how agencies should secure those connections.

The program office released draft use cases late last year for traditional connections and branch offices—two of the primary use cases called out in the OMB policy. Remote users and cloud services were also cited in the memo, though CISA officials saw an urgent need to move on the remote use case as federal employees continue to telework en masse in response to the COVID-19 pandemic.

The agency released some interim telework security guidance in April with the caveat that it was not related to the official TIC 3 policy and a full use case would be published before the end of 2020. A forward in the latest document notes the draft use case will replace the interim guidance.

While the interim guidance offers a number of useful tips for creating secure remote connections to the cloud, the new draft use case expands that to include connections on-premise at agency facilities and to the internet at large.

The new use case outlines how remote users connect to agency networks and resources and highlights the different security enclaves—or trust zones—including the user; the agency; a cloud service provider, if applicable; and the internet at large. The document then outlines how an agency would secure these zones in a traditional context, with relevant alterations to meet the needs of a remote and teleworking workforce.

CISA officials noted the use case broadens the definition of remote users to include employees working on mobile as well as personal devices, also known as bring your own device, or BYOD. This also extends to the use of mobile devices—personal or government-furnished—while physically present in an agency building, per the document.

“The draft use case is designed to help agencies preserve security as they move away from traditional network scenarios in support of the maximized telework environment,” Matt Hartman, acting assistant director of CISA’s Cybersecurity Division, said in a statement Tuesday. “CISA expects the security guidance will help agencies improve application performance, reduce costs through reduction of private links and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services.”

The draft document is open for public comment until Jan. 29.

RELATED PODCAST