CISA Offers Aid to Enhance Telework Security
TIC 3.0 divides agency architectures by “trust zones,” or security enclaves, and it shifts the emphasis “from a strictly physical network perimeter to the boundaries of each zone within an agency environment to ensure baseline security protections across dispersed network environments,” CISA states in TIC 3.0 documentation.
The remote work guidance assumes that agencies are doing their due diligence in terms of managing endpoints, and therefore requirements for endpoint protection are beyond the scope of the guidance.
According to the guidance, the remote work use case is composed of four trust zones: remote user, agency campus, cloud service provider and the general internet. Each trust zone in a use case is labeled with a high, medium or low trust level based on a pilot implementation or best practices, according to CISA.
“The draft use case is designed to help agencies preserve security as they move away from traditional network scenarios in support of the maximized telework environment,” Matt Hartman, acting assistant director of the CISA Cybersecurity Division, said in a statement. “CISA expects the security guidance will help agencies improve application performance, reduce costs through reduction of private links and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services.”
CISA notes in the guidance that “with agency users working outside the traditional agency physical and network boundaries, agencies may need to reconsider their deployed protections.”
Those include access and network protections, the diversity of devices trying to access agency resources to get work done, and how and where cybersecurity policies are enforced. As the guidance notes, in remote environments, agencies have less control and visibility over users’ devices, and agencies may try to make it more difficult for users to access certain agency services or capabilities.
“Agencies may need to deploy additional capabilities to further restrict the types of access the agency user devices have to agency services and data,” the guidance states. “The agency must have policies in place ensuring that agency data is properly separated from personal data and cannot be accessed or transmitted except by agency-approved mechanisms.”
The draft document is open for public comment until Jan. 29.