Jan 11 2021

CISA Releases New Guidance for Remote Work Security

The guidance for the Trusted Internet Connections 3.0 initiative covers remote endpoints, including mobile devices.

With many federal agencies continuing to support large-scale remote work, and in the wake of a sophisticated cyberattack the government is still sorting through, the need for increased cybersecurity is more pressing than ever.

In late December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency provided some aid to IT security leaders and managers across the government. CISA released draft use case guidance for remote work for public comment as part of the Trusted Internet Connections 3.0 initiative.

In July, CISA released the full TIC 3.0 guidance, with support for several use cases, including cloud, branch offices and remote work. The new guidance, issued in December, fleshes out the remote work use case and details security needed for external connections to federal networks.

CISA noted in a statement that the guidance could be used for personnel “working from home, connecting from a hotel, or telecommuting from a non-agency-controlled location” and also extends the definition of remote users to include those using mobile devices, including via BYOD.

CISA Offers Aid to Enhance Telework Security

TIC 3.0 divides agency architectures by “trust zones,” or security enclaves, and it shifts the emphasis “from a strictly physical network perimeter to the boundaries of each zone within an agency environment to ensure baseline security protections across dispersed network environments,” CISA states in TIC 3.0 documentation.

The remote work guidance assumes that agencies are doing their due diligence in terms of managing endpoints, and therefore requirements for endpoint protection are beyond the scope of the guidance.

According to the guidance, the remote work use case is composed of four trust zones: remote user, agency campus, cloud service provider and the general internet. Each trust zone in a use case is labeled with a high, medium or low trust level based on a pilot implementation or best practices, according to CISA.

“The draft use case is designed to help agencies preserve security as they move away from traditional network scenarios in support of the maximized telework environment,” Matt Hartman, acting assistant director of the CISA Cybersecurity Division, said in a statement. “CISA expects the security guidance will help agencies improve application performance, reduce costs through reduction of private links and improve user experience by facilitating remote user connections to agency-sanctioned cloud services and internal agency services.”

CISA notes in the guidance that “with agency users working outside the traditional agency physical and network boundaries, agencies may need to reconsider their deployed protections.”

Those include access and network protections, the diversity of devices trying to access agency resources to get work done, and how and where cybersecurity policies are enforced. As the guidance notes, in remote environments, agencies have less control and visibility over users’ devices, and agencies may try to make it more difficult for users to access certain agency services or capabilities.

“Agencies may need to deploy additional capabilities to further restrict the types of access the agency user devices have to agency services and data,” the guidance states. “The agency must have policies in place ensuring that agency data is properly separated from personal data and cannot be accessed or transmitted except by agency-approved mechanisms.”

The draft document is open for public comment until Jan. 29.

MORE FROM FEDTECH: What does it mean practically to deploy a zero-trust architecture?

MesquitaFMS/Getty Images

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.