The Cybersecurity and Infrastructure Security Agency released temporary guidance April 8 for federal network cybersecurity as a way to increase protections during the spike in telework from the coronavirus pandemic.
CISA, an organization within the Department of Homeland Security tasked with securing federal networks, released its interim Trusted Internet Connection 3.0 telework guidance to address scenarios in which federal employees need to connect remotely to agency cloud environments.
TIC is designed to secure federal network traffic. Because of the stress placed on federal networks due to telework, agencies may need to expand their cloud services, virtual private network and bandwidth to accommodate more users.
“To the extent practical, agencies should assess risks associated with broadening the use of cloud and collaboration services to ensure that due care as well as due diligence is applied to these changes in their respective information technology (IT) and user environments,” the guidance says.
The interim guidance encourages agencies to implement several security controls related to tracking users’ use of agency devices. It includes considerations for aspects such as situational awareness, incident response and intrusion detection. The guidance also encourages agencies to consider adding threat intelligence feeds that “align with new services or delivery mechanisms deployed.”
The guidance from CISA builds on the draft TIC 3.0 guidance it released late last year, but is not intended to be a permanent part of the TIC 3.0 document set, the guidance notes. The interim guidance will expire at the end of 2020.
The interim document also adds two new policy enforcement points: data protection and unified communications and collaboration.
The new data protection point was added because the increase in telework “requires agencies to have processes and tools in place to protect agency data, prevent data exfiltration, and ensure the privacy and integrity of data, considering that data may be accessed from devices beyond the protections and perhaps administration of agencies,” the guidance explains.
As for unified communications and collaboration (UCC), the rise in virtual meetings means agencies must be diligent about who is accessing what information and must mitigate that threat.
“Protections offered can vary significantly between UCC vendors and even within a single vendor, where some of a vendor’s offerings may be certified to offer additional protections (e.g., FedRAMP, HIPAA) while other versions lack those protections,” the guidance reads.
The draft TIC 3.0 guidance, released by CISA in December last year, presented new use cases to accommodate federal agencies’ move to cloud environments. In September, the Office of Management and Budget nullified several years-old TIC policy documents that it said were hindering federal cloud adoption.
The interim guidance was praised by industry.
“CISA has shown real leadership, pushing forward quickly with needed changes and guidance for remote telework in this time of need,” said Stephen Kovac, vice president of global government and head of corporate compliance at Zscaler.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.