The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to federal agencies to help them establish and maintain telework for their employees and contractors that comports with a recently revamped program to ensure that federal civilian agencies are limiting their cyber risk and exposure. The ad hoc guidance comes at a time when many federal employees and contractors are working from home, thus raising all sorts of security issues given the sensitivity of information some receive and handle.
In the TIC 3.0 Interim Telework Guidance, CISA stated “this document provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments.” The agency cautioned that “[t]he guidance is short-term for Calendar Year (CY) 2020 and is expected to be incorporated into a Remote User Use Case later.”
CISA stated that “[a]s federal civilian agencies respond to the COVID-19 situation, the number of federal agency employees working remotely has increased dramatically…[and] [i]n order to support agencies as they respond to this surge in teleworking, CISA is issuing this interim TIC guidance to help agencies leverage existing resources to secure their networks.” CISA said that “[t]he purpose of this document is to help federal civilian agencies address the telework surge concerns by:
- Providing awareness that the security patterns outlined under Agency Teleworker Options 1 and 2 (below) align to TIC architecture capabilities as presented in the draft TIC 3.0 guidance (December 2019).
  - Agencies should ensure that appropriate data sharing is maintained with Agency Security Operations Centers.
  - Agencies should be prepared to discuss the availability of log and telemetry features in order to determine what relevant information will need to be provided to CISA for cybersecurity analytical purposes.
- Informing agencies that the interim guidance provided under Agency Teleworker Option 3 provides additional temporary relief with additional security patterns.
- Suggesting security capabilities for agencies to consider when creating or expanding their teleworking platforms.
- Allowing vendors to map the cybersecurity capabilities provided by their services to the TIC security capabilities that support secure teleworking.”
- This document is only intended to address the current teleworking surge. It is not intended to be part of the TIC 3.0 document set or support a TIC 3.0 use case; it will be deprecated at the end of 2020. The guidance is not intended to be comprehensive and should not be interpreted as a use case nor reference architecture. Agencies can refer to the TIC 3.0 document set for more details on the TIC program and objectives, additional TIC 3.0 guidance, and clarification of TIC terminology used throughout this document. This interim guidance will be integrated into the TIC 3.0 Remote User Use Case at a later date.
- The COVID-19 situation presents unique cybersecurity threats, and agencies must consider these unique threats when securing their platforms. This document identifies a subset of the security capabilities detailed in the TIC 3.0 Security Capabilities Handbook that are applicable to the current telework surge and can be used to prevent, mitigate, and detect some of these emerging threats. This document also introduces new TIC security capabilities that are unique to telework. The full set of TIC security capabilities can be found in the TIC 3.0 TIC Security Capabilities Handbook.
- This document is only intended to address scenarios in which agency users connect remotely to agency-sanctioned cloud environments. Any traffic to the public internet (i.e., public web traffic) must still be routed through EINSTEIN sensors, the operational capabilities of the National Cybersecurity Protection System (NCPS) program. When in doubt, agency traffic should be routed through EINSTEIN sensors.
- Vendors will be responsible for mapping their service offerings to the suggested TIC objectives and security capabilities. Agencies and vendors should work together to identify appropriate implementation approaches that focus on improving employment of capabilities and services in alignment with agency risk tolerances.
- Agencies, in consultation with appropriate vendors, will coordinate the expansion of cloud and collaboration services that deviate from existing reference architectures to ensure that CISA programs are notified. Agencies should be prepared to discuss the availability of log and telemetry features in order to determine what relevant information will need to be provided to CISA for cybersecurity analytical purposes.
In September 2019, the Office of Management and Budget (OMB) released its long-awaited revision of the TIC initiative that is of a piece with the Trump Administration’s push to modernize the federal government’s information technology (IT), notably by moving as much of operations as possible and feasible to the cloud. The Department of Homeland Security (DHS) will define what constitutes “TIC Use Cases” that will define alternative standards and processes that agencies may ultimately use instead of TIC. To this end, “DHS, in coordination with OMB and the Federal Chief Information Security Officer (CISO) Council shall establish and publicly release a detailed process document.”
The purpose of the TIC initiative is to enhance network security across the Federal Government. Initially, this was done through the consolidation of external connections and the deployment of common tools at these access points. While this prior work has been invaluable in securing Federal networks and information, the program must adapt to modern architectures and frameworks for government IT resource utilization. Accordingly, this memorandum provides an enhanced approach for implementing the TIC initiative that provides agencies with increased flexibility to use modern security capabilities. This memorandum also establishes a process for ensuring the TIC initiative is agile and responsive to advancements in technology and rapidly evolving threats.