The government’s cybersecurity leads released the final version of guidance for how agencies can ensure employees connecting to government networks from remote locations—like from home while teleworking—do so securely.
Thursday’s release marks the third of four use cases that together constitute the basis of the government’s Trusted Internet Connection 3.0 policy, the policy developed to govern how agencies and their employees connect to the internet.
While past iterations of TIC have focused on building strong boundaries between government networks and the public internet, the evolution of cloud computing and advances in wireless connections and mobile devices have severely reduced the importance of perimeter protections. The latest version of TIC recognizes this and attempts to center security on principles like zero trust that focus more on data protection and user authentication than perimeter defense.
Program officials at the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget also realized the speed of technology would make hard guidance obsolete within a short timeframe. So, rather than a prescriptive set of guidance documents, the agencies opted to release overarching reference documents along with use cases highlighting strong security architectures that can be replicated at other agencies.
Securing remote users became top of mind for every federal agency in early 2020, as the administration called for maximum telework to stem the spread of COVID-19. As thousands of federal employees began working from home, the TIC program office released interim guidance for securing telework connections but stressed that policy would not be the final word.
On Thursday, the program office released the final, official remote user guidance, with few updates from the original draft released in December 2020.
“These users could be personnel working from home, connecting from a hotel or telecommuting from a non-agency-controlled location,” the comments response summary states. “Collectively, the TIC 3.0 guidance is key in offering flexibility to agencies that are modernizing and securing the connections between the internet, agencies, the cloud, and mobile—remote—users.”
The release includes a new document with stakeholder questions and officials’ responses and adds new capabilities for agencies to deploy, including application containers and remote desktop access at the enterprise level and domain name monitoring.
The final remote user use case also adds to the list of universal security capabilities, which apply across all TIC use cases. The list now includes user training and awareness among other key capabilities like backup and recovery, maintaining logs, having strong authentication and least privilege access, among others.
Commentors broadly asked for four things from the final version:
- For CISA to add clarity around telemetry—the network data used by the agency and CISA to monitor the security posture of a given system.
- Additional guidance for security capabilities.
- Integrating zero trust architecture concepts to align with other TIC and governmentwide initiatives.
- Additional guidance on other topics, “such as expanding definitions, aligning security capabilities to other cybersecurity guidance and including new security patterns.”
CISA officials said they took all of these comments into consideration and incorporated the first three into the final guidance. However, the fourth request was determined to be out of scope for the remote user use case, though officials might include some of those considerations when finalizing outstanding draft use cases.
While CISA has finalized use cases for traditional connections, branch offices and, now, remote users, the agency still needs to finalize the use case for cloud connections—the last of the four use cases promised in the original guidance from OMB in 2019.
Even once the final use case is released, the work continues for the TIC program office, which plans to take on new use cases as the needs arise. The office has already released guidance for transitioning from IPv4 to IPv6 and officials expect other use cases around the internet of things and emerging technologies.
“Between the ones in the memo and the others that are speculative, we expect about 10 use cases,” TIC Program Manager Sean Connelly told Nextgov in March 2020. “Then, we’ll hear from agencies about where they want to go next.”