Federal Telework Guidance to Bolster Cybersecurity During COVID-19 Remote Operations

Published: April 17, 2020

Federal Market AnalysisCoronavirus (COVID-19) PandemicCybersecurityCISAPolicy and LegislationTelework

The lead agency for federal cybersecurity wants agencies to take steps to ensure the cybersecurity of their teleworkers.

Key Takeaways

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued suggested efforts that federal agencies should make to ensure the cybersecurity of their teleworking staff during remote operations due to COVID-19.
  • CISA provided a Service Provider Overlay template that agencies and cyber-solution providers can use to map needs with solutions.
  • This CISA guidance is only intended to address the current teleworking surge and not to be regarded as a permanent addition to TIC. It is set to expire at the end of 2020.

Addressing the Federal Telework Surge

Social distancing due to COVID-19 has rapidly increased the percentage of the federal workforce that is working remotely, raising concerns over operational cybersecurity of federal information and IT platforms.

To help federal civilian agencies address cybersecurity concerns presented by the telework surge the Cybersecurity and Infrastructure Security Agency (CISA) recently released a Trusted Internet Connections 3.0 Interim Telework Guidance. In the new contextual guidance CISA identifies a subset of the security capabilities from their TIC 3.0 Security Capabilities Handbook that are applicable to the current telework surge. CISA also introduces some new TIC security capabilities that are unique to telework. Similar to earlier CISA guidance on the critical infrastructure workforce during the coronavirus response, this telework security guidance is not intended to be prescriptive. Agencies have flexibility in applying it.

CISA noted that the guidance is only intended to address the current teleworking surge and not to be regarded as part of the TIC 3.0 document set or to support a TIC 3.0 use case. CISA intends for it to be disapproved at the end of 2020.

Securing Teleworking Done via Cloud Services

The guidance focuses on addressing scenarios in which agency users connect remotely to agency-sanctioned cloud service provider (CSP) environments, rather than scenarios where users connect directly to agency campus hosted resources. (Any public web traffic must still be routed through EINSTEIN sensors per existing rules.)

The TIC Security Capabilities List for Telework include the following:

  • Universal Security Capabilities – These are enterprise-level capabilities that apply across TIC Use Cases, such as strong authentication, situational awareness and integrated desktop, mobile, and remote policies.
  • Policy Enforcement Point (PEP) Capabilities – These are network-level capabilities that inform technical implementation for a given use case, such as teleworker communication with agency-sanctioned CSPs. PEP capabilities applicable to telework include file protections such as anti-malware, email protections such as anti-phishing, and Intrusion Detection such as endpoint detection and response tools.
  • Enterprise Capabilities – Effective telework often depends on users’ ability to remotely access an agency network, agency managed application, or an agency computer. Methods include VPN, mobile application containers, and remote desktop access.
  • Unified Communications and Collaboration – Telework often requires virtual meetings, frequently conducted using unified communications and collaboration (UCC) tools. From a security and risk standpoint, the primary concerns are to make sure that only the desired content is shared with the intended people that have access to that content.
  • Data Protection – Data protection is the process of maintaining the confidentiality, integrity and availability of agency data consistent with its risk management strategy. The surge in telework requires agencies to have processes and tools in place to protect agency data, prevent data exfiltration, and ensure the privacy and integrity of data, considering that data may be accessed from devices beyond the protections and perhaps administration of agencies.

CISA included a Service Provider Overlay template to help vendors align their products and services to the TIC telework security capabilities described above. Agencies can use the resulting overlays to identify products and services that fulfill their security capability needs in line with their risk tolerance and mission needs during the telework surge.

Implications

The current telework surge may require an increase in existing services such as internet bandwidth and VPN capabilities to meet the demand of remote operations. Additionally, the surge could drive a need for some agencies to quickly deploy new or expanded cloud services or authorize or expand the use of Bring Your Own Device (BYOD). To secure all of this some agencies may need to expand or upgrade their existing set of cybersecurity tools and services.  

Agencies and their supporting vendors will need work together to match TIC objectives and needed security capabilities with solutions and identify appropriate implementation approaches that quickly and effectively meet the telework surge needs.