CISA looks to help secure federal telework

New guidance allows teleworking feds to connect and access agency and cloud resources from their homes while staying in compliance with the Trusted Internet Connection program.


The Cybersecurity and Infrastructure Security Agency has released new emergency guidance detailing how federal agencies can safely navigate the surge in telework following the COVID-19 outbreak.

CISA wants to manage web traffic and align data connections with authorized activities, protect the confidentiality and integrity of that traffic, promote the use of applications and services that ensure continuity of operations and allow for timely reaction and adaptation by agencies to newly discovered threats. The document also offers telework-specific guidance on capabilities like backup and recovery, log management, configuration management, incident response, authentication, vulnerability assessment, shared services and others.

"Agencies are making risk-based decisions in an environment that is completely different than it was 3-4 weeks ago," Ross Nodurft, Senior Director for Cybersecurity Services at Venable, told FCW. "Telework is now something that has to happen quickly and in order to do that you're going to see more and more workloads put in a cloud environment and agencies will be interacting with them in a more robust way than before."

The guidance offers three options for federal agencies to consider during the crisis, noting that "teleworkers require access to resources on the agency campus, agency-sanctioned cloud services and on the public web" and each choice presents "unique risks and corresponding security capabilities."

The first option allows teleworkers to directly access cloud service provider (CSP) resources. Certain capabilities that the agency would normally handle through an internal TIC or a service provider are duplicated at the CSP, and policy enforcement is done at the CSP level.

The second option involves teleworkers establishing a protected connection to agency networks and accessing cloud resources from there, with the agency, CSP and worker all involved in enforcement. This method could result in increased latency, network congestion and other performance issues.

The third option allows teleworkers to connect through a cloud access broker to access agency-sanctioned CSP resources. CISA advises that both the agency and teleworker should use the same broker or Security-as-a-Service to ensure enforcement parity.

The new guidance warns agencies that the shift to a largely remote workforce will open up new possibilities for malicious hackers and make it harder to ensure compliance.

"Telework environments can present significant challenges associated with mitigating email-based threats (e.g., phishing). This challenge is amplified by the reality that agencies have limited visibility or control over remote user devices as the email service may be the only opportunity for meaningful policy enforcement," the document reads.

The guidance is temporary and explicitly states that it will expire at the end of the year. However, an email from a CISA spokesperson said that agency officials will look to incorporate lessons learned in future iterations of the TIC program.