CISA Releases Draft Use Case For Securing Remote, Mobile and Teleworking Connections

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

With many federal employees still teleworking, federal officials dropped a holiday gift for cybersecurity managers across the government: the draft remote user use case for the latest iteration of the Trusted Internet Connection, or TIC, policy.

The Cybersecurity and Infrastructure Security Agency, or CISA, released the draft use case Tuesday for public comment, asking stakeholders to offer feedback on the best methods for securing mobile and personal devices connecting to agency networks. The late-in-the-year policy drop meets the agency’s promise to deliver hard guidance—even if in draft form—before interim guidance released in April expires at the end of December.

The nature of computing has changed a lot since the first TIC policy was issued in 2007, and even since the last update—TIC 2—in 2012. Since that time, the use of cloud and remote computing have skyrocketed, as have security techniques for traditional connections, like at an agency’s headquarters office.

To meet these new realities, the Office of Management and Budget issued a new TIC 3 policy in September 2019. But rather than creating another stagnant guidance document, the policy pushes agencies toward a set of evolving use cases developed by CISA.

“We have the guidebook and the reference architecture documents—we consider those more of the strategic documents, the ones agencies use to build out their understanding of TIC 3 in general,” TIC Program Manager Sean Connelly told Nextgov in March. “And then what we call the operational, the more technical documents: the use cases, the security capabilities and the overlays. We think those are the ones that will be used more by agencies as they build out and secure their environments.”

The main body of the new TIC 3 policy was finalized in July, including the TIC 3 Guidebook; the reference architecture explaining how the concepts should be applied to agency enterprises; and the Security Capabilities Catalog, formerly the Security Capability Handbook.

But the real meat of the policy is in several use cases outlining specific scenarios and how agencies should secure those connections.

The program office released draft use cases late last year for…