New TIC 3.0 Guidance Grounded in Zero Trust, CDM
CISA is creating a cohesive cybersecurity approach for federal agencies.
The Cybersecurity and Infrastructure Security Agency released new TIC 3.0 remote user case guidance to help federal agencies secure their networks in a teleworking environment.
The new draft guidance, which is open to public comment, comes almost 10 months after federal agencies shifted to remote work due to the COVID-19 pandemic.
Zero trust and Continuous Diagnostics and Mitigation (CDM) principles ground CISA’s recommendations in the draft guidance, pointing to the agency’s consistent, interconnected approach to cybersecurity for federal agencies.
CISA recommends that federal agencies collect logs from all devices connected to their networks, including personal devices, and track data sent to and received from remote user devices.
“These logs should, when possible, be integrated with the agency’s central log management solution,” CISA said.
CISA also recommends ongoing monitoring of devices connected to the network and constantly verifying compliance with security standards and procedures, which is a central tenet of CISA’s CDM program.
“When possible, agencies should verify device configuration compliance when authorizing access to agency networks, services and data,” CISA said. “This compliance should be verified in an ongoing manner while a device maintains access to agency networks or services.”
In a remote working environment, CISA advises a zero trust approach to security controls.
“Agency users’ access to agency services and data should consider the security of the device being used to access the service or data, enabling higher levels of access to users with more secure devices,” according to the draft guidance. “If agencies permit the administration of services by remote users, they should employ MFA and should account for device security and compliance before authorizing administrative access. Agencies should track and analyze administrative logins and activities, especially when inconsistent with normal usage, and should have procedures in place for quickly revoking administrative access.”
When patching devices, CISA also recommends a zero trust approach. “Assume that remote devices have not been patched until confirmed otherwise. Based upon agency risk tolerances, unpatched devices may merit follow up with the remote user and access restrictions on those devices until patched, particularly if active exploits are known,” CISA said in its recommendations.
Aligning desktop, mobile and remote policies is also key, CISA added, as is continuous monitoring for “changes or discrepancies” in remote users’ “use of agency services or data.”
These security measures, CISA added, are especially important when so many federal employees are now teleworking.
In addition to these recommendations, CISA advised caution when sharing information and materials in virtual meetings.