The goal, according to multiple sources, is to give agencies more flexibility to keep employees connected to data and applications, while not losing any security rigor.
One source said the interim guidance is trying to make it easier on agencies to adjust their networks while also giving them some top cover.
Additionally, sources say the interim guidance is good for only the rest of the calendar year 2020, and CISA continues to work on TIC implementation guidance that is expected to come later this spring.
“The branch office use case defines how network and multi-boundary security should be applied when an agency has personnel in more than one physical location,” DHS wrote in the draft document released in December. “This use case helps agencies gain application performance (latency, throughput, jitter, etc.); reduce costs (through reduction of private links); and improve user experience by facilitating branch office connections to agency-sanctioned cloud services, the web and agency internal services.”
The use case describes three security approaches:
Direct connection from the branch office to the cloud service;
Branch office to the cloud service, utilizing the agency campus as an intermediary traffic forwarding step;
Branch office to the cloud service, utilizing a cloud access security broker or other security-as-a-service provider as an intermediary forwarding step.
“The branch office use case is composed of four trust zones: agency campus, agency branch office, cloud service provider and web. Branch office network traffic flows to and from an agency campus, to and from an agency CSP, and to and from the web,” DHS wrote. “A branch office user is able to interact with CSP resources without having to connect directly through the agency.”
Part of the problem with TIC has been the requirement to go back through the agency network that included software or services meeting the cyber standards, and then back out to the public internet or cloud application. This is part of the reason why TIC requirements have long been a problem for agencies connecting to cloud services or connecting remotely.
And now, some agency networks and virtual private networks are feeling the brunt of a majority of federal employees teleworking.
“The U.S. Air Force servers cannot handle the load. I’ve not been able to access work emails from home 99% of the time during the past three days. Since I don’t have a government laptop, accessing the work servers via VPN is not possible,” wrote one respondent during the survey timeframe of March 18-23.
Another said, “The network is behaving erratically due to too many people on the VPN.”
Other respondents were more positive, saying their networks and VPNs were working well.
“The FCC leadership has done an outstanding job implementing teleworking and advising its staff regarding the COVID-19 threat. The network is working well under the new virtual desktop stress,” wrote one employee.