Authorized Device and Software Management Initiatives
Unauthorized Device & Unauthorized Software Working Group Bi-weekly Meeting
November 15, 2018
Project Team: Qi’Anne Knox, Kazeem Adelakun, Shoeb Siraj
Code 710
Agenda
• Roll Call
• Authorized Device (AD) Initiative Phase Updates and Next Steps
• Software Management (SM) Initiative Update
• Web Content Filter (WCF) Update
• Action Request
• References
AD: Phase Updates (1)
• Phase 1:
  • Timeline: No earlier than January 2, 2019 (dependent on when GSFC is migrated to Office 365)
    • Marshall Space Flight Center and Michoud Assembly Facility with more than 8,500 users migrated
    • Kennedy Space Center will migrate next, starting November 28, 2018 and ending December 6, 2018
  • What’s happening?
    • NASA email access restrictions; remote email controlled
    • Put controls in place to prohibit ActiveSync access without Mobile Device Management (MDM)
    • Put controls in place to prohibit Webmail access without MDM or Virtual Private Network (VPN)
AD: Phase Updates (2)
• Phase 1 continued:
  • Mobile Device Management (MDM) enrollment for non-ACES Government Funded Equipment (GFE) or Personally Funded Equipment (PFE) iOS and Android smartphones and tablets (Go-Live Date: November 15, 2018):
    • O365 early adopters who have connected to NASA email and calendar services with a non-ACES GFE or PFE smartphone or tablet
    • Targeted communications will be distributed to O365 early adopters who have connected to NASA email and calendar services with a non-ACES GFE or personal smartphone or tablet as soon as possible
AD: MDM Service GFE Process
• Enroll non-ACES GFE under NASA’s MDM service:
  • Submit MDM GFE NAMS request at: https://idmax.nasa.gov/nams/asset/252533
    • If you are a NASA Civil Servant, you must select your supervisor as your sponsor/approver
    • If you are a contractor or non-NASA employee, you must select the NASA Civil Servant with authority to allow access as your sponsor/approver
    • Please select the associated System Security Plan for the non-ACES GFE smartphone or tablet from the drop-down menu list
  • After receiving NAMS approval, please install MDM from: https://mdr.nasa.gov/
    • Please note that a Personal Identity Verification (PIV) smartcard or Agency Smart Badge (ASB) is required to register for MDM
  • For MDM GFE support, contact the Enterprise Service Desk (ESD) at 877-677-2123, Option 2 or https://esd.nasa.gov
AD: MDM Service PFE Process
• Voluntarily enroll PFE under NASA’s MDM service:
  • Review and accept the MDM PFE User Agreement Terms and Conditions at: https://bit.ly/2zdJzbK
    • Allow 24-48 hours for the SATERN system to register your acceptance of the Terms of Use with NAMS
  • Submit MDM PFE NAMS request at: https://idmax.nasa.gov/nams/asset/252534
    • If you are a NASA Civil Servant, you must select your supervisor as your sponsor/approver
    • If you are a contractor or non-NASA employee, you must select the NASA Civil Servant with authority to allow access as your sponsor/approver
  • After receiving NAMS approval, please install MDM from: https://mdr.nasa.gov/
    • Please note that a PIV smartcard or ASB is required to register for MDM
  • MDM PFE support is self-service. Learning material and frequently asked questions are located at: https://aces.ndc.nasa.gov/subnav/mdm.html
AD: Phase Updates
• Phase 2:
  • Timeline: To Be Determined (TBD) and will be discussed more early next calendar year (full compliance targeted for Dec 2019)
  • Participate in NASA Partner Discussion with the Technical Architecture Lead at Armstrong to discuss current challenges, risks, external authorization requirements/update, etc. as it relates to Phase 2
  • Please continue to share use cases
    • Are there other examples where the VPN requirement can be problematic?
    • What impact will there be when the BigFix agent is enforced? Who will be impacted?
  • Partner Categories: Academic, Industry, Non-Profit, Contractor, Corporate, Commercial Space, Government Agency
  • Agency UD Core Team has an action to get us a schedule/outline
  • Met with Procurement to discuss the impact
AD: Next Steps
• Send targeted communication regarding MDM enrollment for non-ACES GFE and PFE coordinating with OCIO Strategic Communications Committee (OSC2) and 710 reps
• Validate NAMS submissions
• Continue coordination with O365 Project Team (Agency and Local)
• Meet with Landsat 7 on November 16, 2018
• Internal 710 working group meeting November 27, 2018
• Schedule additional stakeholders meetings
• Work PIV Exemption user list with Agency Team and relay any additional actions to the working group
AD: Reminders
• NASA webmail will no longer be remotely accessible from outside the NASA network, and will require an Agency Badge (PIV or Smart Badge) or RSA Token for authentication
  • Users will no longer be able to authenticate using username/password except for “PIV Exemption”
  • Webmail will remain remotely accessible via VPN with an Agency Badge or RSA token
• Remote users will no longer be able to access NASA email via the Microsoft Outlook (or compatible) client unless they are connected to the NASA internal network via VPN
• Personal Devices are not authorized to connect per UD Policy
SM Initiative: Unauthorized Software
• Obtained relational database application to assist with BigFix data analysis to create baseline and develop whitelist
• Created field requirements for SharePoint portal
• Continue to attend the Agency Software Management Tiger Team meetings, where the focus is currently on licensing
• Software should be added to a System Security Plan (SSP) for approved use today
SM Initiative: Web Content Filter
• Web content currently categorized as “unrated” will be blocked on January 1, 2019
• Briefly conducted an audit of sites previously categorized as “unrated” and several have been recategorized
• Can the working group members distribute a spreadsheet of “unrated” sites to directorates and missions with instructions on how to recategorize?
SM Initiative: WCF Re-categorization
• Go to the vendor site at: https://fortiguard.com/webfilter
• Type the URL in the Search URL textbox and hit Enter
• Review the Category
• If the category is currently not categorized correctly, click the Request a Review link
• Fill out the Web Filter Classification Rating Request
• Click Submit
SM Initiative: WCF Blocked Categories
• Malicious Websites
• Phishing
• Spam URLs
• Domain Parking
• Games
• Meaningless Content
• Advocacy Organizations
• Gambling
• Marijuana
• Nudity and Risque
• Other Adult Materials
• Pornography
• Peer-to-peer File Sharing
• Child Abuse
• Discrimination
• Drug Abuse
• Explicit Violence
• Extremist Groups
• Hacking
• Illegal or Unethical
• Plagiarism
• Proxy Avoidance
GSFC Points of Contact
• Please continue to communicate your concerns and suggestions to us, which we will communicate up.
  • GSFC-IT-Security-Review@mail.nasa.gov
  • qianne.l.knox@nasa.gov
  • shoeb.siraj@nasa.gov
  • kazeem.a.adelakun@nasa.gov
• Next meeting is November 29
References
• MDM Registration Site: https://mdr.nasa.gov/
• Registration Documents: https://aces.ndc.nasa.gov/subnav/mdm.html
• NAMS Workflow (not live):
  • MDM PFE (ID: 252534) - https://idmax.nasa.gov/nams/asset/252534/017767035
  • MDM GFE (ID: 252533) - https://idmax.nasa.gov/nams/asset/252533/017767035
• Agency UD Sites:
  • NASA's Strategy to Improve Network Security OCIO Site: https://inside.nasa.gov/nasa-s-strategy-improve-network-security
  • IT Policy Memos: https://inside.nasa.gov/ocio/it-business-management/policy-standards/it-policy-memoranda
  • O365 Resources: http://inside.nasa.gov/euso/office-365-resources
• AD/SM on ITCD Website and SharePoint:
  • https://itcd.gsfc.nasa.gov/
  • https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/Authorized%20Devices%20%20Software%20Management%20Initiative/Home.aspx
• Web Content Filter Portal: https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/SitePages/Website Access Requests.aspx