Authorized Device and Software Management Initiatives
Unauthorized Device & Unauthorized Software Working Group Bi-weekly Meeting
February 21, 2019
Project Team: Qi’Anne Knox, Kazeem Adelakun, Shoeb Siraj, Tammy Tuttle
Code 710

Agenda
• Roll Call
• Authorized Device (AD) Initiative / Unauthorized Device (UD) Phase Updates and Next Steps
• Software Management (SM) Initiative Updates and Next Steps
• Web Content Filter (WCF) Updates and Next Steps
• References

AD: Phase Updates (1)
• Phase 1:
  • Timeline: March 18 – March 22 (communication coming today)
  • Migrated: Marshall, Michoud, Kennedy, and Langley
  • In Progress: Johnson and White Sands Test Facility
  • Next: HQ, GRC, SSC, NSSC, AFRC, ARC, GISS, WFF, IVV, WSC, GSFC
• What’s happening?
  • Virtual Private Network (VPN) use will be required to remotely access email and calendar services via client applications (e.g., Outlook) or Outlook Web Access (OWA)/Webmail
  • Only authorized smartphones and tablets will be allowed to access NASA email and calendar services with Mobile Device Management (MDM)

AD: Phase Updates (2)
• License Count (as of 02/12/2019):
  • 241 Personally Funded Equipment (PFE) requests
  • 67 non-ACES Government Funded Equipment (GFE) requests
  • Total: 308 licenses used out of 10,000 licenses (3.08%)
• MDM PFE and non-ACES GFE NAMS Workflow:
  • Due to license limitations, we are targeting ActiveSync users first for enrollment and validating the justification with the sponsor/IT Managers before approving the requests
  • Also coordinating non-ACES GFE with the ISSO for the selected System Security Plan

AD: MDM Service NAMS
• PFE: Can you confirm the employee must require remote access to NASA email, calendaring and/or contact functions in order to accomplish NASA tasks?
• PFE: Can you confirm the use of a personally-owned mobile device is more efficient or cost-effective than using Government Furnished Equipment (GFE) for remote access?
• PFE and GFE: Did the user previously access email on this device?
• PFE and GFE: Are you aware that there will be a cost associated with the MDM license after the first year? (Please note: the cost is still being discussed with the NEST contract change and will be shared once known)

NSINS Update/AD Phase 2 and 3
• NASA’s Strategy to Improve Network Security (NSINS):
  • The NSINS improvement initiatives are still being scoped and timelines are being re-baselined; AD has technology dependencies within NSINS
  • Upcoming Face-to-face March 5-7
  • Should have a better roadmap for what AD Phase 2 looks like and when to implement
  • Focus on identifying use cases and mitigations
  • Discussion to create an NSINS memo

AD: Next Steps
• Validate NAMS submissions and coordinate with necessary parties before approving
• Continue coordination with stakeholders:
  • AD Agency Project Team
  • O365 Project Team (Agency and Local)
  • Internal 710 working group meeting/brainstorming session
  • Agency Partner Discussion working group
• Gather use cases and survey responses to partner questions
• Ensure list of users with no PIV or ASB who require access to email are added to the PIV exempt list and there’s no impact once migrated to O365

Web Content Filter
• March 5, 2019: The Agency WCF will also restrict access to unrated websites.
  • Unrated websites are sites not yet analyzed or categorized
  • Employees should see little impact from this change, as the Cybersecurity Services and Integration Division (CSID) is reviewing and re-categorizing known unrated websites
• Communication (2/19/2019):

Software Management
• Background:
  • The enforcement of NASA OCIO’s Unauthorized Software (US) began in July 2018 with blocking access to gaming sites
  • The next phase is to ensure unauthorized software (gaming and personal finances software being used for “personal use”) is removed from all end-user systems at NASA
• Due Date: April 5, 2019
• Policy: NPR-2540
• Questions: GSFC-IT-Security-Review@mail.nasa.gov
• Next Steps:
  • Send center-wide communication

References (2)
• Agency UD Sites:
  • NASA's Strategy to Improve Network Security OCIO Site: https://inside.nasa.gov/nasa-s-strategy-improve-network-security
  • IT Policy Memos: https://inside.nasa.gov/ocio/it-business-management/policy-standards/it-policy-memoranda
  • O365 Resources: http://inside.nasa.gov/euso/office-365-resources
• AD/SM on ITCD Website and SharePoint:
  • https://itcd.gsfc.nasa.gov/
  • https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/Authorized%20Devices%20%20Software%20Management%20Initiative/Home.aspx
• Web Content Filter Portal: https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/SitePages/Website Access Requests.aspx

Ad-hoc Working Group SharePoint
• https://itcdsp13.gsfc.nasa.gov/sites/CSID/Community/IT%20Security%20Working%20Group/Ad%20Hoc%20Working%20Groups/Unauthorized%20Devices%20Ad%20Hoc%20Working%20Groups
• This site will house meeting slides, minutes, actions, etc.
• There were some issues with the SharePoint going down last week, but it has been resolved
• If you do not have access, let me know

GSFC Points of Contact
• Please continue to communicate your concerns and suggestions to us, which we will communicate up
  • GSFC-IT-Security-Review@mail.nasa.gov
  • qianne.l.knox@nasa.gov
  • shoeb.siraj@nasa.gov
  • kazeem.a.adelakun@nasa.gov
• Next meeting March 7 may be canceled or rescheduled
  • Conflict with O365 IT Matters and F2F

References (1)
• Working Group SharePoint: https://itcdsp13.gsfc.nasa.gov/sites/CSID/Community/IT%20Security%20Working%20Group/Ad%20Hoc%20Working%20Groups/Unauthorized%20Devices%20Ad%20Hoc%20Working%20Groups
• NASA Assessed & Cleared Lists—Supply Chain Whitelist, Devices you can use for the NASA MDM Solution at: https://ocio.ndc.nasa.gov/hq/ocio/security/itscommunity/GRC/Lists/Assessed%20and%20Cleared%20List%20ACL/AllItems.aspx
• MDM Registration Site: https://mdr.nasa.gov/
• Registration Documents: https://aces.ndc.nasa.gov/subnav/mdm.html
• MDM NAMS Workflow/Registration:
  • MDM PFE (ID: 252534): https://idmax.nasa.gov/nams/asset/252534/017767035
  • MDM GFE (ID: 252533): https://idmax.nasa.gov/nams/asset/252533/017767035

AD: Reminders
• NASA webmail will no longer be remotely accessible from outside the NASA network, and will require an Agency Badge (PIV or Smart Badge) or RSA Token for authentication
• Users will no longer be able to authenticate using username/password except for “PIV Exemption”
• Webmail will remain remotely accessible via VPN with an Agency Badge or RSA token
• Remote users will no longer be able to access NASA email via the Microsoft Outlook (or compatible) client unless they are connected to the NASA internal network via VPN
• Personal Devices are not authorized to connect per UD Policy

AD: Partner Use Case Questions
• How many total users impacted?
• On-site, Remote, or both? Location if remote?
• Who manages the remote network?
• Have NASA NOMAD accounts? How many?
• What are the exact requirements to have NOMAD accounts?
• What NASA resources (servers, files, etc.) other than email (via NOMAD) needed?
• Who owns the laptops/PCs?
• Authentication type?
• How are encrypted emails exchanged today with their NASA counterparts while on NOMAD?
• NASA VPN accounts? If so, what type of client software?
• Is there any type of ATO or agreement covering their access?

AD: Partner Discussion WG
• Partner Discussion Working Group:
  • Use Cases:
    • Partner Location
    • Device Ownership
    • NASA Service Access
    • NASA Authorization Requirements
    • Technical Impact
    • Credentials/Authentication
  • Exploring External Authorization Options
  • Level of Assurance Assessment