
DOC IT Security Policy Update Enclosure

New sections 13.2.5, 13.2.6, Appendix D: 3.2.12 and 3.2.13 and revised section 17.18 of the DOC IT Security Program Policy and Minimum Implementation Standards:

13.2.5 Use of Two-Factor Authentication. For Tier 2 and 3 remote access, the use of two-factor authentication is required where one factor is provided by a device separate from the computer gaining access.

13.2.6 Logging of Computer-Readable Data Extracts from Databases. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or determine that its use is still required.

Appendix D: 3.2.12 Two-factor authentication is required where one factor is provided by a device separate from the computer gaining access.

Appendix D: 3.2.13 Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or determine that its use is still required.

17.18 Remote Access Policy. DOC operating units shall comply with the NIST Special Publication 800-53 requirements for control AC-17, Remote Access (see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, online at http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf).

    17.18.1 DOC Policy Enhancement. In addition to the baseline requirements of section 17.18, DOC operating units shall implement two-factor authentication and logging of computer-readable data extracts from databases for Tier 2 and 3 remote access as described in Appendix D: Unclassified System Remote Access Security.

    17.18.2 Procedures. DOC operating units shall comply with the requirements as described in the DOC Remote Access Security Procedure, which provides personnel (both federal and contractor) the mandatory and recommended practices for securing remote access connections to DOC IT resources.

U.S. Department of Commerce
Remote Access Procedures

[This Procedure supersedes the IT Security Program Policy and Minimum Implementation Standard, Appendix D, issued June 30, 2005.]

1. Purpose. As authorized by Section 17.18 of the Department of Commerce (DOC) IT Security Program Policy and Minimum Implementation Standard, issued June 30, 2005, this DOC Remote Access Procedure (Procedure) defines the DOC implementation requirements for protection of DOC IT networks, systems, and information from the risks inherent in remote access without significantly impairing the DOC mission or the quality of service to the remote user.

    This Procedure provides the mandatory minimum requirements to reduce risks to DOC IT systems and data while enabling DOC staff to continue to remotely access DOC IT systems for official duty purposes. When an individual remotely accesses DOC IT systems, the overall security of those systems may be lowered and the potential exists for unauthorized access to data. Computers that remotely access DOC IT systems are often not highly maintained with respect to security. The result is that such computers may have been penetrated by hackers or fallen victim to one of thousands of active viruses, Trojans, and worms. When these computers remotely access DOC IT systems, hackers, Trojans, and worms can circumvent DOC perimeter security mechanisms and cause great damage. This problem is exacerbated when a remote computer is connected to the Internet and to DOC IT systems at the same time (e.g. when using broadband technology). However, remote access is an increasing necessity as more federal workers are carrying portable IT devices (e.g. laptop computers, cell phones, Palm or Windows PDAs, and Blackberries) and using Internet cafés and kiosks to enhance communications and perform DOC mission functions while on travel or teleworking.

2. Applicability. This Procedure is to be applied independent of the size of the IT system and independent of the type of remote access technology. Thus, it includes the following modes of remote access: modems, broadband and wireless connections; third party internet service providers (ISP); public access sites such as kiosks and Internet cafés; and alternate platforms such as personal electronic devices (PED)/personal digital assistants (PDA), and cell phones. It applies to all non-national security IT systems used to carry out DOC’s mission, located both on and off government property, whether operated by federal employees or contractors.

    It does not cover requirements for securing remote access to national security systems. This Procedure does not apply to remote access to publicly accessible DOC Web sites, including those sites that support transactions and access to databases, even if that access is in support of the conduct of official Government business, unless the access includes access to DOC systems and information not publicly available through such Web sites.

3. Tiered Access Levels. DOC categorizes remote access into three tiers according to the risk of harm inherent in the nature of the access and the sensitivity of the information accessed.

    3.1 Tier 1: Tier 1 represents Low risk because the systems accessed are between the outermost DOC network perimeter or border device, such as a DOC firewall, and outside inner DOC firewalls that protect Commerce local area networks. It is intended for access to DOC IT services through the Internet or by dial-up that must be authenticated, requires access only to services outside (on the public side) of a DOC firewall, does not require access to internal DOC systems, and involves only unclassified information of low security categorization relative to availability, confidentiality, and integrity.

        3.1.1 Operating units must establish, or participate in, centralized management control of all modem pools, require written authorization for use of modem pools, and ensure that modem call-back features are enabled.

        3.1.2 Remote computers used for Tier 1 access must be configured and maintained in a secure manner as described in the following table. The following table lists the Mandatory (M) or Recommended (R) countermeasures to be implemented depending on the type of device used.

        Standard Countermeasure | DOC-Owned/Furnished Equipment | Personally-Owned Equipment | Other (Publicly-accessed) Equipment
        Configure computers to not remember DOC passwords. | M | M | R
        Terminate connections to DOC applications when not being used; users must not leave an active connection to DOC IT systems unattended. | M | M | M
        Ensure that all passwords to DOC systems meet the DOC Standard on Password Management. | M | M | M
        Do not share or reveal DOC usernames and passwords to anyone (including family members), to prevent unauthorized access to DOC IT systems and data. | M | M | M
        Ensure encryption of passwords and data using a FIPS-compliant algorithm when transmitted over the Internet (except for one-time passwords). This encryption can be done by the individual applications or provided by DOC servers through an encrypted tunnel to the remote computer. | M | M | M
        Install, regularly update (at least monthly), and run anti-virus software on equipment that supports such software. | M | R | R
        Install and regularly update (at least monthly) security-related patches on devices that can be patched. | M | M | R
        Install personal firewalls on all remote access computers connected to the Internet (for which such software is available). | M | R | R
        Shield entry of authentication information from shoulder-surfers, as though shielding entry of a PIN at an ATM. | M | M | M
        Clear browser history and cache and close the browser (disconnect from the Internet) when finished with remote access needs. | R | M | R
        Do not save Government information and applications to the hard drive of the remote access computer. | not applicable | R | M
        Use surge protectors with remote access equipment. | R | R | not applicable
        (M = Mandatory, R = Recommended)

    3.2 Tier 2: Tier 2 represents Moderate risk because basic user privileges are allowed to access systems processing or storing non-national security information inside the inner DOC firewalls and internal to the DOC computing environment, and information has been categorized at a Moderate impact level. It is intended for access to internal DOC systems (i.e., inside the outermost DOC firewalls or perimeter gateway). This category includes users who authenticate to a DOC gateway and are granted only partial access to the relevant network. Computers used for this Tier of authenticated internal network access must be configured and maintained in a secure manner. All of the countermeasures listed for Tier 1 are mandatory for Tier 2, PLUS the following additional requirements must be implemented:

      3.2.1 Approve all remote access in writing by user’s supervisor and ensure the user certifies he/she has been trained and understands applicable policies. Users must agree to ensure that the government data processed on DOC-owned or personally-owned remote access computers are backed-up on a periodic basis, either automatically through the network or remotely with removable drives (such as government-furnished diskettes).

      3.2.2 Conduct remote access either from DOC-owned/furnished or personally-owned computers under the control of the user, or public-access computers if the user can verify that security mechanisms exist that satisfy this standard.

      3.2.3 Use a FIPS 140 compliant mechanism for encrypting remote access sessions.

      3.2.4 Authenticate first to a remote access gateway on the DOC network perimeter, and also comply with the system owner’s requirements for authentication and identification to the specific internal system or data resource being accessed. All data must pass through an additional access control point (e.g., a firewall, a modem call-back feature, or SecurID tokens) before users are permitted to access internal systems.

      3.2.5 Don’t use remote access computers as servers (e.g., web servers, private e-mail servers, File Transfer Protocol (ftp) sites, or chat servers), or connect the computer to other networks, including wireless networks, while connected to the DOC network.

      3.2.6 Computers must be protected against unauthorized access by using password-protected screensavers when idle for a duration of 15 minutes.

      3.2.7 Terminate connections to the DOC network (either initiated by the user or by DOC remotely accessed systems), when idle for more than 30 minutes.

      3.2.8 Use of access protocols vulnerable to exploitation (e.g., Telnet, ftp, and rlogin) is prohibited unless transmission is through an encrypted tunnel such as a VPN.

      3.2.9 Use of public-access equipment is prohibited.

      3.2.10 When government information is copied to a removable drive, the media must be properly marked with the proper information category. In addition, removable media containing personally identifiable information must be encrypted to prevent unauthorized disclosure.

      3.2.11 When not in use, media should be stored in heavy locked furniture such as a desk or credenza or a safe.

      3.2.12 Two-factor authentication is required where one factor is provided by a device separate from the computer gaining access.

      3.2.13 Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or determine that its use is still required.
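To show what the logging-and-verification requirement of 3.2.13 (and 13.2.6) looks like when operated, here is an added example that is not part of the DOC procedure: a CSV register of computer-readable data extracts and a check that classifies each extract holding sensitive data as erased within 90 days, re-justified by the deadline, still pending, or overdue, and lists those coming due soon. The register layout, field names, user names, database names, dates and extract identifiers are all constructed for illustration.

```python
# Added example (not part of the DOC procedure): a register of computer-readable
# data extracts and the 90-day check called for in section 3.2.13 / 13.2.6.
# CSV layout and field names are assumptions made for this example.
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # section 3.2.13: erase within 90 days or determine use is still required

# Constructed sample register; identifiers, names and dates are made up.
SAMPLE_REGISTER = """\
extract_id,user,source_db,extracted_on,contains_sensitive,erased_on,still_required_on
X-001,jdoe,hr_personnel,2024-01-10,yes,2024-02-01,
X-002,asmith,hr_personnel,2024-01-15,yes,,
X-003,asmith,public_catalog,2024-01-20,no,,
X-004,bjones,grants_pii,2024-02-01,yes,,2024-04-15
X-005,bjones,grants_pii,2024-03-01,yes,,
"""


@dataclass
class ExtractRecord:
    extract_id: str
    user: str
    source_db: str
    extracted_on: date
    contains_sensitive: bool
    erased_on: Optional[date]
    still_required_on: Optional[date]  # date the continued need was determined

    @property
    def deadline(self) -> date:
        return self.extracted_on + timedelta(days=RETENTION_DAYS)


def _opt_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_register(csv_text: str) -> List[ExtractRecord]:
    """Parse the register; empty date cells become None."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append(ExtractRecord(
            extract_id=row["extract_id"],
            user=row["user"],
            source_db=row["source_db"],
            extracted_on=date.fromisoformat(row["extracted_on"]),
            contains_sensitive=row["contains_sensitive"].strip().lower() == "yes",
            erased_on=_opt_date(row["erased_on"]),
            still_required_on=_opt_date(row["still_required_on"]),
        ))
    return records


def classify(rec: ExtractRecord, today: date) -> str:
    """One of: not_sensitive, erased, still_required, pending, erased_late, overdue."""
    if not rec.contains_sensitive:
        return "not_sensitive"      # outside the scope of the 90-day rule
    if rec.erased_on is not None and rec.erased_on <= rec.deadline:
        return "erased"             # erased within 90 days
    if rec.still_required_on is not None and rec.still_required_on <= rec.deadline:
        return "still_required"     # continued use determined before the deadline
    if today <= rec.deadline:
        return "pending"            # 90 days not yet elapsed
    if rec.erased_on is not None:
        return "erased_late"        # erased, but after the deadline: still a finding
    return "overdue"                # neither erased nor re-justified in time


def overdue_extracts(records: List[ExtractRecord], today: date) -> List[str]:
    return [r.extract_id for r in records if classify(r, today) == "overdue"]


def due_within(records: List[ExtractRecord], today: date, days: int = 30) -> List[str]:
    """Pending extracts whose deadline falls within the next `days` days."""
    horizon = today + timedelta(days=days)
    return [r.extract_id for r in records
            if classify(r, today) == "pending" and r.deadline <= horizon]


def compliance_report(csv_text: str, today_iso: str) -> Dict[str, object]:
    today = date.fromisoformat(today_iso)
    records = load_register(csv_text)
    return {
        "status": {r.extract_id: classify(r, today) for r in records},
        "overdue": overdue_extracts(records, today),
        "due_within_30_days": due_within(records, today),
    }


if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_REGISTER, "2024-05-15").items():
        print(key, value)
```

The decisive field is the extraction date, not the last-access date: the 90-day clock in 3.2.13 starts when the data leaves the database, so the register must be written at extraction time (typically by the export job itself) rather than reconstructed later. The "erased_late" state is kept separate from "erased" because a late erasure still needs to be reported even though the data is gone.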

    3.3 Tier 3: Tier 3 represents high risk because administrative (or “super-user”) privileges are allowed to access systems processing or storing sensitive-but-unclassified information that are internal to the DOC computing environment. It is intended for administrative access to a DOC computer, database, or IT resource on the internal network (e.g., using PCAnywhere). This category is usually used for obtaining remote administrator control but it also includes user level control when unrestricted user level access to the underlying operating system is obtained. Remote computers used for “remote control” access must be configured and maintained in a secure manner. All of the countermeasures listed for Tiers 1 and 2 are incorporated as mandatory for Tier 3. In addition, the following requirements must be implemented:

      3.3.1 Grant remote control access privileges in moderation, and only to those with proper justification.

      3.3.2 Allow use of third-party remote control/direct-access software in moderation (e.g., PCAnywhere or “www.gotomypc.com”), and only to those with proper justification.

      3.3.3 Implement an uninterruptible power supply (UPS) to protect data rated at the High security impact level.

      3.3.4 Properly configure use of direct-access software, including:

        3.3.4.1 No remote control/direct access software may be permitted to use dial-up connectivity unless transmissions are encrypted in accordance with the requirements of this standard.

        3.3.4.2 Dial-up access must be protected by call-back modems programmed to call authorized user numbers.

        3.3.4.3 IP address screening must be used for broadband connections.

4. User Agreements. Operating units must develop and implement a mechanism to document and maintain management-approved remote access user security agreements for all users as follows:

    4.1 Remote access rules of behavior must be incorporated into formal telework user agreements.

    4.2 For Tier 2 and Tier 3 access, a remote access user security agreement provides documentation ensuring that:

        4.2.1 The user’s manager, supervisor, or Contracting Officer’s Technical Representative has approved the remote access request;

        4.2.2 The user certifies that he/she has received DOC security training within the last year; and

        4.2.3 The user certifies that he/she understands, and will abide by, the terms of the remote access user security agreement and the DOC Remote Access Policy and Procedure.

    4.3 The manager, supervisor, or COTR must maintain records of the documented supervisor approval and the user certification in accordance with the Privacy Act. He/she must also notify the system owner, who in turn must provide authorized DOC IT users with the minimum access privileges documented in the agreement that are necessary to accomplish their job duties.

5. Recommended Practices. DOC recommends the following practices for the protection of equipment used for remote access:

    5.1 Physically secure laptops with a cable lock.

    5.2 Use a non-descript carrying case for portable devices to avoid unwanted attention.

    5.3 If traveling with sensitive government information, pack encrypted information backup media in a separate bag from the portable device in case of theft of the device.

    5.4 Identify the portable device with contact information. Use decals or markings that are difficult to remove and that show obvious signs of tampering if removal is attempted.

    5.5 Record the serial number and other identification information about the portable device twice, and keep one copy at home or in the office in case of theft of the device. This information can be helpful to authorities searching for the device if lost or stolen.