
Authorized Device and Software Management Initiatives
Unauthorized Device & Unauthorized Software Working Group Bi-weekly Meeting
February 21, 2019
Code 710 Project Team: Qi’Anne Knox, Kazeem Adelakun, Shoeb Siraj, Tammy Tuttle

Agenda
• Roll Call
• Authorized Device (AD) Initiative / Unauthorized Device (UD) Phase Updates and Next Steps
• Software Management (SM) Initiative Updates and Next Steps
• Web Content Filter (WCF) Updates and Next Steps
• References

Roll Call

AD: Phase Updates (1)
• Phase 1:
  – Timeline: March 18 – March 22 (communication coming today)
    • Migrated: Marshall, Michoud, Kennedy, and Langley
    • In Progress: Johnson and White Sands Test Facility
    • Next: HQ, GRC, SSC, NSSC, AFRC, ARC, GISS, WFF, IVV, WSC, GSFC
  – What’s happening?
    • Virtual Private Network (VPN) use will be required to remotely access email and calendar services via client applications (e.g., Outlook) or Outlook Web Access (OWA)/Webmail
    • Only authorized smartphones and tablets will be allowed to access NASA email and calendar services

AD: Phase Updates (2)
• License Count (as of 02/12/2019):
  – 241 Personally Funded Equipment (PFE) requests
  – 67 non-ACES Government Funded Equipment (GFE) requests
  – Total: 308 licenses used out of 10,000 licenses (3.08%)
• MDM PFE and non-ACES GFE NAMS Workflow:
  – Due to license limitations, we are targeting ActiveSync users first for enrollment and validating the justification with the sponsor/IT Managers before approving the requests

AD: MDM Service NAMS
• PFE: Can you confirm the employee must require remote access to NASA email, calendaring and/or contact functions in order to accomplish NASA tasks?
• PFE: Can you confirm the use of a personally-owned mobile device is more efficient or cost-effective than using Government Furnished Equipment (GFE) for remote access?
• PFE and GFE: Did the user previously access email on this device?
• PFE and GFE: Are you aware that there will be a cost associated with the MDM license after the first year? (Please note: the cost is still being discussed with the NEST contract change and will be shared once known)

NSINS Update/AD Phase 2 and 3
• NASA’s Strategy to Improve Network Security (NSINS):
  – The NSINS improvement initiatives are still being scoped and timelines are being re-baselined; AD has technology dependencies within NSINS
  – Upcoming Face-to-face March 5-7
    • Should have a better roadmap for what AD Phase 2 looks like and when to implement
    • Focus on identifying use cases and mitigations
    • Discussion to create an NSINS memo

AD: Next Steps
• Validate NAMS submissions and coordinate with necessary parties before approving
• Continue coordination with stakeholders:
  – AD Agency Project Team
  – O365 Project Team (Agency and Local)
  – Internal 710 working group meeting/brainstorming session
  – Agency Partner Discussion working group
• Gather use cases and survey responses to partner questions
• Ensure list of users with no PIV or ASB who require access to email are added to the PIV exempt list and there’s no impact once migrated to O365

Web Content Filter
• March 5, 2019: The Agency WCF will also restrict access to unrated websites.
  – Unrated websites are sites not yet analyzed or categorized
• Employees should see little impact from this change, as the Cybersecurity Services and Integration Division (CSID) is reviewing and recategorizing known unrated websites
• Communication (2/19/2019):

Software Management
• Background:
  – The enforcement of NASA OCIO’s Unauthorized Software (US) began, July 2018, with blocking access to gaming sites
  – The next phase is to ensure unauthorized software (gaming and personal finances software being used for “personal use”) is removed from all end-user systems at NASA
• Due Date: April 5, 2019
• Policy: NPR-2540
• Questions: GSFC-IT-Security-Review@mail.nasa.gov
• Next Steps:
  – Send center-wide communication

References (2)
• Agency UD Sites:
  – NASAs Strategy to Improve Network Security OCIO Site: https://inside.nasa.gov/nasa-s-strategy-improvenetwork-security
  – IT Policy Memos: https://inside.nasa.gov/ocio/itbusiness-management/policy-standards/it-policymemoranda
• O365 Resources: http://inside.nasa.gov/euso/office-365resources
• AD/SM on ITCD Website and SharePoint:
  – https://itcd.gsfc.nasa.gov/
  – https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/Authorized%20Devices%20%20Software%20Management%20Initiative/Home.aspx
• Web Content Filter Portal: https://itcdsp13.gsfc.nasa.gov/sites/security/servicemanagement/SitePages/Website Access Requests.aspx

Ad-hoc Working Group SharePoint
• https://itcdsp13.gsfc.nasa.gov/sites/CSID/Community/IT%20Security%20Working%20Group/Ad%20Hoc%20Working%20Groups/Unauthorized%20Devices%20Ad%20Hoc%20Working%20Groups
  – This site will house meeting slides, minutes, actions, etc.
  – There were some issues with the SharePoint going down last week, but it has been resolved
  – If you do not have access, let me know

GSFC Points of Contact
• Please continue to communicate your concerns and suggestions to us, which we will communicate up
  – GSFC-IT-Security-Review@mail.nasa.gov
  – qianne.l.knox@nasa.gov
  – shoeb.siraj@nasa.gov
  – kazeem.a.adelakun@nasa.gov
• Next meeting March 7 may be canceled or rescheduled
  – Conflict with O365 IT Matters and F2F

References (1)
• Working Group SharePoint: https://itcdsp13.gsfc.nasa.gov/sites/CSID/Community/IT%20Security%20Working%20Group/Ad%20Hoc%20Working%20Groups/Unauthorized%20Devices%20Ad%20Hoc%20Working%20Groups
• NASA Assessed & Cleared Lists—Supply Chain Whitelist, Devices you can use for the NASA MDM Solution at: https://ocio.ndc.nasa.gov/hq/ocio/security/itscommunity/GRC/Lists/Assessed%20and%20Cleared%20List%20ACL/AllItems.aspx
• MDM Registration Site: https://mdr.nasa.gov/
• Registration Documents: https://aces.ndc.nasa.gov/subnav/mdm.html
• MDM NAMS Workflow/Registration:
  – MDM PFE (ID: 252534): https://idmax.nasa.gov/nams/asset/252534/017767035
  – MDM GFE (ID: 252533): https://idmax.nasa.gov/nams/asset/252533/017767035
  – MDM Registration Site: https://mdr.nasa.gov/
  – Registration Documents:

Back up

AD: Reminders
• NASA webmail will no longer be remotely accessible from outside the NASA network, and will require an Agency Badge (PIV or Smart Badge) or RSA Token for authentication
  – Users will no longer be able to authenticate using username/password except for “PIV Exemption”
• Webmail will remain remotely accessible via VPN with an Agency Badge or RSA token
• Remote users will no longer be able to access NASA email via the Microsoft Outlook (or compatible) client unless they are connected to the NASA internal network via VPN
  – Personal Devices are not authorized to connect per

AD: Partner Use Case Questions
• How many total users impacted?
• On-site, Remote, or both?
• Location if remote?
• Who manages the remote network?
• Have NASA NOMAD accounts? How many?
• What are the exact requirements to have NOMAD accounts?
• What NASA resources (servers, files, etc.) other than email (via NOMAD) needed?
• Who owns the laptops/PCs?
• Authentication type?
• How are encrypted emails exchanged today with their NASA counterparts while on NOMAD?
• NASA VPN accounts? If so, what type of client software?
• Is there any type of ATO or agreement covering their access?

AD: Partner Discussion WG
• Partner Discussion Working Group:
  1. Use Cases:
    – Partner Location
    – Device Ownership
    – NASA Service Access
    – NASA Authorization Requirements
    – Technical Impact
    – Credentials/Authentication
  2. Exploring External Authorization Options
  3. Level of Assurance Assessment

Authorization Related Criteria
• Who is the partner(s)
• What type of agreement(s) do we have with them?
• Subcontracts
• Is the partner on-site at a Center or remote?
• Who manages/provides the devices/network?
• Is there IT services/systems within the contract?
• Current NASA system authorization
• Contract related security requirements
• NASA ATOs
• Interconnect agreements

Architecture
• Do the partner users have NASA credentials?
• User authentication type (PIV, token, etc.)?
• What type of corporate credentials are available (affiliation options)
• Data sensitivity levels: Low/Moderate/High
• What NASA resources does the partner require access to?
• Email/Calendaring, Skype, Box, Mission data systems, etc.
• Web-based versus non-web based apps