As large-scale telework continues across the Federal government, the Cybersecurity and Infrastructure Security Agency (CISA) released a remote vulnerability and patch management guide yesterday to supplement the Trusted Internet Connection (TIC) 3.0 Interim Telework Guidance released in April.
The new supplement shares recommendations for patching remote devices roaming outside of agency networks. Agencies have reported Virtual Private Network (VPN) bandwidth constraints that impact service and access to patches, so the new guidance aims to help leaders leverage the TIC telework guidance to improve remote patching efforts.
The Remote Vulnerability and Patch Management Capacity Enhancement Guide walks agency leaders through a scenario where a vulnerability and patch management solution is hosted in an agency-sanctioned cloud environment. CISA says that agencies must ensure “that remote device traffic destined for the cloud-based solution is properly constrained to sanctioned destinations and that roaming devices do not connect to unsanctioned resources.” The guide also provides a checklist of requirements that should be met to allow for a cloud-based remote vulnerability and patch management solution.
The recommendations apply only to software on end-user roaming government-furnished equipment, such as laptops, running Microsoft Windows or macOS operating systems. They do not apply to mobile devices, unmanaged government-furnished equipment, or non-government-furnished equipment.
Any network traffic to the public internet should still be routed through EINSTEIN sensors, CISA recommends.