With much of the nation - and world for that matter - working from home for the foreseeable future, companies have had to adapt with the changing times.

Now, roughly a month into the pandemic, the Department of Homeland Security has issued security guidance to help federal agencies with newly remote employees better protect their networks and cloud environments.

The Cybersecurity and Infrastructure Security Agency (CISA) - the federal agency that helps state and local officials oversee cybersecurity strategy – this week released its TIC (Trusted Internet Connections) 3.0 Interim Telework Guidance. The 23-page document digs into how agencies can leverage security capabilities to support secure teleworking.

CISA says the guidance is technically short form - hence the inclusion of interim in the title - and that it is only for 2020 but that it will take bits and pieces of the guidance and feed it into TIC 3.0 Remote User Use Case.

Specifically, the document outlines several patterns teleworkers can follow when interacting with an agency-approved cloud service provider, see below:

It also contains guidance around what it calls universal security capabilities, basically principles like how workers should handle incident response, backup and recovery, authentication, and so on.

Data protection, as you might imagine, is a crucial way to ensure the confidentiality, integrity, and availability of data accessed by federal teleworkers.

“The surge in telework requires agencies to have processes and tools in place to protect agency data, prevent data exfiltration, and ensure the privacy and integrity of data, considering that data may be accessed from devices beyond the protections and perhaps administration of agencies,” the DHS document reads, “Data protection capabilities must be considered and may be adapted for data stored and accessed at sanctioned agency cloud services, on agency-owned devices, as well as on remote devices that are not owned by an agency.”

Access control, protecting data in transit, at rest, data access and use telemetry, and data loss prevention all factor into this.

The guidance still recommends agencies do their due diligence when it comes to evaluating whatever service they choose, however.

“To the extent practical, agencies should assess risks associated with broadening the use of cloud and collaboration services to ensure that due care as well as due diligence is applied to these changes in their respective information technology (IT) and user environments,” the document reads.

While it may seem like a fairly recent intiative, breaking down how remote federal employees connect to an agency's network and cloud was part of what the Trusted Internet Connections initiative said it would look into last fall. Further guidance from the group can be found on its page at the CISA website here.