WIXLIB

DEPARTMENT OF DEFENSE6000 DEFENSE PEITTAGONWASHINGTON, D.C. 20301-6000APR 1 3 2020CHEF NFORMAl10N OFFICERMEMORANDUM FOR CHIEF MANAGEME T OFFICER OF THE DEPARTMENT OFDEFENSESECRETARIES OF THE MILITARY DEPARTMENTSCLEAREDCHAIRMANOF THE JOINT CHIEFS OF STAFFFor Open PublicationUNDER SECRETARIES OF DEFENSECHIEF OF THE NATIONAL GUARD BUREAUMay 14, 2020GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSEDepartment of DefenseDIRECTOR OF COST ASSESSMENT AND PROGRAMOFFICE OF PREPUBLICATION AND SECURITY REVIEWEVALUATIONINSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSEDIRECTOR OF OPERATIONAL TEST AND EVALUATIONCHIEF INFORMATION OFFICER OF THE DEPARTMENT OFDEFENSEASSISTANT SECRETARIES OF DEFENSE FOR LEGISLATIVEAFFAIRSASSIST ANT TO THE SECRETARY OF DEFENSE FOR PUBLICAFFAIRSDIRECTOR OF NET ASSESSMENTUNITED STATES CYBER COMMANDDIRECTORS OF DEFENSE AGENCIESDIRECTORS OF DOD FIELD ACTIVITIESSUBJECT: Authorized Telework Capabilities and GuidanceReferences: (a) "Temporary Authorization to Use Impact Level (IL) 2 Cloud Environment forCertain Basic Controlled Unclassified Information (CUI)," March 26, 2020(b) "Treatment of PII within IL 2 Commercial Cloud,) August 7, 2019(c) DoD Chief Information Officer memorandum, "COVID-19 Response: RemoteWork Capability," March 19, 2020(d) DoD Chief Information Officer memorandum, "Authorizations to OperateExtensions and Cybersecurity Function Prioritization Guidance," April 3, 2020Department of Defense Chieflnformation Officer (DoD CIO) has engaged in a numberof initiatives to enhance the telework capabilities of the Department. We continue to fieldquestions from components and have identified a number of areas where clarification is needed.In support of expanded telework requirements, DoD Components should first look toleverage approved DoD Enterprise Collaboration Capabilities, which are already approved foruse by all DoD users. If these capabilities do not meet the Component needs, components areauthorized to approve use of commercial cloud services which have been issued a DoDProvisional Authorization. Components must continue to abide by all DoD policies regardingtelework capabilities and the u e of cloud services, reinforce Operations Security (OPSEC) and20-S-1290

ensure compliance with the level of sensitivity of data approved for these services. If neither ofthese options are sufficient, Components must submit requirements for approval by DoD CIOand USCYBERCOM. These requirements should be submitted to Joint Forces Headquarters Department of Defense Information Network (JFHQ-DODIN) . The current list of enterprise and provisionallyauthorized capabilities is provided in Appendix A, and an updated list will be maintained athttps://cyber.mil/covid19. Also posted on the site are additional guidelines for initiatingteleconferences.In support of dramatically expanded telework requirements, DoD CIO has approved theuse of a Commercial Virtual Remote (CVR) environment as a temporary capability that will beavailable to supplement existing collaboration tools and enhance remote telework capabilitiesduring the National Emergency. This capability is authorized for use by all DoD users. TheCVR Environment is a DoD-contracted Microsoft Office 365 (0365) Teams capability,implemented with DoD specific security controls, which provides video, voice, and textcommunication, as well as document sharing tools for Basic Controlled Unclassified Information(CUI) as outlined in Reference (a). CVR is accessible from the Internet or DoD networks viaboth Government Furnished Equipment and personal devices. DoD Components will beincrementally on-boarded by Components in accordance with the prioritization established bythe COVID-19 task force. Additional CVR information is available athttps://www.cloud.mil/CVR. For all other CVR questions, please contact the DoD CIO team atOSD.COVID19.RemoteWorkTeam@mail.mil.DoD is aware that several components have expressed pursing unauthorized cloud andcollaboration capabilities. These capabilities place DoD information at risk and are notauthorized to conduct internal DoD business. Components should not initiate communicationsusing unapproved commercial collaboration capabilities, but may participate in sessions ifinitiated by outside partners for public, unclassified purposes. The use of cloud services must beformally authorized by a component Authorizing Official (AO) and comply with requirements inthe DoD Cloud Computing Security Requirements Guide, found athttps://dl.cyber.mil/cloud/pdf/Cloud Computing SRG vlr3.pdf.Components should not engage in unilateral agreements or accept offers of free solutionsfrom vendors without appropriate consultation and appropriate contracting actions.Engagements with vendors in this context should be coordinated through the DoD CIO team atOSD.COVID 19.RemoteWorkTeam@mail.mil. We continue to assess additional teleworkcapabilities that may supplement the existing suite on a temporary basis during the current crisisbased on mission need.Telework has provided the Department with the flexibility to continue operations.However, telework may present significant risks to the Department. To minimize this risk weare providing teleworking guidance to components (Appendix B) and individuals (Appendix C).CIO will continue to update this guidance as needed.

All are reminded that adherence to all standing cyberspace policies and guidance is asimportant while teleworking as it is while working on-site. Questions for any aspects of thismemo should be directed to OSD.COVIDl9.RemoteWorkTeam@mail.mil.Dana DeasyAttachments: As stated

CLEAREDFor Open PublicationMay 14, 2020Appendix ADepartment of DefenseOFFICE OF PREPUBLICATION AND SECURITY REVIEWAuthorized Enterprise Telework CapabilitiesPrimary Telework CapabilitiesPrimary telework capabilities are authorized at the enterprise level and are available for use byall DoD personnel without additional authorizations. In addition, any existing teleworkcapability which has a valid A TO from , and is hosted by a DoD Component remains approved.Components must inform JFHQ-DODIN of these capabilities to ensure a comprehensiveunderstanding of the DoD telework environment is maintained.UNCLASSIFU!OANTIVIRUSEMAILVOICEHow do I protectmy personalcomputer frommahc,ous act1v1ty?What tools canI use for email?What tools canI use to set-up aconference call?r.oorMEMEETMEAHTIVIRUSHOME USE-· .f1'Al\JIH5eo.,.,.""* 1.t,tJQp .,.,r rtt ft-:,,e3"aric,wu, JC ,c,IIQWl.aortatDll'eDcOINorrei 'Mf'tfU'r ll'leclEt . Ql'!Wll'I\CDn"a,,nw(PC & U.C:IHCIWTOACaSI.,' ., Voia,,V(N I')l)lllty Jo J51' Uffl,-olloUSITMCI:A)ltAtlllTAHCf.htto9·Hwww tcll'!I , 1,mlt/llPofff.t.Q.h wectte M111'"111rud101'SIIO :I AOIS\l(ll)0'18(ltir n1SA114'1) J47.J07dili&WM'. .,.,,.,-.r,M'Pf'se, u1rai.T r 1150 .aet;a, 1.1.'W)r1DCOld OI -- -tt,.,,.;tcaco. oron:x,.ioLlSASer,,oeC t \al«lC;a'l OIS,.JSPh 1t 7Dl-571-0nhttpt:'1sloref!'Oltt.dlf.il lllllllll dlstllMf'ric: lillo9"l'c , -.n lyMf'Vk" ""fOII .MClHOWTOAC(;f:Sf-rn11Suite.mflFOAASIISTMCELogt vn:ln te m.lKMTOACCCSI'FcttAUIITNCE.Uo()SAI Lo Scc.- A.eatMteeJ s :,o e MOW TO.-cct:11ft!lpl "N'e · "'"'s :iocnooDy OISA(1,UJ:147-1417 OIW-tt(l tll.mdAPANAUPUTICIACct:U.,-WOllli:.,. , :. ' '(Ol.l"h ,,,,,rrtFtATUIIO.MOWTOAC:etnMILl RIVE LITE a n o n-!C'm :;,":.:'. ::,:.pubfic.cyber.milTOPTELEWORKTOOLS, .,,.-«·C CII'' .,.d'-.tCIIPIIOIC ntew'TOMXEIS.i«:l!lillOld; ,hcldarlFld&IHNI(UoDm:wcnpat"*'lt.- ,FOlAIIIITMICl:st,vDlSAtlWJ )41'.JW7 O!N .appaO!NII .DOD TERPRISEPORT AL SERVICEl lL"SOtCv41.al"IOtll"allQtlll'lf(ll)l"l . 1 r l l t V , g - rMrric.nct- .IJ:Nbilltiftmf - -t:,'Il.' - t!S '"' -,o,ccmap,1narg . - 1 1 : a .q:l)'!t t)O!SA !844) )4 7,2U7FOOAMSTAIIClDCPS -'ab'e.,.hOIMS.W: SUW:,,h.J ll"I USA,;d11,&9Ml Hmll.,.,lce.utal fy/u.,,-,a l o , . ""19htlfltl:Nst """"11.d!111.mllniln.ekl""'' """"'., ,. ., . ., .,. .,,. 'l)',"' trtUr .eLmos11Glalbti.,N Ol .\Sl! C.1!'0akiosk. O.OPll kl TlOl4mYKltIUI.CHOlltr-J.:IOuCI J ICor,mon l\cceu Care (CACJ .oFOIIAlaTMCE -DCS-UII SdiKll 1,C k.l0G61J\i1Cl I MM'IIN'CluOI' IYOUghllldll:I-» ionllYClU')t oullh9 W'.ilolot tne COVI0-1 9 .E-.dl)ud.mill'CVl't"""""'r --. clood.mWCVRDoDSAFES DyDtSAta.t)47, 20701W9'0,.,.it-lM.,. -IQPI ,. Y l t T U.IL llwOtteo,.-,,1,,onwac-POS" IOI'MDW TO.flCtl:KGVSTr;,rf',lvo:lC!OCVROlOIAl WIIO tlh'ICU - UHCl.Ala'IO""""""' r.-a.ntdVICCXlllllne&'ol'J. IO""'*'* 'Wtlhn USU"""'c.- tl eotSAJSP 70J-H1 .!117 al"C ll)l'IOl'll'Dne?CfOI ASSITAIC(How canI share fileswith someone ?CI/S ,J c,o,,,,oc,au . w:c1 11dIUNTOACCENl,FRl ht1P9 ·.,,. t.,. ., lftll,' bum.htmpubl lc.cybet.,.t OWTOMXUI.What too ls canI use for a teamvideo conference?.tol'lf:-.r FILE SHARINGVTCllap1,J l t l O I N,l!Ml.'klntllCIGIM.I."""'""". ,., lc. .· ncl Pllbilitln t844) k7 2417GIN.a a G , .,,.Alternative CapabilitiesAlternate capabilities are capabilities that have received a DoD Provisional Authorization(PA TO). However, these capabilities must still be authorized by the component and meet allapplicable DoD cybersecurity policies and standards. Finally, Alternative Capabilities may onlyprocess data types consistent with the data impact level of their PA TO.Services with a Provisional Authorization for Sensitive (but non-classified) DoD data20-S-1290

Cloud Sen icePnn idcrTitleData ImpactLevelCisco HostedCollaborationSolution (HCS-D)IL5IL5BOXCiscoS stems, Inc. XXXMicrosoftServices with a Provisional Authorization for Public (non-FOUO) DoD dataData ImpactCloud Sen iceTitleLe,clPnn idcrAdobeCiscoAvayaIL2XXXCisco WebExIL2XXXCollab9: CloudIL2XXXCiscoCommunications,Contact Centerand

MicrosoftMicrosoft:Dynamics 365for GovernmentIL2XXXXZoomContingency CapabilitiesIf your mission requires a capability which cannot be met by the current approved enterpriseofferings, or by issuing a component ATO for one of the alternate capabilities, contingencycapability requirements must be submitted for approval by DoD CIO and USCYBERCOM.These requirements should be submitted to JFHQ-DODIN athttps ://intelshare. intelink. gov/sites/j fhq-dodin.

CLEAREDFor Open PublicationMay 14, 2020Department of DefenseAppendixBOFFICE OF PREPUBLICATION AND SECURITY REVIEWTelework Best Practices for OrganizationsDUTIES AND RESPONSIBILITIES.1) The organization will provide the overall direction for the individual telework programand ensure employee teleworking activities are consistent with records managementpolicy and mission requirements2) Organizations must enable security measures with the assumption the public networkbetween the teleworking individual and the organization cannot be trusted3) Organizations will review operational processes to maintain telework and remote accesssecurity4) Organizations will review usage restrictions, configuration requirements, connectionrequirements5) Administrative rights will not be granted to users on Government Furnished Equipment(GFE) or equipment furnished to employees of a contracted company6) The organization will monitor and log all GFE device activity of individuals engaged intelework7) Multi-factor authentication will be required when accessing a GFE or contractorfurnished device8) Hosts and devices must use random number values and public/private key pairs for allcryptographic functions9) The organization will provide telework training and ensure any individual engaged intelework has completed the training10) The organization will have a plan for allowing teleworkers to be able to successfully andsecurely telework, and to recover records into the Component's record keepingenvironment11) The organization will develop system threat models for any resource that is accessedremotely12) Organizations must assume that there is a potential for a device being used forteleworking to fall into the hands of malicious actors20-S-1290