Authorized Device And Software Management Initiatives - NASA

Authorized Device and Software Management Initiatives
Unauthorized Device & Unauthorized Software Working Group Bi-weekly Meeting
October 25, 2018
Code 710
Qi’Anne Knox
Kazeem Adelakun
Shoeb Siraj

Agenda
• Roll Call
• ACES Order Status Update
• Authorized Device (AD) Initiative Phase 1 Update
• Upcoming Action and Reminders
• Web Content Filter Update
• Software Management (SM) Initiative
• Communication/Outreach
• References

Roll Call

AD: ACES Orders Status
• Orders not received to date may impact delivery as it relates to Office 365 (O365) Velocity Migration requirements
• Please continue to coordinate with Emma Coates from End User Services Office (EUSO) for orders not fulfilled within waves and send RITM numbers from orders placed
CenterGSFCGSFCGSFCQTY Total ordered Open DifferenceACES Seat Forecast to date Orders from 019TOTAL GSFC6473936084

AD: Phase 1 Update (1 of 3)
• Starting MDM rollout with Office 365 (O365) early adopters including non-ACES Government Funded Equipment (GFE) and Personally Funded Equipment (PFE) devices; coordinating with Agency Team
• Current ActiveSync users today will receive NASA MDM enrollment emails first because of 10K license cap
• “Security controls will be levied to ensure users remain up to date on their operating system (OS)”
  – Today, users will get alerts that their OS needs to be updated to continue using MDM. In the future, a more active updating mechanism may be implemented to include updates to MDM and pushing
  – Pushing only applies to GFE, not PFE
• Changes to user agreement briefed to IT Counsel on October 23
• Corporate/partner devices access to NASA MDM will be explored

AD: Phase 1 Update (2 of 3)
• Phase 1 of UD Policy will be enforced as employees are migrated to O365
• Status updates from O365 Project Manager:
  – Officially rolled out MDM with encryption on O365 (messaging sent to early adopters regarding this)
  – Linux with O365:
    • The current identified solution for Linux is Evolution 3.27
    • Thunderbird does not support the required modern authentication
    • A workaround is to utilize the portal (webmail), but encryption won’t work
    • EUSO is currently looking at options for how to make Evolution 3.27 available to the NASA Linux users
  – Current Apple Mac users will need to upgrade to Outlook 2016 to correctly authenticate prior to O365 migration
  – O365 Services can only be accessed from NASA IP space, exception being MDM enrolled devices; Users will either have to be on Center Networks or Virtual Private Network (VPN)

AD: Phase 1 Update (3 of 3)
• Timeline: Calendar Year 2018 Fourth Quarter
  – UD Security Requirements are being implemented in conjunction with O365; GSFC O365 deployment will begin no earlier than mid-November
• Next Steps:
  – Continue coordination with O365 Project Team (Agency and Local)
  – Continue exploring single Mobile Device System Security Plan at GSFC
    • Continue working with Chief Information Security Officer (CISO) and necessary parties exploring the feasibility
  – Coordinate PIV Exempt User Validation Action with the working group
    • Work with Identity, Credential, and Access Management (ICAM) Team to discuss impact on Federal Information Security Management Act (FISMA) score, Chief Information Officer (CIO), and UD Agency UD Project Team

AD: Phase 2 Update
• Timeline: To Be Determined (TBD) and will be discussed more early next calendar year (full compliance targeted for Dec 2019)
• However, brainstorming solutions for partner/corporate devices has already started (i.e. clientless solution)
  – Partner systems must have an external authorization to operate that defines required access
  – Connectivity options for mitigating risk and limiting connectivity to only required systems are being evaluated
  – Various partner profiles will need to be developed based on access needed
  – The Agency will work with Centers to get concurrence on profiles

AD: Action
• Focus on “Long Term and Mission Critical” users in the “Master Approved PIV Exemptions” Tab
  – These users should be fine when migrating to O365; The users who are not part of this spreadsheet will not transition successfully to O365
• Review “Email Acct No PIV or ASB” Tab. If the users are not on the “Master Approved PIV Exemption” spreadsheet and should be PIV exempt, provide their names to GSFC-IT-SecurityReview@mail.nasa.gov by COB November 5
  – We will work with the Center CIO, ICAM, UD Agency Team, and additional parties as needed

AD: Reminders
• NASA webmail will no longer be remotely accessible from outside the NASA network, and will require an Agency Badge (PIV or Smart Badge) or RSA Token for authentication
  – Users will no longer be able to authenticate using username/password except for “PIV Exemption”
• Webmail will remain remotely accessible via VPN with an Agency Badge or RSA token
• Remote users will no longer be able to access NASA email via the Microsoft Outlook (or compatible) client unless they are connected to the NASA internal network via VPN
  – Personal Devices are not authorized to connect per UD Policy

SM Initiative: Web Content Filter
• GSFC WCF Transition:
  – As of October 24th, the new portal to unblock web pages has gone live
    • Users will be directed to the portal instead of to an email to Center Security
  – A process to review web content currently categorized as unrated is being developed
    • End goal is to get back to the original state of blocking unrated categories by January 1, 2019
    • Briefly conducted audit of sites previously categorized as unrated and several have been recategorized

SM Initiative: Unauthorized Software
• Unauthorized Software:
  – Attended first Agency Software Management Tiger Team meeting on October 23
    • The Agency SM team is focused on licensing currently
    • Center Security will interface with CSPD (Cybersecurity & Privacy Division) to establish security segment of Software Management
  – FAQs page will be updated and posted by the end of next week
  – BigFix dataset is still being assessed to create baseline and begin developing whitelist

Communication/Outreach
• Status of Office 365 (O365) Deployment & Authorized Device (AD) Initiative / Unauthorized Device (UD) Policy sent October 23 at 12:02 PM
  – More than 670 end users migrated to O365 across all centers
  – Full Velocity migration delayed because of migration issues
  – Additional testing at Marshall Space (October 24 – November 8)
  – Upon completion, readiness for full migration will be assessed and a timeline for full migration will be established
  – Full GSFC O365 deployment will begin no earlier than mid-November
  – Phase 1 of UD Policy will be enforced as employees are migrated to O365

GSFC Points of Contact
• Please continue to communicate your concerns and suggestions to us, which we will communicate up.
  – GSFC-IT-Security-Review@mail.nasa.gov
  – qianne.l.knox@nasa.gov
  – shoeb.siraj@nasa.gov
  – kazeem.a.adelakun@nasa.gov
• Would you prefer the next meeting to be November 1st or 8th?

References
• MDM Registration Site: https://mdr.nasa.gov/
• Registration Documents: https://aces.ndc.nasa.gov/subnav/mdm.html
• NAMS Workflow (not live):
  – MDM PFE (ID: 252534) -
  – MDM GFE (ID: 252533) - https://idmax.nasa.gov/nams/asset/252533/017767035
• NASA’s Strategy to Improve Network Security OCIO ve-network-security
• O365 Resources: http://inside.nasa.gov/euso/office-365-resources
• AD/SM on ITCD Website: https://itcd.gsfc.nasa.gov/
• Web Content Filter ty/servicemanagement/SitePages/Website Access Requests.aspx
