
Page 1: Title

Authorized Device and Software Management Initiatives
Unauthorized Device & Unauthorized Software Working Group Bi-weekly Meeting
September 20, 2018

Code 710

Qi’Anne Knox
Shoeb Siraj
Tammy Tuttle

Page 2: Agenda

• Authorized Device (AD) Initiative Phase 1 Update & Next Steps
• NASA GFE & PFE MDM Program
• Software Management (SM) Initiative
• Actions & Tracking

Page 3: AD Initiative Phase 1 Update (1)

• Office 365 (O365) has a tentative deployment completion date of Oct 31
• ActiveSync and Webmail controls enforced via deployment of O365
• 76 O365 early adopters will be affected prior to that (58 users at GSFC, 5 users at IVV, and 13 users at WFF)
• ACES users who are currently enrolled in MDM Phase 2 will need to un-enroll and re-enroll after the migration to O365 is complete
• All non-ACES GFE and personal devices will be eligible for enrollment in MDM Phase 2 after the O365 migration is complete
  – Accessing NASA email via a mobile device outside of MDM will continue to be possible until the user is migrated to O365
  – NASA Webmail (Outlook Web Application) will remain accessible via the public internet until the user is migrated to O365

Page 4: AD Initiative Phase 1 Update (2)

• Phase 1 ACES ordering in process
  – Wave #1: 9/12/18 - 9/16/18 (fulfillment by 10/22/18)
  – Wave #2: 9/18/18 - 9/26/18 (fulfillment by 11/16/18)
  – Please note: anyone placing orders outside the provided waves must notify the End User Services Program Office (EUSO) so they can work with the Center to avoid delay impacts
• Developing workflows to support Government Funded Equipment (GFE) and Personally Funded Equipment (PFE) rollout
• Partner/Corporate VPN connectivity will remain functional without checking for BigFix, tentatively until Q1 FY2020

Page 5: Non-ACES GFE & PFE Workflows (Draft)

Workflow diagram (only the box labels survive from the slide): User Registration (https://mdr.nasa.gov); Civil Servant approval & Security Plan Selection; Civil Servant Approval. Workflow requires Civil Servant approval.

• Center CIOs and/or designees are no longer responsible for approving NAMS requests for MDM Phase 2
• Center CISOs will be responsible for answering any questions regarding Security Plan selection and validation in NAMS for workflow approval

Page 6: AD Initiative Phase 1 Next Steps

• Continue coordination with O365 PM on scheduled activities
• UD Security Requirements are being implemented in conjunction with O365. Requirements of particular interest will be:
  – PIV Authentication is the default required method for authentication
    • RSA Token and UserName/Password can be used to authenticate, but users will need a “PIV Exemption” to utilize either option
  – O365 Services can only be accessed from NASA IP space, the exception being MDM enrolled devices
    • Users will either have to be on Center Networks or VPN’d
• Implement MDM Solution on non-ACES GFE *iOS and Android Smartphones/tablets
• Implement MDM Solution on Personal Mobile iOS and Android Smartphones if the user meets baseline criteria and voluntarily accepts the MDM User Agreement

Page 7: Continue to Stress!

• NASA webmail will no longer be remotely accessible from outside the NASA network, and will require an Agency Badge (PIV or Smart Badge) or RSA Token for authentication. Users will no longer be able to authenticate using username/password except under a “PIV Exemption”
• Webmail will remain remotely accessible via VPN with an Agency Badge or RSA token
• Remote users will no longer be able to access NASA email via the Microsoft Outlook (or compatible) client unless they are connected to the NASA internal network via VPN
  – Personal Devices are not authorized to connect per UD Policy

Page 8: NASA GFE & PFE MDM Program (1)

• Users should not enroll any non-ACES device in MDM until they have been migrated to O365. Users will receive notification of the migration schedule two weeks prior to occurrence with instructions and additional details
• NASA will not authorize personal devices for use on the NASA network; however, users may be eligible to enroll their personal smartphone (iOS or Android) in NASA’s MDM Program given they meet the initial set of baseline requirements
• Enrollment of a personal device in NASA’s MDM program is voluntary, and the government will not mandate the requirement to anyone
• Users are only allowed to enroll 1 personal device in NASA’s MDM program
• Users who have an enrolled ACES or GFE device are not eligible to enroll a personal device in the NASA MDM program due to current license limitations

Page 9: NASA GFE & PFE MDM Program (2)

• NASA personnel who have the NASA MDM container or solution installed on their personally owned devices shall not access the MDM solution from such a device while outside the U.S. and its territories (enforced through the use of geofencing capabilities)
• Security controls will be levied to ensure users remain up to date on their operating system
• Security controls will be levied to ensure users are not violating supply chain management controls (certain phones/models will be blacklisted from participation)
• All users registering a personal device will be required to submit a NAMS request for approval
• All users registering a personal device will be required to accept the MDM terms of use via SATERN training on an annual basis

Page 10: SM Initiative

• GSFC Web Content Filter Transition was on Sept 4
• Developing process to review web content currently categorized as unrated
• The current web content review process relies on email technology
• Planning to transition to automated portal early October
• Building inventory list from BigFix dataset to create baseline and begin developing whitelist
• Planning bi-weekly meetings with SM points of contact to identify next steps

Page 11: Sept 6 Actions

• System Security Plans (SSPs):
  – Please let us know about the System Security Plans (SSPs) to which the staff will link the Non-ACES GFE devices during the NAMS workflow
    • The goal is to create a drop down list per Center on the NAMS workflow
  – Add government funded equipment to system security plan
• UD Orders:
  – Please review the ACES order forecast that you have sent previously and let us know of any change; please only include what has not been ordered
  – Please let us know the day prior to any orders, conforming to the provided wave schedule
    • Forward/Copy RITM and email to Emma Coates at [email protected] and [email protected]
  – For any orders outside the provided waves, please let us know so EUSO is aware and they can try to work with the Center to avoid delay impacts

Page 12: Action Tracking

Directorate / Mission   Status
100, 110                Received Sept 19 from Danielle Mahone
150
200                     Received Sept 6 from Patty Gay
300
400                     Received Sept 18 for L7 from KT
500                     Received updated forecast Sept 19 from Monisha Dawson
600                     Received Sept 14 from Jeff Simpson
700
800                     Reported 0 devices; N/A from Jeff Ross
JPSS
GOES-R (410)
STScI
ESMO (428)
ESDIS
HST
JWST
SSMO
IV&V
WSC (452)

Page 13: GSFC Points of Contact

• Please continue to communicate your concerns and suggestions to us, which we will communicate up.
  – [email protected]
  – [email protected]
  – [email protected]
• Next Meeting is Oct 11

Page 14: Backup

Page 15: MDM Baseline Requirements

• Civil Servants. A NASA Civil Servant may be permitted to participate in the MDM Program if two conditions are met. First, the Civil Servant must need remote access to NASA e-mail and calendaring functions in order to effectively perform his or her job duties. Second, the Civil Servant must voluntarily request to use their personally-owned mobile device instead of GFE.
• Contractor Personnel. An employee of a contractor may be permitted to participate in the MDM Program if two conditions are met. First, the employee must need remote access to NASA e-mail and calendaring functions in order to accomplish contract tasks. Second, use of a personally-owned mobile device must be more efficient and/or cost-effective than using GFE for remote access.
• Other Individuals. Other individuals, such as grantees, investigators, or partners, may be permitted to participate in the MDM Program if two conditions are met. First, the individual must need remote access to NASA e-mail and calendaring functions in order to accomplish a NASA purpose. Second, use of a personally-owned mobile device must be more efficient and/or cost-effective than using GFE for remote access.