SP 800-46 Rev. 3 (Draft)

PRE-DRAFT Call for Comments: Guide to Enterprise Telework Security

Date Published: September 10, 2020
Comments Due: October 30, 2020
Email Comments to: telework@nist.gov

Announcement

Summary

NIST requests review and comments on Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. This document presents recommendations for safeguarding the technologies used for telework and remote access.

The public comment period is open through October 30, 2020. See the planned objectives (below) for updating the SP. Please submit your comments to telework@nist.gov. Note that all comments are subject to release under the Freedom of Information Act (FOIA).

Background

Originally published in 2002, SP 800-46 was most recently updated in 2016. Work-from-home and other forms of telework—performing work from locations other than an employer’s facilities—have been on the rise for some time, but sharply increased in 2020 because of the COVID-19 pandemic. For many, telework is now the only way to get work done, and the original concept of "telework" has evolved into being able to work anytime, anywhere.

The technologies used for telework have also evolved since 2016. Examples of this include the ubiquity of mobile devices, the expectation to be able to access information from anywhere at any time, and the highly distributed nature of data and apps across end user devices, data centers, and clouds. Telework and zero-trust architecture may even be converging in the near future.

All of these recent changes are affecting cybersecurity and privacy risks, and organizations need to be aware of and manage these risks. Accordingly, NIST is soliciting public feedback on this Special Publication to identify areas that industry, government, and others deem most important to revise or add. NIST would also like suggestions of existing resources related to telework cybersecurity and privacy that could help inform the update of SP 800-46. Please send all comments to telework@nist.gov.

Community of Interest

NIST is also building a community of interest so that interested individuals and organizations can follow the progress of NIST telework cybersecurity and privacy publications and can provide input on them. To join the community of interest, please send a request to telework@nist.gov.

Planned Updates

Reviewers are welcome to comment and suggest changes and enhancements to any parts of the publication. We are particularly interested in comments on our planned objectives for updating SP 800-46, which are listed in the table below along with the high-level changes each objective is intended to address. Reviewers are encouraged to provide feedback on the contents of the table, citing the relevant objectives and changes by number and letter, respectively. After we review all comments and finalize the table, it will serve as the basis of determining what needs to be revised in SP 800-46 and other NIST publications on telework cybersecurity and privacy.

Objective 1: Reflect changes in how telework is performed.
  High-level changes to address:
  a. More people are teleworking, many of whom haven’t teleworked before.
  b. Many people are teleworking for extended periods of time, with neither the people nor their devices necessarily visiting the organization’s facilities during that time.
  c. Mobile device usage has increased, and mobile devices can do much more than they used to.
  d. Teleworkers frequently use services not controlled by the organization, such as ad hoc file sharing, instant messaging/chat, and teleconferencing and videoconferencing services.
  e. Organization-controlled and personally-owned technologies are increasingly intermingled.
  f. Telework is more often occurring from networks shared with potentially compromised Internet of Things (IoT) devices.
  g. By default, the networks that the devices are connected to are untrusted and exposed to malicious attacks.

Objective 2: Reflect changes in the role of remote access technologies.
  High-level changes to address:
  a. The migration to cloud-based applications and services has degraded traditional perimeter-based security models.
  b. A smaller percentage of telework traffic is passing over an organization’s networks unless that traffic is specifically tunneled through those networks, so organizations are losing visibility and control.
  c. Device and access provisioning occur away from the organization’s facilities.
  d. Many organizations are adopting zero-trust principles.

Objective 3: Update all references and mappings to references.
  High-level changes to address:
  a. The NIST Cybersecurity Framework and SP 800-53 publications have been updated since the last SP 800-46 revision, so their mappings are out of date.
  b. The NIST Privacy Framework has been released since the last SP 800-46 revision, so mappings to it could be added to SP 800-46.
  c. Several other NIST publications with related material have been created or updated since the last SP 800-46 revision (e.g., SP 800-124 for mobile device security, SP 800-207 for zero-trust architecture, SP 800-77 for IPsec, SP 800-52 for TLS).

Objective 4: Shorten SP 800-46 to improve its readability.
  High-level changes to address:
  a. Some of the existing material is already widely known by today’s readers or is no longer relevant to most readers, so it could be condensed, deleted, or moved to auxiliary publications.
  b. There may be content in SP 800-46 that is also covered in other NIST publications, so removing such material and pointing readers to the other NIST publications would shorten SP 800-46 and ensure readers are seeing the latest content on the topics.
  c. There are additional telework topics to address, like teleconferencing/videoconferencing security practices or secure file transfer technologies, but they are discrete and evolving. It is unclear how much of this new content should be added to SP 800-46 versus producing separate documents on individual topics.

Documentation

Related NIST Publications:
SP 800-46 Rev. 2

Document History:
09/10/20: SP 800-46 Rev. 3 (Draft)