ML22101A264

CSO-GUID-2111 Remote Access ESA Guidance v1.0 Errata
ML22101A264
Person / Time
Issue date: 09/15/2021
From:
NRC/OCIO/CISD
To:
Shared Package
ML22101A241 List:
References
CSO-GUID-2111

Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Guidance

Office Instruction: CSO-GUID-2111
Office Instruction Title: Remote Access Enterprise Security Architecture Guidance
Version Number: 1.0
Effective Date: September 15, 2021
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO

Description:

CSO-GUID-2111, Remote Access Enterprise Security Architecture Guidance, provides additional information in complying with the remote access security requirements specified in CSO-STD-2111, Remote Access Enterprise Security Architecture Standard.

Training: As requested

Approvals

Primary Office Owner: Office of the Chief Information Officer (OCIO) / Computer Security Organization (CSO)

Signature / Date:
SWG Chair: Bill Bauer, /RA/, 8/17/2021
CISO (Acting): Garo Nalabandian, /RA/, 8/23/2021

CSO-GUID-2105 Page i

TABLE OF CONTENTS

1 PURPOSE ........ 1
2 GENERAL GUIDANCE ........ 1
2.1 REMOTE ACCESS METHODS ........ 1
2.1.1 Virtual Private Network ........ 2
2.1.2 Citrix Broadband Remote Desktop ........ 3
2.1.3 Direct Access ........ 3
2.2 REMOTE ACCESS ENDPOINTS, NETWORK TYPES, AND SERVICES ........ 3
2.3 REMOTE ACCESS EXAMPLES ........ 4
2.4 DIGITAL IDENTITY ........ 6
2.4.1 Identity Proofing and Enrollment ........ 7
2.4.2 Digital Authentication ........ 7
2.4.3 Federation and Assertions ........ 8
2.5 INFORMATION SENSITIVITY ........ 8
2.6 ENDPOINT IDENTIFICATION AND AUTHENTICATION ........ 8
2.7 REMOTE ACCESS SECURITY ........ 9
3 SPECIFIC GUIDANCE ........ 9
3.1 USE OF REMOTE ACCESS METHODS FOR ENDPOINTS AND ORIGINATING NETWORK TYPES ........ 9
3.1.1 NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic ........ 10
3.1.2 Non-NRC Computers ........ 12
3.1.3 NRC Loaner Mobile Desktop - International ........ 13
3.2 REMOTE ACCESS RECOMMENDATIONS BY ORIGINATING AND DESTINATION ENDPOINTS OR SERVICES ........ 14
3.2.1 NRC Mobile Desktop / NRC Loaner Mobile Desktops ........ 14
3.2.2 NRC Network Devices ........ 15
3.2.3 Remote Access Recommendations for Endpoints and Network Devices ........ 15
APPENDIX A. ACRONYMS ........ 17
APPENDIX B. GLOSSARY ........ 19

List of Tables

Table 2.2-1: Endpoint Types ........ 4
Table 3.1-1: Remote Access Methods for NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic ........ 11
Table 3.1-2: Remote Access Methods for Non-NRC Computers ........ 12
Table 3.1-3: Remote Access Methods for NRC Loaner Mobile Desktop - International ........ 13
Table 3.2-1: Remote Access Recommendations for Endpoints and NRC Network Devices ........ 16

Computer Security Guidance CSO-GUID-2111 Remote Access Enterprise Security Architecture Guidance

1 PURPOSE

CSO-GUID-2111, Remote Access Enterprise Security Architecture Guidance, provides additional information in complying with the remote access security requirements specified in CSO-STD-2111, Remote Access Enterprise Security Architecture Standard, for the Nuclear Regulatory Commission (NRC) network-computing environment.

This document is intended for system administrators, system and solution architects, information technology (IT) system managers (operational and project-related), system owners, and Information System Security Officers (ISSOs) to ensure compliance with CSO-STD-2111 and CSO-STD-2105, NRC User Remote Access and International Travel Security Standard.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines, provides guidance related to the digital identity of a user engaged in online transactions and remote access to a system. Its companion documents provide further detail: NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing, defines the user enrollment and identity proofing process, and NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, and NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions, provide details on assurance levels for remote access. These documents provide guidance to facilitate compliance with CSO-STD-2111.

2 GENERAL GUIDANCE

The security requirements specified in CSO-STD-2111 relate to remote access to NRC systems. The requirements in the standard are derived from the following high-level concepts and terminology associated with the NRC enterprise security architecture (ESA).

2.1 Remote Access Methods

NRC has three approved remote access methods to access NRC resources processing information up to, and including, the Sensitive Unclassified Nonsafeguards Information (SUNSI) or Controlled Unclassified Information (CUI) (excluding Safeguards Information [SGI]) level:

1. Virtual Private Network (VPN)
2. Citrix Broadband Remote Desktop (BRD)
3. Direct Access (DA)

The remote access methods are used in conjunction with appropriate authentication and encryption methods. The following subsections provide further details of the remote access methods.

2.1.1 Virtual Private Network

A VPN connection allows secure transmission of data from an endpoint on the internal network to a remote location on the internet. The endpoints can be either physical or logical in nature and are placed at the originating or terminating end of a communications channel. Examples of endpoints include:

- NRC Desktops
- NRC Mobile Desktops
- Smartphones
- Tablets
- Servers
- Gateways
- Platform as a Service (PaaS) devices
- Software as a Service (SaaS) Application Program Interfaces (APIs) in a cloud environment

VPN uses tunneling protocols to encapsulate data within another transmission protocol while traversing internal or external networks. Merely encapsulating data within a transmission protocol, without encryption, is not enough to protect the information from unauthorized access. VPN data protection occurs when data is both encapsulated and protected using encryption while traversing internal or external networks.

A VPN connection with encryption is used to establish and maintain secure, logical connections between separate networks, systems, or sites (e.g., business locations) with communications occurring over internal or external networks. The VPN connection is established between two networked endpoints, such as NRC Mobile Desktops and VPN gateways.

For example:

A VPN connection is established when a user initiates a remote access request from an NRC Mobile Desktop, using GlobalProtect VPN client, to access NRC resources over the internet connection.

Users access different systems through multiple VPN gateways (e.g., between multiple NRC systems in different geographic locations, or between NRC and external systems), with communication occurring over internal and external networks.

With advancements in technology, more prevalent Always On VPN remote access solutions are now available that can assist organizations with improved patch deployment, security updates, endpoint protection, and configuration/asset management through persistent connectivity.

Always On VPN remote access is often configured to permit selective connectivity to the internet for applications that are accessible via DA remote access in case the VPN remote access fails. Remote access VPNs provide connectivity for the external clients to access the internet and other NRC resources when an endpoint is not directly connected to the NRC internal network.

For example:

An NRC Mobile Desktop (after user login) uses an Always On VPN application to connect to the VPN gateway to receive client configuration and establish a VPN tunnel that allows the client to connect to the NRC internal network and access agency resources over the internet (e.g., Microsoft 365 [M365] applications).

2.1.2 Citrix Broadband Remote Desktop

The Citrix BRD remote access method provides secure entry from an external network into NRC managed networks. Citrix BRD provides web-based remote desktop connections to authenticated users and enables access to NRC resources.

For example:

A user can remotely access their desktop or business applications through a centralized interface, as used in a virtual desktop infrastructure (VDI). Similarly, a mobile device (e.g., smartphone, tablet) can access NRC resources through the Citrix BRD remote access method.

2.1.3 Direct Access

The DA method requires users to identify and authenticate to NRC systems and resources from external networks for accessing information up to, and including, the SUNSI or CUI (excluding SGI) level. DA applications encrypt all data in transit between the remote access user and the direct access server(s).

For example:

A DA application is used to access M365 remotely. This DA application is web-based and provides authorized and authenticated user access to NRC M365 applications from external networks.

Mobile applications (e.g., MaaS360) on a smartphone or tablet can be used to remotely access resources on an NRC managed network through a DA method.

2.2 Remote Access Endpoints, Network Types, and Services

The NRC approved endpoints (e.g., Mobile Desktops, Loaner Mobile Desktops) provide user remote access to NRC networks and systems using appropriate network types or services. In a cloud-based environment, an endpoint may be either physical or virtual, or merely a service (e.g., a SaaS environment is not device centric). Remote access can originate from or terminate at an endpoint or a service, dependent upon the network type or system environment in use (e.g., NRC Enterprise Network or Infrastructure as a Service [IaaS]).

In an on-premises infrastructure (e.g., a legacy datacenter environment with servers, storage, networking, and destination endpoints) all aspects of the infrastructure from the physical hardware all the way up the stack to the application level is set up and managed in a traditional way.

In a cloud infrastructure (i.e., IaaS, SaaS, or PaaS environment) services are provided through a self-service model for accessing, monitoring, and managing a remote datacenter infrastructure with virtualized computing, storage, networking, and network services (e.g., firewalls). The cloud infrastructure is set up and managed by the cloud service provider, and the operating systems, middleware, and application software are purchased, installed, configured, and managed by the service subscriber. The virtualized computing endpoints (e.g., servers), networking endpoints (e.g., VPN gateways), or software application services (e.g., M365) are configured and operate at a remote cloud-based datacenter location.

Table 2.2-1 lists endpoint types and examples of endpoints that are considered as an originating or destination endpoint type.

Table 2.2-1: Endpoint Types

Endpoint Type: Examples of Endpoints
- NRC Desktops: Physical or virtual desktops.
- NRC Mobile Desktops: NRC Mobile Desktops, NRC Loaner Mobile Desktops.
- Government Furnished Equipment (GFE) or Bring Your Own Device (BYOD) Devices: GFE or personally owned smartphones, or tablets, enrolled in an authorized NRC BYOD program.
- NRC Network Devices: A physical or virtual network device. Examples include VPN gateways, integrated services routers, unified threat monitoring devices, or other appliances on NRC networks.
- NRC Servers: Physical or virtual servers (e.g., on premise virtualization, cloud IaaS) with a role of web application server or portal server.
- PaaS or SaaS Endpoints: Cloud-based applications/platform services (e.g., SaaS web application, PaaS VPN gateway).

2.3 Remote Access Examples

This section provides examples of remote access that traverse the internet to and from NRC defined network types. These examples are not all-inclusive; the objective is to provide an understanding of how remote access applies to the NRC (both at the current time and in the future).

Table 2.3-1 identifies NRC network types and provides examples of remote access to and from NRC network types. All remote access examples require proper user identification and authentication.

Table 2.3-1: NRC Network Type and Remote Access Examples

NRC Wide Area Network (WAN)
- Enterprise Network: NRC Mobile Desktop users establish a VPN tunnel from public access networks to access the NRC enterprise network. The VPN tunnel traverses the internet from public access networks. NRC desktop users on the NRC enterprise network establish DA to systems hosted on vendor networks. The DA traverses the internet from the NRC enterprise network to vendor networks.
- Business/Application Networks: NRC applications in business/application networks establish a VPN tunnel to an external system, such as one hosted by a different federal agency or commercial organization, for data transfer. The VPN tunnel traverses the internet to perform data transfer from the NRC business/application network to the external system.

Home Networks
- Wired or Wireless Networks: An NRC user using a home wired or wireless network establishes a VPN tunnel to access the NRC enterprise network. The VPN tunnel traverses the internet from the home network to access resources on the NRC enterprise network. If the VPN connection is not available for technical reasons, Citrix BRD or DA methods can be used to access resources on the NRC enterprise network. Access may originate from a mobile device that utilizes Citrix BRD or DA remote access methods.

Cellular Networks
- GFE Cellular Hotspots (connection via Wi-Fi, wired, Universal Serial Bus [USB] tethering or Peripheral Component Interconnect Express [PCIe] cellular modem): An NRC Mobile Desktop user establishes a VPN tunnel by using a GFE Cellular Hotspot to access the NRC enterprise network. The VPN tunnel traverses the internet from the cellular network to access resources on the NRC enterprise network. If the VPN connection is not available for technical reasons, Citrix BRD or DA can be used to access resources on the NRC enterprise network. A mobile device (e.g., smartphone or tablet) can be used for access.
- Non-GFE Cellular Hotspot (connection via Wi-Fi, wired, USB tethering or PCIe cellular modem): An NRC Mobile Desktop user establishes a VPN tunnel by using a non-GFE Cellular Hotspot to access the NRC enterprise network. The VPN tunnel traverses the internet from the cellular network to access resources on the NRC enterprise network.

Travel Networks
- Hotel/Lodging or Transit Networks (including Airplane, Airport, Rail, Bus - wired or wireless): An NRC Mobile Desktop user establishes a VPN tunnel by using a hotel/lodging or transit network to access the NRC enterprise network. The VPN tunnel traverses the internet from any of these networks to access resources on the NRC enterprise network. NRC users utilize mobile applications (e.g., MaaS360, M365) on their smartphones and tablets to access NRC resources through DA using travel networks.

Business Guest Networks
- NRC Guest Wireless Network: An NRC Mobile Desktop user connects to the NRC enterprise network using a VPN tunnel over the NRC Wireless Guest Network. The VPN tunnel traverses the internet to access resources on the NRC enterprise network.
- Other Business Guest Wireless Networks: NRC users visiting other businesses use an NRC Mobile Desktop to establish access to the NRC enterprise network using a VPN tunnel. The VPN tunnel traverses the internet to access resources on the NRC enterprise network.

Licensee Wireless Networks
- NRC users visiting a licensee site use an NRC Mobile Desktop to establish access to the NRC enterprise network using a VPN tunnel. The VPN tunnel traverses the internet to access resources on the NRC enterprise network.
- An NRC user visiting a licensee site can directly access NRC web applications, which are accessible over the internet. The DA traverses the internet from the licensee network to access NRC resources (e.g., web applications requiring user identification and authentication).

Other Publicly Accessible Wireless Networks
This refers to wireless networks that are specifically made available for use by an organization's or business's customers or visitors (e.g., protected wireless networks in libraries, telework centers). This does not include wireless networks where it is not clear that the network is made available for public access (e.g., unprotected wireless networks in an apartment or condominium building).
- An NRC Mobile Desktop user establishes access to the NRC enterprise network through publicly accessible wireless networks using a VPN tunnel. The VPN tunnel traverses the internet to access resources on the NRC enterprise network.
- NRC users visiting other organizations/businesses can directly access NRC mobile applications (e.g., MaaS360, M365) that are accessible over the internet. The DA traverses the internet from publicly accessible wireless networks to access NRC resources (e.g., from a smartphone or tablet after user identification and authentication).

2.4 Digital Identity

Granting remote access for users requires validation of their digital identity. Digital identity is the unique representation of a user engaged in an online transaction. Digital identity consists of two primary parts:

1. Identity Proofing and Enrollment: Establishes that a user is who he/she claims to be.
2. Digital Authentication: Establishes that a user attempting to gain remote access is in control of one or more authenticators associated with that user's digital identity.

An additional area of digital identity is federation, which provides the ability for a relying party (e.g., cloud service) to obtain and use identity information from an identity provider (e.g., enterprise NRC Identity, Credential and Access Management [ICAM] services).

The Office of Management and Budget (OMB) memorandum, M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management, requires federal agencies to follow NIST SP 800-63-3 and establishes policy for the federal government's approach to ICAM.

The digital identity guidelines specified in NIST SP 800-63-3 facilitate compliance with the memorandum. OMB M-19-17 reinforces Homeland Security Presidential Directive 12 (HSPD-12) policy and the use of Personal Identity Verification (PIV) credentials for the digital identity of federal employees and contractors. The memo also requires agencies to support PIV assertions from other agencies.

The following subsections provide further information in accordance with NIST SP 800-63-3.

2.4.1 Identity Proofing and Enrollment

Identity proofing is the process by which the credential issuer (e.g., system owner, ISSO) validates sufficient information that uniquely identifies a person applying for the credential.

There are three Identity Assurance Levels (IALs) [1] with varying levels of requirements. These requirements are based on the acceptable identity proofing techniques to increase user identity acceptance, decrease false negatives (i.e., legitimate applicants that cannot successfully complete identity proofing), and detect the presentation of fraudulent identities by a malicious applicant. The credential issuer provides the applicant with an identifier (authenticator) after validating the identification credentials by utilizing an identity resolution, validation, and verification process. Further details on identity proofing and enrollment processes can be found in NIST SP 800-63A.

2.4.2 Digital Authentication

Digital authentication is the process of determining the validity of one or more authenticators used to claim the digital identity of a user. Authentication establishes that a user attempting to gain access to NRC systems is in control of the technologies used to authenticate.

Authentication is performed by verifying that the user is in control of one or more assigned authenticators. The authenticators are assigned to a user, at three different Authenticator Assurance Levels (AALs) [2], to provide the appropriate level of confidence that the user controls the authenticator bound to the user's account. Successful authentication requires that the user proves possession and control of the authenticator through a secure authentication protocol.

Further details on authentication and lifecycle management can be found in NIST SP 800-63B.

[1] NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing, Section 2.2, Identity Assurance Levels, describes each IAL: https://doi.org/10.6028/NIST.SP.800-63a
[2] NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, Section 4, Authenticator Assurance Levels, describes each AAL: https://doi.org/10.6028/NIST.SP.800-63b

2.4.3 Federation and Assertions

Federation is a process that allows an identity provider to provide authentication attributes and (optionally) subscriber attributes to a number of separately administered relying parties through the use of assertions. As a part of the digital identity process, Federation Assurance Levels (FALs) [3] refer to the strength of an assertion in a federated environment (e.g., multiple distinct identity management systems) that conveys authentication and attribute information to a relying party. There are three FALs to choose from, based on the agency risk profile and the potential harm caused by an attacker taking control of federated transactions. Federation authorities establish parameters regarding acceptable IALs, AALs, and FALs in conjunction with their federated relationships.

Several assertion types can be used, the most common being Security Assertion Markup Language (SAML), which uses an Extensible Markup Language (XML)-based framework for creating and exchanging authentication and attribute information between trusted entities over the internet.

With Just-in-Time (JIT) provisioning for user communities, a SAML assertion can be used to create user accounts on the fly the first time a user logs in through an identity provider. This process eliminates the need to create user accounts in advance. Further details on federation and assertions can be found in NIST SP 800-63C.
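The following is an added example (not part of CSO-GUID-2111 and not NRC code) of what a relying party checks on a SAML assertion before it trusts it for JIT provisioning: the Conditions validity window, the audience restriction, and replay of an assertion ID that was already consumed. The assertion text, the identity provider and relying party entity IDs (`example.invalid`), and the in-memory user store are all constructed for illustration. XML signature verification, which a real relying party must perform before anything in the assertion is trusted, is assumed to have been done by the SAML library before this code runs.

```python
"""Relying-party checks on a SAML 2.0 assertion plus just-in-time user provisioning.

Added example; the assertion, entity IDs and user store below are constructed.
Signature verification is assumed to happen upstream (see lead-in).
"""
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://rp.example.invalid/saml"  # placeholder relying party entity ID

# Constructed assertion: 5-minute validity window, one audience, two attributes.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2021-09-15T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-09-15T12:00:00Z" NotOnOrAfter="2021-09-15T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://rp.example.invalid/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed "current time" values: inside the window, and exactly at NotOnOrAfter.
NOW_VALID = datetime(2021, 9, 15, 12, 1, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2021, 9, 15, 12, 5, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(root, now, audience):
    """Reject an assertion outside its validity window or addressed to another relying party."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion audience does not include this relying party")


def extract_subject(root):
    """Return (NameID, {attribute name: value}) from a validated assertion."""
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


class RelyingParty:
    """Minimal relying-party state: provisioned users and assertion IDs already consumed."""

    def __init__(self, audience=EXPECTED_AUDIENCE):
        self.audience = audience
        self.users = {}        # NameID -> attributes (stands in for a directory)
        self.seen_ids = set()  # assertion IDs accepted so far (replay protection)

    def login(self, xml_text, now):
        """Validate the assertion, reject replays, then create or refresh the account."""
        try:
            root = ET.fromstring(xml_text)
            validate_conditions(root, now, self.audience)
            assertion_id = root.get("ID")
            if assertion_id in self.seen_ids:
                raise ValueError("assertion replayed")
            self.seen_ids.add(assertion_id)
            name_id, attrs = extract_subject(root)
        except (ValueError, ET.ParseError) as exc:
            return {"ok": False, "error": str(exc)}
        created = name_id not in self.users          # JIT: first login creates the account
        self.users.setdefault(name_id, {}).update(attrs)  # later logins refresh attributes
        return {"ok": True, "name_id": name_id, "created": created}


if __name__ == "__main__":
    rp = RelyingParty()
    print(rp.login(ASSERTION_XML, NOW_VALID))    # first login: account created
    print(rp.login(ASSERTION_XML, NOW_VALID))    # same assertion again: replay rejected
    print(rp.login(ASSERTION_XML, NOW_EXPIRED))  # outside the window: rejected
```

The replay set is bounded in practice by pruning IDs once their NotOnOrAfter has passed, since an assertion past its window is rejected by the time check anyway.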

2.5 Information Sensitivity

Information processed within NRC networks can be of different sensitivity levels. Therefore, remote access to NRC systems is controlled in accordance with security requirements for each sensitivity level. The following information sensitivity levels can be processed within appropriate network systems:

- SUNSI or CUI (excluding SGI): This information can only be processed within NRC managed networks and networks managed on behalf of NRC.
- Safeguards Information (SGI): This information can only be processed within specific SGI networks.
- Classified Information: This information can only be processed within specific classified networks.

2.6 Endpoint Identification and Authentication

Endpoint identification and authentication ensures that only authorized endpoints (e.g., NRC Mobile Desktops, NRC Loaner Mobile Desktops, servers) can establish a connection to NRC systems.

Uniquely identifying and authenticating endpoints before establishing remote access to NRC systems is frequently accomplished using public key infrastructure (PKI) certificates.

[3] NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions, Section 4, Federation Assurance Levels, describes each FAL: https://doi.org/10.6028/NIST.SP.800-63c

2.7 Remote Access Security

The nature and scope of cybersecurity threats change while working remotely, whether from home or during travel. These scenarios present challenges especially due to the use of, and reliance on, personal and non-NRC equipment, such as personal computers, networks, and other endpoints. These endpoints may not be securely configured or up-to-date on security patches, or may be infected with malware. Therefore, the following key factors should be kept in mind in relation to remote access security:

- Monitor endpoint security patching status (especially for NRC issued devices) and flag any vulnerabilities.
- Monitor the use of NRC Mobile Desktops from international locations and stop/report such remote access to NRC systems.
- Detect unauthorized use of access privileges from an endpoint engaged in accessing NRC systems remotely.
- Monitor for suspicious activity, which may indicate a malware-infected endpoint, and deny remote access to NRC systems.
- Monitor for any unauthorized application installation on NRC issued endpoints.
- Enforce authentication of endpoints for VPN connectivity.
- Limit the use of applications that are not required.

3 SPECIFIC GUIDANCE

This section provides specific guidance related to the secure configuration and use of remote access methods.

3.1 Use of Remote Access Methods for Endpoints and Originating Network Types

This section provides information for the use of remote access methods for NRC Mobile Desktops, non-NRC computers and NRC Loaner Mobile Desktops (domestic and international), depending upon where remote access originates (e.g., home network, travel network), which is also referred to as the originating network type.

System administrators and ISSOs should use the guidance in this section in tandem with Section 3.2, Remote Access Recommendations by Originating and Destination Endpoints or Services, to determine whether remote access is allowed for each endpoint type.

The subsequent sections provide explanatory information for why the remote access method is allowed, not allowed, or not applicable, based on the network type the connection is originating from and the specific endpoint type initiating the remote access request, which is referred to as the originating endpoint type.

For example:

NRC Mobile Desktops connecting from home networks to access resources on the NRC enterprise network can connect remotely using any of the allowed remote access methods (e.g., VPN, Citrix BRD, DA). In some cases, all three remote access methods are allowed and in others, only one or two remote access methods are allowed.

The following defines the information contained within each table presented in the subsequent sections:

Originating Endpoint Type: The specific endpoint initiating the remote access request (e.g., NRC Mobile Desktop).

Network Type (Remote Access Originating From): The network type where the remote access originates. In other words, this is the network where the endpoint is locally connected (e.g., a local connection to a home network).

Remote Access Method: The specific remote access method (e.g., VPN, Citrix BRD, DA) that can be used when the remote access originates from the network type.

- Allowed: The endpoint can use the remote access method (e.g., VPN, Citrix BRD, DA) when connecting from the network type.

- Not Allowed: The endpoint is not allowed to use the remote access method (e.g., VPN, Citrix BRD, DA) when connecting from the specific network type.

- Not Applicable: A determination of allowed or not allowed does not apply. The endpoint is not allowed to locally connect to the network type.

3.1.1 NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic

NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic can directly connect to different network types; however, this does not always allow the use of all three remote access methods.

When NRC Mobile Desktops or NRC Loaner Mobile Desktops - Domestic are locally connected to the NRC enterprise network or Resident Inspector Site Expansion (RISE) networks, VPN or Citrix BRD remote access methods are not applicable. For remote access originating from the NRC enterprise network or RISE networks, the DA method is allowed. Hence, NRC users may connect from the NRC enterprise network to NRC systems hosted outside of the NRC WAN by using a DA method.

For example:

An NRC user could use the DA method to connect to iLearn when using an NRC Mobile Desktop while connected to the NRC enterprise network (e.g., while at an NRC facility).

When the remote access originates from any of the networks listed below, VPN is the only allowed remote access method. These networks are either unsecure or NRC cannot validate the enforcement of security controls. VPN provides a higher level of security by routing the user's network traffic through the NRC enterprise network.

- Travel Networks
- Business Guest Networks
- Other Publicly Accessible Wireless Networks

When the connection originates from any of the networks listed below, all three remote access methods are allowed. NRC has limited oversight or assurance for these networks through mutual understanding that home networks are secured in accordance with industry best practices, agreements between the NRC and internet service providers, or interconnection security agreements (ISAs) between the NRC and other government agencies.

- Home Networks
- Cellular Networks - using GFE Hotspots
- Licensee Guest Wireless Network

Table 3.1-1 summarizes the remote access methods that can be used by NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic.

Table 3.1-1: Remote Access Methods for NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic

NRC MOBILE DESKTOPS and NRC LOANER MOBILE DESKTOP - DOMESTIC

Network Type (Remote Access Originating From) | VPN | Citrix BRD | DA
NRC WAN: Enterprise Network | Not Applicable | Not Applicable | Allowed
RISE Networks | Not Applicable | Not Applicable | Allowed
Home Networks: Wireless or Wired Networks | Allowed | Allowed | Allowed
Cellular Networks: GFE Cellular Hotspot, PCIe Cellular Modem | Allowed | Allowed | Allowed
Cellular Networks: Non-GFE Cellular Hotspot (through Wi-Fi) | Allowed | Not Allowed | Not Allowed
Travel Networks: Hotel/Lodging Networks (Wired or Wireless) | Allowed | Not Allowed | Not Allowed
Travel Networks: Transit (e.g., Airport, Airplane, Rail, Bus) Networks | Allowed | Not Allowed | Not Allowed
Business Guest Networks: NRC Guest Wireless Networks | Allowed | Not Allowed | Not Allowed
Business Guest Networks: Other Business Guest Wireless Networks | Allowed | Not Allowed | Not Allowed
Licensee Networks: Licensee Wireless Networks | Allowed | Allowed | Allowed
Other, Non-NRC Business Networks (excludes Guest Networks) | Not Allowed | Not Allowed | Not Allowed
Other Publicly Accessible Wireless Networks (wireless networks that are specifically made available for use by an organization's or business's customers or visitors, e.g., libraries, telework centers) | Allowed | Not Allowed | Not Allowed

3.1.2 Non-NRC Computers

Non-NRC computers can directly connect to different network types; however, not all three remote access methods are allowed.

Non-NRC computers are not allowed to directly connect to the NRC enterprise network or RISE networks; therefore, use of remote access methods from the NRC enterprise network or RISE networks is not applicable.

When the remote access originates from any of the networks listed below, VPN is not allowed. However, Citrix BRD and DA methods can be used.

- Home Networks
- Cellular Networks
- Travel Networks
- Business Guest Wireless Networks
- Other Publicly Accessible Wireless Networks

Table 3.1-2 summarizes the use of remote access methods for non-NRC computers.

Table 3.1-2: Remote Access Methods for Non-NRC Computers

| Network Type (Remote Access Originating From) | Network | VPN | Citrix BRD | DA |
|---|---|---|---|---|
| Home Networks | Wireless or Wired Networks | Not Allowed | Allowed | Allowed |
| Cellular Networks | GFE Cellular Hotspot, PCIe Cellular Modem | Not Allowed | Allowed | Allowed |
| Cellular Networks | Non-GFE Cellular Hotspot (through Wi-Fi) | Not Allowed | Allowed | Allowed |
| Travel Networks | Hotel/Lodging Networks (Wired or Wireless) | Not Allowed | Allowed | Allowed |
| Travel Networks | Transit (e.g., Airport, Airplane, Rail, Bus) Networks | Not Allowed | Allowed | Allowed |
| Business Guest Networks | NRC Guest Wireless Networks | Not Allowed | Allowed | Allowed |
| Business Guest Networks | Other Business Guest Wireless Networks | Not Allowed | Allowed | Allowed |
| Licensee Networks | Licensee Wireless Networks | Allowed | Allowed | Allowed |
| Other, Non-NRC Business Networks | Excludes Guest Networks | Not Allowed | Not Allowed | Not Allowed |
| Other Publicly Accessible Wireless Networks | Wireless networks that are specifically available for use by an organization's or business's customers or visitors (e.g., libraries, telework centers) | Not Allowed | Allowed | Allowed |

3.1.3 NRC Loaner Mobile Desktop - International

NRC Loaner Mobile Desktops - International are used by NRC users travelling outside of the United States on official business. In comparison to NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic, more stringent requirements apply due to the greater potential threats associated with international travel. This is in accordance with OEDO-18-00191, Evaluation of NRC Policies and Guidance for Use of Electronic Media during International Travel [4]. Table 3.1-3 summarizes the permissible remote access methods (based upon the network types used for the local network connectivity) that can be used by NRC Loaner Mobile Desktops - International.

Table 3.1-3: Remote Access Methods for NRC Loaner Mobile Desktop - International

| Network Type (Remote Access Connectivity Originating From) | VPN | Citrix BRD | DA |
|---|---|---|---|
| Wireless Networks (Wi-Fi) | Not Allowed | Allowed | Allowed |
| Cellular Networks (Carrier) | Not Allowed | Allowed | Allowed |
| International Carrier Service | Not Allowed | Not Allowed | Not Allowed |

[4] OEDO-18-00191 (Agencywide Documents Access and Management System [ADAMS] Accession # - ML18109A097): Provides recommendations to ensure that the devices, and the information on them, are adequately protected while in use during international travel.

Additionally, NRC users travelling outside of the United States on official business can use the following devices, where a connection originates from any of the three network types listed in Table 3.1-3:

- International Loaner Smartphone
- International Loaner Tablet
- NRC-assigned GFE Smartphone
- NRC-assigned GFE Tablet
- Personal BYOD Mobile Device

However, sensitive NRC information is not to be placed on any of these devices while taken on international travel.

3.2 Remote Access Recommendations by Originating and Destination Endpoints or Services

This section provides information related to remote access recommendations between originating and destination endpoints or services. These endpoints or services can be physical or virtual, depending on their use in either on-premises or cloud environments. Further information on remote access endpoints or services is provided in Section 2.2, Remote Access Endpoints, Network Types, and Services.

The originating endpoint, such as an NRC Mobile Desktop, makes the request to initiate a remote access connection to the destination endpoint, such as a network gateway or a server.

For example:

An NRC Mobile Desktop being used to remotely access an NRC internal network requires a VPN connection through the VPN gateway. The NRC Mobile Desktop would be considered the originating endpoint and the VPN gateway would be considered the destination endpoint.

The following subsections provide recommendations for endpoints, considering each endpoint can be an originating or a destination type. For each unique combination of originating and destination endpoints, all remote access methods, some remote access methods, or no remote access methods may be allowed.

These recommendations should be used in combination with recommendations in Section 3.1, Use of Remote Access Methods for Endpoints and Originating Network Types, to determine whether remote access is allowed based on both the originating network type and destination endpoint.

3.2.1 NRC Mobile Desktop / NRC Loaner Mobile Desktops

NRC Mobile Desktops or NRC Loaner Mobile Desktops should not provide remote access to any other NRC Mobile Desktop, NRC Loaner Mobile Desktop, or other endpoint type.

For example:

An NRC server cannot, as an originating endpoint type, initiate a remote access connection to an NRC Mobile Desktop or NRC Loaner Mobile Desktop. However, an exception is made for an NRC Mobile Desktop or NRC Loaner Mobile Desktop to allow remote access to helpdesk support personnel, using NRC approved helpdesk support software (e.g., Beyond Trust Bomgar).

3.2.2 NRC Network Devices

NRC network devices should only provide remote access using VPN to NRC servers and other network devices located in a Demilitarized Zone (DMZ) network. The following recommendations apply:

NRC network devices located in DMZs can provide remote access.

For example:

An NRC user with an NRC Mobile Desktop is to establish a remote access connection using a VPN tunnel, which is provided by an NRC network device (e.g., VPN gateway inside the DMZ).

NRC network devices, such as VPN gateways, can provide remote access using the VPN method to all originating endpoint types except NRC desktops. NRC desktops are directly connected to the NRC enterprise network or RISE networks, and a tunnel established from an internal NRC network carries data that is not inspected; that risk is why VPN is excluded for them.

NRC network devices, such as Citrix NetScaler Gateways, can provide remote access using the Citrix BRD method. NRC network devices can provide remote access using the Citrix BRD method to NRC Mobile Desktops, NRC Loaner Mobile Desktops, non-NRC computers, GFE, and BYODs (including smartphones and tablets).

NRC network devices, such as locked down network appliances working as hardened web servers, can provide remote access using the DA method. NRC network devices can provide remote access using the DA method to NRC desktops, NRC Mobile Desktops, NRC Loaner Mobile Desktops, non-NRC computers, GFE, and BYODs (including smartphones and tablets).

3.2.3 Remote Access Recommendations for Endpoints and Network Devices

This section summarizes remote access recommendations for endpoints and NRC network devices. The following defines the information contained within Table 3.2-1, Remote Access Recommendations for Endpoints and NRC Network Devices, which is organized by originating endpoint type:

Endpoint Type: The specific name of the originating endpoint type.

Remote Access Method: Identifies the remote access method (e.g., VPN, Citrix BRD, DA) that can be used to provide remote access to the originating endpoint type.

- Allowed: The destination endpoint can use the remote access method (e.g., VPN, Citrix BRD, DA) to provide remote access to the originating endpoint type.

- Not Allowed: The destination endpoint is not allowed to use the remote access method (e.g., VPN, Citrix BRD, DA) to provide remote access to the originating endpoint type.

Conditions: Identifies any conditions that apply to the destination endpoint when using a remote access method to provide remote access to the specified originating endpoint type.

Table 3.2-1 summarizes the remote access recommendations for endpoints and NRC network devices.

Table 3.2-1: Remote Access Recommendations for Endpoints and NRC Network Devices

| Originating Endpoint Type | VPN | Citrix BRD | DA | Conditions |
|---|---|---|---|---|
| NRC Desktops | Not Allowed | Not Allowed | Allowed | |
| NRC Mobile Desktops | Allowed* | Allowed | Allowed | VPN: Allowed except when connected to NRC enterprise or RISE networks. |
| GFE/BYOD Devices, Non-NRC Computers | Not Allowed | Allowed | Allowed | |
| NRC Servers | Allowed* | Not Allowed | Not Allowed | VPN: Allowed only when connected to DMZ networks. |
| NRC Network Devices | Allowed* | Not Allowed | Not Allowed | VPN: Allowed only when connected to DMZ networks. |

* The remote access method is only allowed based upon the requirements specified in the Conditions column.
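As an added illustration (not NRC tooling), the following Python encodes Tables 3.1-1, 3.1-2 and 3.2-1 as allow-lists and applies the Section 3.2 rule that the originating network type and the endpoint row must both permit a method before remote access is allowed; the network and endpoint labels are names assumed for this example.

```python
"""Policy-as-code sketch of the Section 3 decision logic in CSO-GUID-2111.

Added illustration, not NRC tooling. Tables 3.1-1 and 3.1-2 become allow-lists
keyed by originating network type, Table 3.2-1 rows become allow-lists keyed by
originating endpoint type with their VPN conditions coded in decide(), which
applies the Section 3.2 rule: a method is permitted only when both tables
permit it. Network and endpoint labels are names chosen for this example.
"""
VPN, BRD, DA = "VPN", "Citrix BRD", "DA"
ALL = frozenset({VPN, BRD, DA})

# Table 3.1-1: NRC Mobile Desktops and NRC Loaner Mobile Desktops - Domestic.
MOBILE_DESKTOP_BY_NETWORK = {
    "nrc_enterprise": {DA}, "rise": {DA},       # VPN and Citrix BRD not applicable
    "home": ALL, "gfe_cellular": ALL, "licensee_wireless": ALL,
    "non_gfe_hotspot": {VPN}, "travel": {VPN},  # hotel/lodging and transit
    "business_guest": {VPN}, "public_wireless": {VPN},
    "other_business": frozenset(),              # non-guest business networks
}

# Table 3.1-2: non-NRC computers (no enterprise/RISE row: they may not connect there).
NON_NRC_BY_NETWORK = {
    "home": {BRD, DA}, "gfe_cellular": {BRD, DA}, "non_gfe_hotspot": {BRD, DA},
    "travel": {BRD, DA}, "business_guest": {BRD, DA}, "public_wireless": {BRD, DA},
    "licensee_wireless": ALL, "other_business": frozenset(),
}

# Table 3.2-1, keyed by originating endpoint type. The asterisked VPN
# conditions are enforced in decide() rather than folded into the sets.
BY_ENDPOINT = {
    "nrc_desktop": {DA},
    "nrc_mobile_desktop": ALL,       # VPN*: not from enterprise/RISE networks
    "non_nrc_computer": {BRD, DA},   # same row as GFE/BYOD devices
    "nrc_server": {VPN},             # VPN*: only from DMZ networks
    "nrc_network_device": {VPN},
}

def decide(endpoint, network, method):
    """Return (allowed, reason) for one remote access request."""
    if method not in BY_ENDPOINT.get(endpoint, ()):
        return False, f"Table 3.2-1: {method} not allowed for {endpoint}"
    if endpoint in ("nrc_server", "nrc_network_device"):
        if network != "dmz":
            return False, "Table 3.2-1 condition: VPN only from DMZ networks"
        return True, "Table 3.2-1: VPN from a DMZ network"
    if endpoint == "nrc_desktop":
        if network not in ("nrc_enterprise", "rise"):
            return False, "NRC desktops connect only to enterprise or RISE networks"
        return True, "Table 3.2-1: DA from an internal network"
    table = (MOBILE_DESKTOP_BY_NETWORK if endpoint == "nrc_mobile_desktop"
             else NON_NRC_BY_NETWORK)
    if network not in table:
        return False, f"{endpoint} may not originate remote access from {network}"
    if method == VPN and network in ("nrc_enterprise", "rise"):
        return False, "Table 3.2-1 condition: VPN not from enterprise/RISE networks"
    if method not in table[network]:
        return False, f"Section 3.1: {method} not allowed from {network}"
    return True, f"allowed by Table 3.2-1 and the Section 3.1 row for {network}"
```

Note that a non-NRC computer on a licensee wireless network is denied VPN even though Table 3.1-2 alone would allow it, because Table 3.2-1 does not and the combination rule requires both.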

APPENDIX A. ACRONYMS

AAL: Authenticator Assurance Level
ADAMS: Agencywide Documents Access and Management System
API: Application Program Interface
BRD: Broadband Remote Desktop
BYOD: Bring Your Own Device
CSO: Computer Security Organization
CUI: Controlled Unclassified Information
DA: Direct Access
DMZ: Demilitarized Zone
ESA: Enterprise Security Architecture
FAL: Federation Assurance Level
GFE: Government Furnished Equipment
HSPD-12: Homeland Security Presidential Directive 12
IaaS: Infrastructure as a Service
IAL: Identity Assurance Level
ICAM: Identity, Credential, and Access Management
ISA: Interconnection Security Agreement
ISSO: Information System Security Officer
IT: Information Technology
JIT: Just-in-Time
M365: Microsoft 365
NIST: National Institute of Standards and Technology
NRC: Nuclear Regulatory Commission
OCIO: Office of the Chief Information Officer
OEDO: Office of the Executive Director for Operations
OMB: Office of Management and Budget
PaaS: Platform as a Service
PCIe: Peripheral Component Interconnect Express
PIV: Personal Identity Verification
PKI: Public Key Infrastructure
RISE: Resident Inspector Site Expansion
SaaS: System as a Service
SAML: Security Assertion Markup Language
SGI: Safeguards Information
SP: Special Publication
STD: Standard
SUNSI: Sensitive Unclassified Nonsafeguards Information
USB: Universal Serial Bus
VDI: Virtual Desktop Infrastructure
VPN: Virtual Private Network
WAN: Wide Area Network
XML: Extensible Markup Language

APPENDIX B. GLOSSARY

Assertion: A statement from a verifier to a Relying Party that contains identity information about a subscriber.

Classified Information: Restricted Data and National Security Information that is processed or produced by a system that requires protection against unauthorized disclosure in the interest of national security.

Controlled Unclassified Information: Information that requires safeguarding or dissemination controls in accordance with applicable law, regulations, and government-wide policies but is not classified.

Direct Access: Access to applications that require users to identify and authenticate to NRC systems and resources from external networks such as the internet for accessing information up to, and including, the SUNSI or CUI (excluding SGI) level while encrypting data in transit.

Digital Authentication: The process of establishing confidence in user identities electronically presented to a system.

Endpoint: A physical or logical entity that is placed at the originating or terminating end of a communication channel.

External Network: Networks that interconnect with the NRC network or are used by individuals to connect to NRC networks, systems, and applications.

Federation: A process that allows the conveyance of identity and authentication information across a set of networked systems.

Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.

Identifier: Unique data used to represent a person's identity and associated attributes.

Identity Proofing: The process by which the credential issuer (e.g., system owner, ISSO) validates sufficient information that uniquely identifies a person applying for the credential (e.g., the identifier). The credential issuer provides the applicant with an identifier after validating the identification credentials to ensure that the individual is the person for whom access is authorized.

Network Access Controls: A feature provided by hardware, software, and rule sets that allows access based on a user's credentials and the results of health checks performed on the client endpoint.

Networks Managed on Behalf of NRC: Networks and systems operated by other parties (e.g., contractors) on behalf of NRC that connect to NRC managed networks for the purpose of supporting core mission operations and other internal business or enterprise services.

NRC Extended Networks: NRC network that is specifically stretched to accommodate a specific remote facility, where NRC controls both endpoints.

NRC Loaner Mobile Desktops: Laptops provided by OCIO to users for presentations, travel on agency business, or for other work-related uses. The two types of NRC Loaner Mobile Desktops are:

a. NRC Loaner Mobile Desktop - Domestic: Permitted for use within the NRC and while on domestic (United States) travel.
b. NRC Loaner Mobile Desktop - International: Permitted for travel outside of the United States.

NRC Managed Networks: Networks that are managed or operated by NRC personnel at NRC facilities and include infrastructure support and business/application networks, and NRC extended networks.

NRC Mobile Desktop: Laptops provided to users by the OCIO, allowing users to remotely connect to the NRC enterprise to access NRC resources and process information up to, and including, the SUNSI or CUI (excluding SGI) level.

Portal: Secure entry from an external network, such as the internet, into NRC managed networks. Portals are typically web-based and enable authorized NRC users to connect to NRC resources. Portals include use of Citrix BRD technologies.

Publicly Accessible Wireless Networks - Protected: A wireless network that is set up for the use of visitors, guests, or patrons (e.g., at a library or a business center) with a known level of security implementation to protect the network.

Publicly Accessible Wireless Networks - Unprotected: A wireless network that is open to the public (e.g., at an apartment/condominium complex) without a known level of security implementation to protect the network.

Remote Access: Authenticated access to a system by an authorized user or an authorized endpoint communicating through the internet.

Remote Access Information Sensitivity: The highest information sensitivity of all the information types that a user can access through a remote access method used in a system.

Remote Access Method: The vendor and product agnostic means of providing remote access to an NRC system.

Safeguards Information: A special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act to be protected. This sensitive unclassified information specifically identifies the detailed security measures of a licensee or an applicant to protect special nuclear material or to protect the physical location of certain plant equipment.

Sensitive Unclassified Non-Safeguards Information: Information that is generally not publicly available and encompasses a wide variety of categories (e.g., personnel privacy, attorney-client privilege, confidential source, etc.).

Terminal Server: A server that provides users with access to an NRC desktop environment with a common connection point to NRC managed networks.

Tunneling: A method to send data that is encapsulated and transmitted over the network using Point-to-Point Tunneling Protocol.

Unprotected Wireless Network: An unsecure wireless connection that is accessed without a password or authentication. For example, public wireless networks offered in places like cafes are often open and unprotected.

User Home Networks: Home networks used by NRC authorized users to remotely connect to the NRC enterprise network.

Virtual Private Network: Protected system link utilizing tunneling and security controls.

CSO-GUID-2111 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 17-Aug-21 | 1.0 | Initial release | Post to OCIO/CSO Standards SharePoint site | As needed |
| 3-Feb-22 | 1.0 | Errata issuance to correct PDF conversion issue for posting. | Post to OCIO/CSO Standards SharePoint site | Upon request |