OWA/2-Factor Authentication VPN FAQ. Outlook Web Access (OWA) QUESTIONS



Similar documents
POSTAL REGULATORY COMMISSION

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Two-Factor Authentication User FAQ s

PRIVACY IMPACT ASSESSMENT

Two-Factor Authentication (2FA) Registration Instructions Symantec VIP Access

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation

State of South Carolina Policy Guidance and Training

Status: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS

IMS Health Secure Outlook Web Access Portal. Quick Setup

INFORMATION PROCEDURE

Report of Evaluation OFFICE OF INSPECTOR GENERAL. OIG 2014 Evaluation of the Farm Credit OIG 2014 Administration s. Management Act.

Note: Support: Never use your TruMobi application for personal use.

Understanding the Security & Privacy Rules associated with the HITECH and HIPAA Acts

Rule 4-004G Payment Card Industry (PCI) Remote and Mobile Access Security (proposed)

I. U.S. Government Privacy Laws

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

Justice Management Division

Remote Access Procedure. e-governance

INFORMATION DIRECTIVE GUIDANCE GUIDANCE FOR MANUALLY COMPLETING INFORMATION SECURITY AWARENESS TRAINING

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

Final Audit Report. Report No. 4A-CI-OO

Information Security for Managers

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

Document No.: VCSATSP Restricted Data Access Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Access Policy

STRONGER AUTHENTICATION for CA SiteMinder

Accessing Derbyshire County Council s Outlook Web Access (OWA) Service. Smart Phone App version

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

DHHS Information Technology (IT) Access Control Standard

1.1. Who will have the main responsibility for organizing, storing, and archiving the data? Please provide name(s) and job title(s).

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

ADDING STRONGER AUTHENTICATION for VPN Access Control

PASSWORD MANAGEMENT POLICY OCIO TABLE OF CONTENTS

Kaspersky Lab Mobile Device Management Deployment Guide

UNIFIED COMMUNICATIONS POST-MIGRATION INSTRUCTIONS

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Ensuring the security of your mobile business intelligence

Department of Veterans Affairs VA Handbook Information Security Program

Session #56. Two-Factor Authentication. Steven Burke & James McMahon U.S. Department of Education

Allianz Global Investors Remote Access Guide

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

Remote Access Securing Your Employees Out of the Office

OWA (Outlook Web Access) FAQs

Healthcare Information Security Today

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

United States Department of Agriculture. Office of Inspector General

Office of Inspector General

Why SMS for 2FA? MessageMedia Industry Intelligence

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

User Guide Remote PIV to VDI Using a PIV Card

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

e-governance Password Management Guidelines Draft 0.1

RSA Authentication Manager 7.1 Basic Exercises

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Accessing Derbyshire County Council s Outlook Web Access (OWA) Service. Mobile Phone SMS version

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

DIVISION OF INFORMATION SECURITY (DIS)

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

FedRAMP Package Access Request Form For Review of FedRAMP Security Package

Information Security for Executives

ONE Mail Direct for Mobile Devices

The Convergence of IT Security and Physical Access Control

Step 1. Step 2. Open your browser and go to and you will be presented a logon screen show below.

NotifyMDM Device Application User Guide Installation and Configuration for Windows Mobile 6 Devices

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

OUTLOOK ANYWHERE CONNECTION GUIDE FOR USERS OF OUTLOOK 2010

F5 and Microsoft Exchange Security Solutions

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

INFORMATION TECHNOLOGY POLICY

Information Technology Internal Controls Part 2

Quick Heal Exchange Protection 4.0

Proven. Trusted.

A new Secure Remote Access Platform from Giritech. Page 1

NASA Information Technology Requirement

Configuring an Android device to access Staff Wi-Fi and .

Department of the Interior Privacy Impact Assessment Template

ESET Secure Authentication

REMOTE ACCESS USER GUIDE

2012 FISMA Executive Summary Report

Transcription:

Outlook Web Access (OWA) QUESTIONS Q1. With OWA and ActiveSync going away, how does an employee/contractor access Outlook (email, calendar and contacts)? A1. An employee must use their government/contractor issued equipment to access Outlook (email, calendar, and contacts) beginning July 1, 2015. Q2. Does CMS have a help desk to assist contractors? A2. The CMS IT help desk may be contacted at cms_it_service_desk@cms.hhs.gov or by telephone at: 1-800-562-1963. Q3. How will contractors access Outlook or resource mailboxes? A3. Contractors should work with their Contracting Officer Representative to discuss next steps to use their PIV cards, purchase PIV card readers or RSA tokens to access CMS email. Q4. Will CMS BlackBerry or GOOD users be affected by this change? A4. No, these users will not experience any impacts as a result of these changes. Q5. The directive states that OWA will no longer be allowed. However, If OWA is implemented with Two-factor authentication; will it be allowed for HCQIS? A5. Access to CMS email via OWA will be generally deactivated July 1st. This will be done on a per account basis. Q6. Will Exchange ActiveSync, a protocol that allows mobile devices to synchronize data with Exchange mailboxes, be allowed? A6. ActiveSync will be phased out. Q7. Does this notification today mean that CMS system users will only be able to access those systems with a PIV or RSA token or does it mean that contractors must attest that in instances in which they access the CMS system that they fully comply with the CMS Acceptable Risk Safeguards regarding authentication? A7. The short answer is Yes. The CMS CIO and CISO are seeking confirmation that contractors are using strong authentication or that they shut down access to users that are not protected by twofactor authentication. This applies to contractors that access CMS systems or systems operated on behalf of CMS. Use of PIV, PIV-I, or RSA Tokens are preferred methods, however there are other acceptable technologies. Please contact the CMS CISO mailbox if you have questions about a particular technology. 1

Q8. Is CMS shutting off access to these CMS systems for anyone one without multi-factor authentication? A8. CMS is responsible for ensuring multi-factor authentication is used by contractors. It is a crucial component to an overall strategy of strong security for example, Federal employees use PIV cards and passwords as multifactor authentication to access systems. It is our responsibility to ensure that our systems are maintained, sustained and protected and we take that seriously. Q9. It seems to us the security issue is a CMS issue, not a contractor issue. Why do we have to make the changes to our processes? A9. Contractors act on behalf of CMS based upon the scope of their contract. Each contract contains standard language from CMS that requires compliance with agency security and privacy requirements in order to protect the sensitive information. Component Heads need to work with both federal and contractor staff to achieve the actions in this directive. Q10. Who should I contact with more questions? A10. Any technical questions regarding the impact of these technical direction letters on your contract should be directed to the assigned Contracting Officer Representative (COR). If you believe that the technical guidance is not within the scope of your contract or that there are not sufficient funds available, you should not act upon the direction and should contact your Contracting Officer immediately. 2

Multi-factor Authentication FAQs for CMS Information Systems Q1. Do contractors maintaining CMS systems require multi-factor authentication? A1. Yes. The CIO directive applies to all FISMA systems. Those having an ATO or in the process of obtaining an ATO must incorporate 2FA for all privileged and non-privileged accounts therein. Q2. For systems hosted in external contractor operated facilities with no dependency on the CMS network, is 2FA applicable? A2. Yes. Same as question 1. Q3. I have a waiver, risk acceptance or other relief from using multi-factor authentication for a CMS system, how does this new policy impact my waiver? A3. The CIO directive supersedes any existing waiver, risk acceptance memo or other exception. Appropriate processes will be followed to address these situations. Q4. I am a contractor responsible for maintaining a CMS system residing in an external contractor operated facility and do not have a PIV card or RSA token, how do I continue to support CMS and comply with the CIO directive? A4. The contractor should evaluate all available technical solutions for enabling 2FA for all privileged and non-privileged accounts within the system. The preferred methods are PIV and Hard Token which should be used where available. However, CMS will consider any recommended solution that we feel meets the definition of two factor and integrates with existing technology, policies and standards. We encourage all of our contract partners to develop alternatives that address the resource challenges, time constraints and compliance to policy, such as 508. Some options that have been identified thus far include smart phone apps, phone back, text back, open source and others. Q5. I am a COR with a contractor who has not been PIV enabled or have an RSA token, what do I do? A5. If determined that a PIV is required, the COR should have their contractor complete an HHS- 745 and submit for processing. Contractors should evaluate any available option and recommend an appropriate solution. Refer to question 4. 3

Q6. Would the user be able to access CMS systems with her personal computer if her company purchases a PIV card reader and/or an RSA token? I m presuming the user needs to get one or the other. As long as the computer supports the CMS VPN client needed. A6. The CMS environment also performs compliance checks on all computers to make sure specific security criteria are met prior to allowing access. Either a PIV or RSA token will suffice, but other options may also be available depending on the specific situation. Q7. Will CMS pay contractors for the costs to implement multi-factor authentication (e.g., the cost of getting RSA Tokens for employees)? A7. These costs will be minimal, and CMS considers them to be general costs for doing business with the government. Multi-factor authentication is also part of what every entity should be doing to maintain high levels of security within their own business practices. Therefore, CMS expects these costs to be indirect rather than direct costs to the contract. If a contractor determines that this direction has a direct cost impact on its contract, they should explore alternative and contact their Contracting Officer. Q8. Does each IT contractor need to take some action to shut off access to accounts that are not two factor enabled? A8. In situations where 2FA is not possible and alternative work flows do exist, accounts should be disabled. Q9. Please define Privileged Users: A9. Privileged users: accounts associated with individuals who perform system administrative or other maintenance and development type actions typically not available to a standard user. Server Admins, Workstation admins, network admins, developers are a few examples. Please refer to your system security plan which includes a specific definition of privileged and non-privileged users. (The intent of this working definition is to assist in the initial implementation of the CIO directive. It should not be viewed as a CMS standard as it primarily covers the fundamental or traditional categories of privileged users and is not all inclusive. This definition does not cover system and service accounts, which are the accounts, used for inter-process communications and not intended for user login sessions. Password management and complexity best practice solutions are ideal to protect service/system accounts.) 4

Q10. How do I get VPN Access? A10. Please ask your CAA to add the CTR_VPN Job code to your EUA Profile. Once the job code has been added, you may download and install the VPN software appropriate for your VPN authentication method (PIV or Token) from https://vpnext.cms.hhs.gov/download. Q11. How do I know if I should use PIV or RSA token? A11. Please refer to question 4 above in response to which authentication method to use. Q12. Are there software installation instructions for the VPN software? A12. Instructions, including screen shots, are in the CMS VPN Contractor User Guide. Q13. Is there troubleshooting help for VPN access? A13. Troubleshooting help is in CMS VPN Contractor FAQ. Q14. Is there a web page containing detailed instructions for VPN access? A14. There are two; both require a CMS User ID and password For external access, use https://vpnext.cms.hhs.gov/download. Q15. What is the process for obtaining a VPN job code for a contractor? A15. Job codes that grant VPN access are specific to whether a token or a PIV card is used to gain access. For job code assistance, please contact your COR. Q16. Is PIV installation software different from that used for RSA? A16. Each type has its own set of profiles. The VPN web pages have sections for RSA and for PIV installation types. Q 17. Why is CMS undertaking this effort? 5 A 17. There are several explanations for this action. First, this is not a new requirement, CMS has been working on strengthening authentication controls for many years. Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347 is the law of the land. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. The NIST security controls are developed to meet the objectives of Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular

A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III. In addition, please refer to OMB M-06-16. Second, CMS is seeing an increased effort by malicious actors who are attempting to gain unauthorized access to CMS systems and data by stealing user credentials. Third, the threat against the federal government is significant; cyber-attacks against federal agencies such IRS and OPM simply reveal how devastating a data breach can be. Lastly, the Department of Health and Human Services has requested each Agency/OpDiv CIO to take immediate steps to strengthen the posture of the agency by taking immediate steps to enforce strong authentication. Q18. What are the specifications for the PIV card reader? RSA token? A18. The RSA Tokens are specified in the VPN document. The PIV card reader needs to be a current version from a major manufacturer. Documentation may be obtained at https://vpnext.cms.hhs.gov/download; 6

7 OWA/2-Factor Authentication VPN FAQ

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information