Capacity Enhancement Guide for Federal Agencies: Remote Patch and Vulnerability Management Capacity Enhancement Guide

The purpose of this document is to assist federal agencies with patching roaming devices, i.e., remote devices outside agency campus networks. Traditional vulnerability and patch management solutions require that all roaming devices first establish a trusted connection to—and route all remote traffic back through—agency campus networks. However, when routing traffic through agency campus networks, agencies face challenges related to virtual private network (VPN) bandwidth constraints, which are impacting the timely patching of roaming devices and degrading or interrupting other vital services being accessed from roaming devices. These significant delays in patching leave roaming devices susceptible to common vulnerabilities and threats. Recent increases in teleworking have amplified these issues and made securing roaming devices even more challenging.

In April 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Trusted Internet Connection (TIC) 3.0 Interim Telework Guidance, which provided an alternative solution for remote vulnerability and patch management, allowing agencies to route associated traffic directly to agency-sanctioned cloud service providers (CSPs), thus bypassing limited bandwidth connections back to agency campus networks.

This guide assists federal agencies in leveraging the TIC 3.0 Interim Telework Guidance to improve remote vulnerability management efforts to meet the growing demands on network capacity that may otherwise require an increase in bandwidth for existing internet service provider (ISP) or VPN services.