Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To establish the policy for safeguarding District information technology (IT) and communications ecosystems, data assets, DC Workforce Members, District constituents, and stakeholders. The District is highly dependent on the use of information technology, communications systems, and other cloud-based resources to effectively manage District programs and services. As such, with increasing risks, threats, and vulnerabilities the District must respond with the availability and continued modernization of security policies and technology which provide for information confidentiality, integrity, and availability.
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO.
In addition, this Policy applies to any providers and third-party entities with access to District information, networks, and applications.
DC Agencies must strictly control access to the District's network ("DC networks") and the asset resources that reside on the network by enforcing this Policy. Agencies that are unable to immediately comply with these requirements must submit a plan of action and milestones to OCTO outlining the date of compliance.
4.1. On Network:
4.1.1. Only DC Agency authorized endpoints shall be used to access DC networks.
4.1.2. DC Workforce Members that access DC networks must be granted the most restrictive set of privileges required to perform authorized tasks.
4.1.3. DC Workforce Members that access DC networks must be connected using enterprise active directory credentials.
4.1.4. DC Workforce Members that need to perform IT administrator tasks on DC networks must use a separate privileged account to perform authorized tasks.
4.1.5. DC Agency authorized endpoints must implement an OCTO Operating System image. The following OCTO security and management tools must not be disabled or removed: an endpoint management agent (e.g. ePO, LANDESK, or SCCM), Anti-Virus Software (McAfee), and Full Disk Encryption (for laptops). These requirements are further described in "OCTO Enterprise Endpoint Device Standards." Remote administration by any DC Agency must only be performed using the OCTO-approved tools.
4.1.6. Remote Administrative access to enterprise resources within DC Data Centers must use a privilege access management solution (e.g. Jump Host). Direct administrative access from an endpoint to enterprise resources in DC Data Centers is strictly prohibited.
4.1.7. All non-DC agencies must sign a Memorandum of Understanding (MOU), Interconnection Security Agreement (ISA), and external rules of behavior document to gain access to DC ICT Resources.
4.1.8. All inter-agency network communication must be authorized; DC agencies are prohibited from accessing other DC agency non-public resources without an MOU.
4.2. Off-Network/Virtual Private Network (VPN) Access
For specific VPN guidance, refer to the OCTO Virtual Private Network Policy.
4.2.1. Government endpoints (laptop/desktop):
184.108.40.206. DC Agency-approved endpoints must follow the same requirements for On Network endpoints.
220.127.116.11. DC Agency-approved endpoints must ONLY use an OCTO enterprise VPN.
4.2.2. Government mobile devices (phone, tablets, etc.):
18.104.22.168. DC Agency-approved mobile devices must follow the same requirements for On Network devices.
22.214.171.124. DC Agency approved mobile devices must implement an OCTO-approved Mobile Device Management Solution (MDM).
4.2.3. Non-Government endpoints (e.g. BYOD):
126.96.36.199. Non-government endpoints are prohibited from accessing the DC Intranet (DC network) via wired or wireless connections unless connecting via Virtual Desktop Infrastructure (VDI). Agency help desks are not responsible for providing help desk support for these devices.
188.8.131.52. On-government endpoints must use an enterprise Layer 4 VPN connection to authorized network resources.
4.3. Access Not Conforming to Standards
Access to the network not conforming to the above standards is expressly prohibited.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.