Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To establish the policy for safeguarding District information and systems for all employees, contractors, and other users while on travel outside of the continental United States, Alaska, and Hawaii.
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and to any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
This policy establishes procedures for safeguarding District information and systems when used on personal and/or business travel.
4.1. Transport of mobile computing devices via Air Travel:
4.1.1. In most cases, employees shall follow the Transportation Security Administration (TSA) recommendation and carry mobile electronic communication equipment (laptops, tablets, phones, and other mobile devices) on to flights instead of placing it inside checked baggage. A laptop, even if it is in a laptop bag, does not count as a flyer's carry-on item.
4.1.2. As of March 2017, the U.S. Department of Homeland Security placed restrictions on US-bound flights originating from specific airports (Queen Alia International Airport (AMM), Cairo International Airport (CAI), Ataturk International Airport (IST), King Abdul-Aziz International Airport (JED), King Khalid International Airport (RUH), Kuwait International Airport (KWI), Mohammed V Airport (CMN), Hamad International Airport (DOH), Dubai International Airport (DXB), and Abu Dhabi International Airport (AUH)). Employees traveling from these locations may not transport devices larger than a mobile phone (e.g., laptops, tablets, e-readers, cameras, portable DVD players, and electronic game units larger than a smartphone) in the plane cabin; such devices must be transported in the cargo hold. Before travel, employees must submit a request to their respective Agency Director. Agency CIOs are responsible for forwarding the request to the OCTO CTO, via the OCTO CISO. Agency CIOs shall implement a process to ensure employee compliance with paragraph 4.4.
4.2. VPN Usage
VPN connections and devices are an extension of the DC Enterprise Network (DCEN) and are subject to the same rules and regulations that apply to DC government-owned equipment.
4.2.1. VPN connections from outside of the continental United States, Alaska, and Hawaii are blocked by policy. Employees who need to establish a VPN connection from outside of the continental United States, Alaska, and Hawaii must submit a request to the City-Wide Information Technology Security (CWITS) VPN Team (vpn.octo.dl@dc.gov) via their Agency Chief Information Officer (CIO).
4.2.2. Requests are limited to the duration of each trip.
4.3. Personal Travel
When traveling on personal leave, traveling with and using government-issued equipment (laptops, tablets, or smartphones) is not recommended. If required, take only the devices needed to maintain communications (e.g., a government phone); this minimizes the opportunity for government-issued equipment and data to be lost or stolen.
4.4. Business Travel
When traveling for business, employees will travel with the government-issued equipment required for the business purpose. All devices must be reviewed for sensitive data (e.g., Personal Identifiable Information (PII) or sensitive government business data), and any such data shall be removed from the device. The following requirements must be met when using government-issued devices while on travel:
4.4.1. Virtual Private Network (VPN): when connecting to the DC Enterprise network, VPN use is required for all devices (i.e., laptop, tablet, smartphone). Workforce members shall use the VPN at all times, even when not accessing the DC Enterprise Network, to reduce the risk of intercepted connections.
4.4.2. Before departure, review the device to ensure removal of Agency or District sensitive data (e.g., Personal Identifiable Information (PII) or sensitive government business data).
4.4.3. Before departure, ensure District Mobile Device Management (MDM) software (e.g., AirWatch) is installed and configured.
4.4.4. Before departure, ensure the device has been encrypted using Full Disk Encryption (FDE) technology.
4.4.5. Before departure, ensure the device has the latest OCTO/Agency management and anti-virus software (e.g., LANDESK, McAfee ePO) and that device updates and anti-virus updates have been applied.
4.4.6. Before departure, employees must ensure their password meets District guidelines for length and security.
4.4.7. While on travel, use only Wi-Fi connections in known safe areas (e.g., hotel, business centers); avoid using Wi-Fi in areas of unknown security.
4.4.8. While on travel, if accessing the DC Enterprise Network, use the DC Enterprise VPN client (e.g., Pulse Secure).
4.4.9. Ensure that the laptop is locked up when not under the employee's direct control (e.g., in a hotel safe).
4.5. Cyber Security and Counter-Intelligence Threats
Cybersecurity and counter-intelligence threats are higher in the following countries, and travel there requires higher-level security precautions: Russia, China (including Hong Kong), North Korea, Iran, Iraq, Afghanistan, and Syria.
4.5.1. Personal travel: when traveling on personal leave, travel with and use of government-issued equipment (laptops, tablets, or smartphones) is not permitted.
4.5.2. Business travel: when traveling for business to the aforementioned countries, District-issued equipment (laptop, tablet, or phone) may not be taken or utilized without Agency Director and OCTO CTO approval. Agency CIOs shall be responsible for forwarding the request to the OCTO CTO, via the OCTO CISO, and shall implement a process to ensure employee compliance with the requirements outlined in Sections 4.5.3 - 4.5.7. Historic reports indicate that users should not expect devices outside of their direct control to be secure, even when stored in hotel safes.
4.5.3. Employees will utilize a temporary device (laptop, tablet, or phone; available through OCTOhelps or Agency IT staff) with a tightly secured, minimally capable operating system baseline for the duration of their travel. Agency or District privacy or sensitive information will not be installed on this device. Upon return, this device will be returned to OCTO or Agency IT staff to be securely erased and reimaged.
4.5.4. Before travel, employees shall ensure their password has been changed to meet District policy. Upon return from travel, the employee's password shall be changed again. Use of Multi-Factor Authentication (MFA) for personal accounts is advised.
4.5.5. While on travel, connection to the DC Enterprise Network or VPN is specifically disallowed.
4.5.6. Connection to District email clients (via OWA or Office 365) is allowed when using MFA (e.g., a one-time access code sent by text message to a phone).
4.5.7. Connections to other District online resources not hosted within the DC Enterprise Network (e.g., PeopleSoft, PASS, etc.) that do not use MFA are specifically disallowed.
4.6. Loss of Device
Employees who experience a loss of District-issued mobile computing devices (e.g., laptops, tablets, smartphones) or other mobile electronic communication equipment shall immediately report the loss to their Agency CIO and Director. The Agency CIO shall contact the OCTO CISO. The Agency CIO will work with the OCTO CISO and General Counsel to determine whether there was a loss of District sensitive data (e.g., Personal Identifiable Information (PII) or sensitive government business data).
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.