Approved Date – 02/22/2021
Published Date – 02/22/2021
Reviewed Date – 03/13/2023
1. Purpose
To specify the requirements for connecting to the District of Columbia Government (“District”)’s information network from a remote (or offsite) location.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4. Policy
4.1. District Workforce:
4.1.1. Remote access connection to the District’s Network must only be used to perform the District’s business.
4.1.2. Users must protect their VPN login credentials and they MUST not share them.
4.1.3. All users must comply with the District’s Acceptable Use Policy (AUP), and not engage in any inappropriate activity.
4.1.4. All users connected to the District’s network from a remote location must take measures to ensure that the District’s data is protected.
4.1.5. All users must be automatically logged off the VPN after 30 minutes of inactivity. The user must be required to reauthenticate to reconnect to the District’s network.
4.1.6. All users connecting remotely to the DC Government network must not connect using a proxy or an anonymous IP.
4.1.7. All DC Government workforce members that need to access government resources to perform duties while traveling outside the United States must request approval from their agency's Director before their departure. The OCTO CISO and CTO must be notified of such approval.
4.1.8. Users must immediately notify the Security Operations Center (SOC) of any suspicious security event (e.g., suspected phishing attack, malware attack, unusual device behavior, etc.).
SOC can be contacted through the following means:
- Phone at (202) 724-2447
- Email at [email protected]
4.2. Third Parties
4.2.1. Access accounts used by remote vendors must only be enabled during the required period and must be disabled immediately thereafter.
4.2.2. Vendor accounts must be approved by the Agency’s CIO or his/her designee and closely monitored.
4.2.3. Authorized third-party users must be required to authenticate before being allowed to access restricted information.
5. Exemptions
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.