Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Specify the requirements for securely connecting to the District of Columbia Government (“District”) Network through a Virtual Private Network (“VPN”).
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all the District workforce members performing official functions related to the management of the Virtual Private Network tools and processes on behalf of the District government, and/or any District agency/entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to the District information, systems, networks, and applications.
4. Policy
All the District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards.
The District Government's agencies must develop and review or update annually and/or after a change to the policy, a procedure in support of this policy with the following requirements.
4.1. The District network must only be accessed through the District VPN when a device is being used at an offsite location.
4.2. Only authorized devices must be able to connect to the District Network through the VPN.
4.3. Only devices with the most up-to-date anti-virus must be able to connect to the District network through the VPN.
4.4. VPN use must be controlled using multifactor authentication.
4.5. When connected to the District network from an offsite location, all traffic from and to the PC must be routed through the District VPN tunnel.
4.6. Remote access to the District network through the VPN must be logged and monitored to detect suspicious activities.
4.7. VPN sessions must be limited to a maximum of twelve (12) hours of absolute continuous connection time.
4.8. Only approved VPN clients must be used. (Please consult with OCTO to verify the current VPN client in use for the District).
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.