Network access control supports the missions of federal agencies, both by preventing the loss of intellectual property through insider threat and by avoiding infections that could threaten government continuity. For these reasons, network access control is mandated by Homeland Security Presidential Directive 12 (HSPD-12), in the Federal Information Processing Standards (FIPS) 201 guidelines, and in Department of Defense (DoD) regulations such as DoD 8500.2 and JTF-GNO CTO 06-02. Every network access control solution must identify and authenticate users and enforce that the device security posture complies with agency policy. Ideally, to maximize agency productivity, the solution should automatically remediate noncompliant devices without requiring action from either the user or the IT group.

Federal agencies have made progress in network access control by implementing solutions for identification verification, endpoint security, and network foundation security. Notably, agencies are in the process of implementing Personal Identification Verification (PIV) cards that comply with FIPS 201, and nearly all PCs and laptops have antivirus software installed.

Despite this progress, today's approaches to network access control leave agency networks vulnerable to infection and insider threat. For example, PIV cards authorize users, but not their devices. Therefore, authorized employees can access the network even if they are using a laptop that is infected, lacks required software or patches, or otherwise does not comply with the agency security policy. Similarly, antivirus software mitigates the threat of viruses, spyware, and other malicious software, but it does not check a device for compliance with the security policies intended to protect the device and the agency network from future infection and attack.
Agency security policies can address the presence of required software, the absence of unauthorized software, misconfigurations, software defects, and user account issues such as null passwords.

Cisco Network Access Guardian, which includes McAfee Hercules Remediation Manager, is an all-in-one solution for HSPD-12 compliance and network access control in federal government agencies. It ensures that a user's identity is authenticated and that the device complies with security policies before the device is granted access to the network. When a user attempts to access the network using a PIV card, Cisco Network Access Guardian authenticates the user's identity, scans the device to determine whether it complies with the agency's security policy, and then automatically quarantines and remediates the device if required. With Cisco Network Access Guardian, agencies can choose from a rich set of compliance checks and more than 25,000 tested remedies to quickly create comprehensive, granular security policies.

This white paper, intended for federal agency business managers, describes the all-in-one solution for network access control for federal government employees and contractors. The first section explains the challenges of access control. The next section explains the solution requirements to meet agency business needs and comply with HSPD-12. The white paper concludes with a scenario using Cisco Network Access Guardian and a description of how federal agencies can benefit from this solution.
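The decision flow described above (authenticate the user, check the device's posture against the agency policy, then grant access or quarantine with remediation steps) can be modelled as a small policy engine. The following is an added illustration written for this page; it is not code from Cisco Network Access Guardian or McAfee Hercules, and the policy categories, software names, patch identifier and device inventories are constructed placeholders. It keeps the identity result and the posture result as separate inputs, which is the point the paper makes about PIV-only deployments: a valid card vouches for the user, not the device.

```python
"""Toy network-access posture decision (added example, not Cisco or McAfee code).

The identity step answers "who is this user?" and the posture step answers
"does this device comply with agency policy?". Access is granted only when both
succeed; a noncompliant device is quarantined with a list of remediation actions.
Every policy value and device inventory below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policy:
    required_software: Dict[str, Tuple[int, ...]]   # name -> minimum version
    prohibited_software: List[str]                  # must not be present
    required_patches: List[str]                     # constructed placeholder ids
    required_config: Dict[str, object]              # key -> value it must hold


@dataclass
class Device:
    installed_software: Dict[str, Tuple[int, ...]]  # name -> installed version
    installed_patches: List[str]
    config: Dict[str, object]
    accounts: Dict[str, bool] = field(default_factory=dict)  # name -> has null password


@dataclass
class Decision:
    action: str                 # "grant", "quarantine", or "deny"
    violations: List[str]
    remediations: List[str]


def check_posture(device: Device, policy: Policy) -> Tuple[List[str], List[str]]:
    """Return (violations, remediation actions) for a device against a policy."""
    violations: List[str] = []
    remediations: List[str] = []

    # Required software: present and at or above the minimum version.
    for name, min_version in policy.required_software.items():
        have = device.installed_software.get(name)
        if have is None:
            violations.append(f"required software missing: {name}")
            remediations.append(f"install {name}")
        elif have < min_version:
            violations.append(f"{name} below minimum version")
            remediations.append(f"upgrade {name}")

    # Unauthorized software: must be absent.
    for name in policy.prohibited_software:
        if name in device.installed_software:
            violations.append(f"unauthorized software present: {name}")
            remediations.append(f"remove {name}")

    # Patches: each required identifier must be installed.
    for patch in policy.required_patches:
        if patch not in device.installed_patches:
            violations.append(f"missing patch: {patch}")
            remediations.append(f"apply patch {patch}")

    # Configuration: each key must hold the mandated value.
    for key, wanted in policy.required_config.items():
        if device.config.get(key) != wanted:
            violations.append(f"misconfiguration: {key}")
            remediations.append(f"set {key}={wanted!r}")

    # Account hygiene: no local account may have a null password.
    for account, null_password in device.accounts.items():
        if null_password:
            violations.append(f"null password on account: {account}")
            remediations.append(f"force password change for {account}")

    return violations, remediations


def access_decision(user_authenticated: bool, device: Device, policy: Policy) -> Decision:
    """Combine the identity result with the posture result.

    An unauthenticated user is denied outright. An authenticated user on a
    noncompliant device is quarantined, not granted, until the remediations
    are applied.
    """
    if not user_authenticated:
        return Decision("deny", ["user identity not authenticated"], [])
    violations, remediations = check_posture(device, policy)
    if violations:
        return Decision("quarantine", violations, remediations)
    return Decision("grant", [], [])


# Constructed sample policy and devices.
AGENCY_POLICY = Policy(
    required_software={"antivirus": (8, 5), "disk-encryption": (2, 0)},
    prohibited_software=["p2p-client"],
    required_patches=["PATCH-2024-001"],
    required_config={"host_firewall": "enabled", "auto_update": True},
)
COMPLIANT_LAPTOP = Device(
    installed_software={"antivirus": (8, 7), "disk-encryption": (2, 1)},
    installed_patches=["PATCH-2024-001"],
    config={"host_firewall": "enabled", "auto_update": True},
    accounts={"jdoe": False},
)
INFECTED_LAPTOP = Device(
    installed_software={"antivirus": (8, 1), "p2p-client": (1, 0)},
    installed_patches=[],
    config={"host_firewall": "disabled", "auto_update": True},
    accounts={"jdoe": False, "guest": True},
)

if __name__ == "__main__":
    for label, dev in [("compliant", COMPLIANT_LAPTOP), ("infected", INFECTED_LAPTOP)]:
        result = access_decision(True, dev, AGENCY_POLICY)
        print(label, result.action, result.remediations)
```

Running the script shows the compliant laptop granted and the infected laptop quarantined with six remediation actions (upgrade antivirus, install disk encryption, remove the unauthorized client, apply the missing patch, enable the host firewall, and reset the null-password account). The remediation list is what an automated remediation component would act on so that neither the user nor the IT group has to intervene, which is the productivity goal the paper sets out.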