When “Security People” say GRC does not equal security, it’s worth considering whether there is resistance to documenting practices and procedures, and what we are actually doing to develop our security posture. GRC is a floor, not a ceiling; I reckon every control should be supported by a risk assessment.


  • Agencies SHOULD

    I am rethinking how I would deal with elements of designs where a security control says agencies should…

    I have been notionally sharing in the “agencies should = do what you want” view, because that seems to be how some folks read the guidance.

    But of course, this is garbage, so today is the day where “agencies should” means “our risk assessment says…”, at least when looking at my projects.

    I’m thinking a few times it will really be “Computer says NO” or “Agencies MUST”.

    Just thinking aloud

    *** Update ***

    To drive some context

    “[–,IC-P,r] non-agency owned devices
    6.8.9. Agencies should not allow devices not directly owned and controlled by the agency to be used with their systems.”

    Generally speaking, there are many people who see the use of home computers for remote access as the only real method of large-scale remote access, allowing for remote workforce in times of emergency or pandemic (Highlights for a 2020 readership). I would be concerned that this would quickly lead to “Bring your own computer” policies becoming more of a norm.

    I would need serious convincing that BYO Computer is sensible but remote access on the other hand I can see being a necessity in the short term.

    So, what would a risk assessment look like?