GAO to begin auditing response to expanded telework, continuity of operations

The move to maximum telework across federal agencies hasn’t been a painless one, and Congress wants to know just how it’s going. As part of the Coronavirus Aid, Relief and Economic Security (CARES) Act, it’s called upon the Government Accountability Office to oversee and audit how federal agencies are operating in this new telework environment.

“Part of that will be looking at telework, looking at continuity of operations activities, and then within both those efforts, looking at security,” said Nick Marinos, director of Information Technology and Cybersecurity at the Government Accountability Office, during a May 27 webinar from DefenseOne and Nextgov. “So this is definitely something that will build upon the work that we’ve done more generally looking at how federal agencies are approaching managing their cyber risk and probably taking it up a notch just in light of what we’re experiencing right now.”

Marinos and Armando Quintananieves, director for the Security Operations Division of the Office of the Chief Information Officer at the General Services Administration, offered some tips for federal agencies on how to be proactive in securing their networks with the added wrinkle of a primarily remote workforce.

“The cloud needs to be treated like an extension of your internal network,” Marinos said. “So everything that you post, the security that you provide on your network, you need to also think of the same functionality outside of your network.”


Toward this end, Quintananieves said agencies should always defer to FedRAMP when evaluating cloud-based tools. There’s never one tool that fits every given situation, but every tool employees use needs to be evaluated from a security perspective.

“That’s where FedRAMP comes into play. Every agency can go and utilize the Fedramp.gov website to go to find out which are authorized solutions that have been vetted already and meet government requirements,” Quintananieves said. “GSA recently has communicated with [the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency] and actually came up with some guidelines. If you go to the CISA website, you’ll see a publication that GSA supports, that guideline for videoconference technology and best practices.”

But agencies themselves also need to be clear with their employees about guidance around technological resources. When an agency’s expectations or requirements aren’t clear, that’s when employees start cutting corners. One place where that’s particularly likely to happen is when federal employees want to use their own device.

“In a situation where you’re doing Bring Your Own Device, you always have to make the assumption that those environments are going to contain hostile threats,” Marinos said. “So approach it with an assumption that there is going to be security risk inherent in the remote working that one is going to do, whether it’s on their own devices or on government issued devices as well. So I think starting from there, then an agency really does have to make the trade-off decisions around how they want the individual users and employees to interact with their government resources.”

For example, an agency may not allow employees to connect to the VPN unless they have a government-issued device and complete multi-factor authentication. On the other hand, it may allow employees on other devices to connect to a virtual desktop infrastructure (VDI), which itself requires multi-factor authentication and keeps the data inside the hosted desktop rather than on the endpoint. So there are different routes to internal resources, and agencies need to determine the level of risk they’re comfortable with for each.

It all comes back to effective communication between the employees and the policy-makers. Employees need to understand the guidelines as they’re exploring new ways to accomplish their work. They also need to know who to ask in the event that the guidelines aren’t clear.

“The best resources and the best awareness of what your own individual federal agency is comfortable with when it comes to risk is the agency itself,” Marinos said. “So I would say that if an individual user isn’t quite sure how best to approach telework from the most secure way possible, then they should reach out to their internal security folks to get guidance on that.”