NSF had secure telework down to a science years ago

One Friday in March, the 1,600 employees of the National Science Foundation (NSF) left the office, and on the following Monday they were all working from home. It’s a familiar story to so many across the country, but the NSF might have been a little more prepared to make the switch.

The NSF accepts electronic proposals from around the world and determines which ones merit funding. Over the years, panels of reviewers, from all over the U.S., have met to size up the researchers’ proposals.

“Some of that was done electronically, before COVID,” NSF Chief Information Officer Dorothy Aronson said on Federal Monthly Insights – Secure Remote Workforce.

Since that fateful day in March, all of the work done by those panels has been done entirely electronically.

“We were in the middle of testing out Zoom as our virtual interaction tool,” Aronson said on Federal Drive with Tom Temin. “We had been using a combination of Webex and BlueJeans before that. People were finding Zoom very easy to use, so we transitioned everyone away from Webex and BlueJeans more or less overnight. That was a fabulous benefit for the agency. Because before people had to understand how to use a variety of tools to interact and people were not all interacting in the same way, and getting everyone into a homogeneous methodology really worked well.”

Early into the office-to-home transition, there were concerns across the country about the security surrounding Zoom and other online chat services. The NSF avoided those concerns.

“We have been using a secure implementation of Zoom from the beginning. We had been working in the government cloud, we had been requiring passwords on meetings,” Aronson said. “So when the press started talking about the lack of security in Zoom, the Zoom they were talking about was not actually the configuration that we were using. So we just pressed forward and did not experience Zoom bombing, or the other problems that we had heard about.”

Aronson said the transition from one online chat tool to another did not pose a problem because NSF had trained users on safety.

“Human behavior is very important. So the way we implemented Webex and BlueJeans before and the way we trained our customers to use those tools was an important factor in keeping things secure. We did not experience any more risk in using the Zoom product than we had with the others,” Aronson said.

In 2017, NSF moved its Northern Virginia offices from Arlington to Alexandria. That move put them into an even more secure position than they could have imagined, as the pandemic hit in 2020 and telework became the new normal.

“At that time (three years ago), as a precaution, in order to ensure that work would not be impacted negatively or there wouldn’t be an outage for customers as they moved, we migrated to a laptop with a docking station and monitor when you were on site and the laptop was configured in such a way that it was secure, so when you were away from the office, you could take it home with you and securely access the NSF internal network through a virtual private network,” Aronson said.

So three years later, after the office relocation, NSF avoided the pandemic problems that so many workplaces encountered.

“When we went to working 100% from home, there wasn’t a learning curve for most staff who were used to teleworking part time or even those who had been working in the office, but maybe periodically just took their computer home for the weekend, which is kind of the way I did things. So we all were familiar with that setup,” Aronson said.

Aronson said they feel secure because they use “well-tested and well-understood” two-factor authentication.

“We really are not experiencing additional security risks as a result of our distributed workforce. We do send out more training materials to people to heighten awareness about phishing campaigns that might be floating around, but we have not really experienced tremendous impact security-wise.”