When the pandemic hit, the Government Accountability Office was one of the agencies that was better prepared to move to a maximum telework model. But the shift created new challenges in how best to work with agencies that were less prepared, or had jobs where telework wasn’t an option.
“For sensitive data, we often would rely on certain ways to do file transfer, but we sometimes would still use physical medium that was encrypted, and that was obviously not going to work,” said Vijay D’Souza, director of Information Technology and Cybersecurity at GAO during an Oct. 20 Fedinsider webinar. “So we’ve accelerated the development of a file transfer solution that we’re going to deploy to make it easier for agencies to exchange sensitive data with us.”
That was one of the bigger challenges, but it wasn’t the only one unique to the pandemic, which in some cases is forcing people to think in a different way, or reexamine assumptions about their own environment.
“I think we have to issue some internal guidance to folks since they were all working home so much,” D’Souza said. “Everyone has these smart speakers now sitting in their houses. And somebody raised the question: ‘Hey, if you’re on this phone call, and you’ve got Siri, or Alexa or whoever sitting there next to you, do you need to disable that?’ And we talked it through and I think we reminded people of that but it’s just not something that I think people would always think about.”
The pandemic has also come with its own unique workload for GAO. The Coronavirus Aid, Relief and Economic Security (CARES) Act called upon GAO to oversee and audit how federal agencies are operating in this new telework environment, especially the security components. D’Souza said those efforts are underway, and should result in a report in a few months.
But one thing that has helped some agencies improve their cyber posture during the pandemic is continuous diagnostics and mitigation. Chief Warrant Officer 5 William Robinson II, chief technology officer and senior technical advisor for the Department of the Army, said during the webinar that CDM provided the Army with more visibility into its new telecommuting environment, especially when it came to sharing data in a non-Defense Department, non-VPN environment like Commercial Virtual Remote, DoD’s Microsoft Teams instance.
Robinson said the Army isn’t using CDM dashboards per se, but something very similar.
“We need to be able to orient ourselves, decide and then react to whatever actions are happening on the network. And so that single pane of glass that you were looking at — or several panes of glass — to be able to have standardization, and getting everybody to look at a common picture, to understand the threats as well as your security posture is worth its weight in gold, regardless to how pretty or how ugly your actual dashboard may look,” he said. “But more importantly is integration. So as we have several tools, several types of sensors out there, being able to correlate all that data into a structured data and be able to present that information. And having several different vendors, several different tools, being able to correlate onto one pane of glass has always been our biggest challenge inside of the Department of the Army.”
D’Souza agreed, saying the dashboards are foundational to properly implementing and benefiting from CDM. GAO just released a report on CDM in August, and one of the issues it found was that agencies were having trouble implementing the dashboard due to data quality issues. Primarily, they were having difficulties keeping track of the hardware and software on their networks.
“The dashboard is a key feature of CDM, everyone wants to be able to look at something. But for our work at the point in time we looked at, the agencies we looked at actually weren’t using the dashboards at that time; they were aware of some of the data quality challenges,” D’Souza said. “So I think to the extent that DHS and agencies are really able to drive the dashboards as being actionable in providing actual information, I think that’s important. And one caveat I do want to add is, a lot of these agencies had other tools or have other tools to monitor their network. So I think we’re gonna see a transition, as they grow more comfortable with CDM, and they’re more comfortable with the underlying data quality, they’ll be able to transition to sort of the standard CDM tools and maybe phase out some of their agency-specific tools.”