The Government Accountability Office plans to review how agencies implemented remote work solutions.
As agencies fast-tracked telework in response to the pandemic, some took advantage of teleconferencing tools, such as Zoom, Teams and other programs. Others tapped into cloud solutions and virtual private networks, or extended applications to employees to use on their own devices.
To see what worked, the Government Accountability Office plans to review how agencies have been implementing such solutions in the coming months, Nick Marinos, GAO's director of Information Technology and Cybersecurity, said on a May 27 NextGov virtual conference.
Armando Quintananieves, director of the Security Operations Division in the Office of the CIO at the General Services Administration, said that vetted solutions, like GSA's Federal Risk and Authorization Management Program, are the best.
"There are a lot of tools out there. It depends on the business need. No tool fits every situation. That's where FedRAMP comes into play." FedRAMP signs off on security specs for government versions of popular business applications.
"Sometimes people cut corners," Marinos said, referring to agencies that shortchange the security of remote access and applications in favor of solving the immediate problem of getting their employees online. Simply getting bandwidth to people who haven't previously worked from home can be a basic issue, said Marinos.
Quintananieves and Marinos advised IT managers to ask their agency security officials before implementing unfamiliar technology or opening up new capabilities, such as allowing personal devices onto an agency network. Some agencies allow limited use of personal devices, provided they're only connected to the VPN and not to core network resources.
Marinos and Quintananieves also warned that phishing, long a pernicious security risk, has only been inflamed by the pandemic. It's important to sharpen employee skepticism of unfamiliar emails.
"It's also important to check the 'health' of end devices connected to the VPN," Quintananieves said. He recommended ensuring those devices have all their security agents, limiting access to the VPN and implementing two-factor authentication for access.
"Pause before making a technology choice," Marinos advised remote workers and IT managers. "This is a primetime for bad actors to exploit. Always ask your security people before you take an action. If an individual user isn't sure how to approach telework, they should reach out to their internal security department," he said.
This article was first posted to FCW, a sibling site to GCN.