What did agencies learn from telework’s high-speed rollout?
- By Mark Rockwell
- May 29, 2020
As agencies fast-tracked telework in response to the pandemic, some took advantage of teleconferencing tools, such as Zoom, Teams and other programs. Others tapped into cloud solutions, virtual private networks and extending applications to employees to use on their own devices.
To see what worked, the Government Accountability Office plans to review how agencies have been implementing such solutions in the coming months, Nick Marinos, GAO's director of Information Technology and Cybersecurity, said on a May 27 NextGov virtual conference.
Armando Quintananieves, director of the Security Operations Division in the Office of the CIO at the General Services Administration, said that vetted solutions, like GSA's Federal Risk and Authorization Management Program, are the best.
"There are a lot of tools out there. It depends on the business need. No tool fits every situation. That's where FedRAMP comes into play," which signs off on security specs for government versions of popular business applications.
"Sometimes people cut corners," Marinos said, speaking about securing remote access and applications in favor of solving the immediate problem of getting their employees online. Simply getting bandwidth to people who haven't previously worked from home can be a basic issue, said Marino.
Quintananieves and Marino advised IT managers to ask their agency security officials before implementing unfamiliar technology, or opening up new capabilities such as allowing personal devices onto an agency network. Some agencies allow limited use of personal devices, provided they're only connected to the VPN and not to core network resources.
Marino and Quintananieves also warned that phishing, long a pernicious security risk, has only been inflamed by pandemic. It's important to sharpen employee skepticism of unfamiliar emails.
“It's also important to check the 'health' of end devices connected to the VPN,” Quintananieves said. He recommended ensuring those devices have all their security agents, limiting access to the VPN and implementing two-factor authentication for access.
"Pause before making a technology choice," Marino advised remote workers and IT managers. "This is a primetime for bad actors to exploit. Always ask your security people before you take an action. If an individual user isn't sure how to approach telework, they should reach out to their internal security department," he said.
This article was first posted to FCW, a sibling site to GCN.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.