Tag Archives: teleworking

Telework Security Checklist

Image: National Institute of Standards And Technology.gov

WASHINGTON TECHNOLOGY

“What are the compliance implications of mass telework? Six questions to ask (and answer) to help you stay compliant while your employees are working remotely”

______________________________________________________________________________

“Government and contractors were unprepared for COVID-19 to so abruptly push so many employees to remote work. Even now, as businesses start to contemplate how to reopen their offices, the continued need for social distancing means many employees will be choosing or required to continue remote work for the foreseeable future. It’s a fundamental change in how organizations operate, fraught with inconsistencies, challenges and distractions.

Yet, while the pandemic is causing modifications and deviations to contracts and regulations, it will not serve as a “Get Out of Jail FREE” card. Government contractors must still comply with their contracts and protect government information.

What are the compliance implications of mass telework? Here are six questions to ask (and answer) to help you stay compliant while your employees are working remotely:

  1. Are your telework policies and procedures up to date?

Resist the temptation to ignore telework policies that are suddenly impractical. In the absence of clear guidance, employees will be inconsistent in their behavior and performance. Take the guesswork out of the mix by updating and publishing revised policies. Provide clear, concise direction for what employees should do under current conditions (and new conditions, as government guidance evolves).

  2. Is your IT infrastructure ready and secure?

A cyber-secure IT infrastructure built to support thousands of employees from a few offices will have vastly different loads and threats when most workers are suddenly piping in remotely. Is your VPN set up for the additional traffic? Do your security models and controls need to be adapted for the increased number of employees working remotely? Consider allowing access into the system for extended hours, so employees with family obligations have flexibility about when to do their work. Be sure your team fully appreciates the risks of relaxing some security controls (such as reducing keystroke monitoring) to improve your system’s responsiveness.

  3. Do employees have the technology and guidelines to work securely from home?

Most employees will do their best to serve government customers and be productive, even if they don’t have the same technology at home as at work. But the bad guys in cyberspace are exploiting this crisis and are increasingly determined to test the security boundaries of governments, businesses and citizens. Some employee “best effort” behaviors could introduce unwanted compliance and security issues.

Remind employees of how to protect sensitive information at home. Re-publish policies about home network security, strong passwords, use of personal email accounts, unknown email attachments and other best practices. Consider home burn bags to store confidential papers until employees return to the office. Remind employees to disengage smart speakers in spaces where work-related conversations are happening. Use passwords and other added security measures for all video conferencing.

  4. How are you managing and monitoring the productivity of remote workers?

Even veteran teleworkers have been disrupted by the sudden appearance of a spouse, children and/or roommates who are all competing for space, time, attention and internet bandwidth. Employees who are teleworking for the first time may have a home environment that is more casual, less vigilant, and filled with more distractions than an office setting.

It’s important, though, to proactively manage and document the work employees are doing. Be sure employees understand policies about work hours, time tracking and status updates. Share tips and expectations for productive and professional telework. Task your managers to understand obstacles their employees are facing – and to communicate clearly about whether any temporary job accommodations are approved. Then, closely monitor performance to ensure that you’re delivering on your contracts and billing the government appropriately for the completed work.

  5. Are key employees cross-trained?

Anticipate that key personnel may become unavailable to perform mission-critical duties at some point in the pandemic. If you haven’t already, identify and cross-train employees who can step in should the need arise. Remember to obtain your customer’s approval of these key employees, so work can continue uninterrupted. Keep an updated and centralized list or database to consult as your situation changes.

  6. Are you monitoring your procedures and controls, especially the updated ones?

When so much is new and changing, monitoring your controls is a must to ensure timely corrective actions and prevent material non-compliances. Periodically test your company compliance hotlines to verify that they are accessible, appropriately staffed and supported. Keep your governance program (board of directors and executive committees) active, engaged, and available to address anything that might go awry.

COVID-19 has created a remote working scenario that most government contractors never could have envisioned. While it’s different from anything we’ve experienced before, the government will not consider these changes an excuse for significant noncompliance. It is more challenging, but with planning, creativity and vigilance, companies, employees, and customers will be well served. In fact, you may find that some changes you make to accommodate the pandemic ultimately improve your operations and should endure after the crisis has resolved.”

https://washingtontechnology.com/articles/2020/04/30/insights-telework-compliance-questions.aspx

DOD’s Telework Surge Could Be Permanent

Image: Sarayut Tanerus Getty Images

FCW

A new emphasis on telework at the Defense Department in response to the COVID-19 pandemic could change work culture at the Pentagon, officials said.

DOD rolled out the CVR or Commercial Virtual Remote environment to handle the deluge of teleworkers March 27.

______________________________________________________________________________

“It now has 900,000 user accounts with 250,000 added in a single day, officials said at an April 13 briefing. CVR is a collaboration suite based on Microsoft Teams that enables video, voice and text communications.

“The department has always been telework-ready long before the pandemic,” DOD CIO Dana Deasy said, but noted full-time telework was the exception and not the rule, so that a lot of education about tools and best practices was needed.

“There will be some permanency to what we have here. Specifically, I think more on the network side, and we will also have to create a base of teleworking equipment that we’ll be able to, in some cases, reuse for other purposes,” Deasy said. “There is going to be an enhanced teleworking capability that will be sustained at the end of COVID-19,” he added.

About 2,000 DOD personnel have gotten additional devices, officials said, with virtual internet service provider connections increasing 30%. Call capacity in the Pentagon has increased 50% and the Defense Information Systems Agency has increased end point capability three-fold.

The Navy’s telework capacity has exploded with 65,000 new telework users on mobile and desktops. The Navy’s telework capacity grew 150% to 250,000 workers due to COVID-19 measures, and there are additional plans to bring the total to 500,000 remote workers. The Marines increased their virtual private network capacity to 60,000 simultaneous workers, up about 80%.

This activity is creating a surge of data, and it’s still unclear what happens to CVR information after the crisis.

“We recognize that a lot of data is being created, it’s going onto an unclassified environment,” DOD CIO Dana Deasy said, in response to a question about how CVR data will be treated after the COVID-19 crisis is over. “We are looking at options on how do we take this data and preserve it and-or port it into other collaboration environments, going forward. That decision has not been taken, but I would also not pre-conclude that we’ve taken the decision the data will just be flat-out destroyed.”

Cybersecurity concerns, and the increased data risk, have risen in tandem with teleworking and are compounded by DOD not implementing all of its cyber hygiene initiatives.

Air Force Lt. Gen. Bradford Shwedo, Joint Staff CIO, said DOD has seen a “surge of spearphishing related to COVID-19” across the organization.

Essye Miller, DOD’s principal deputy CIO, first noted the uptick in cyberattacks in March when the department began encouraging mass telework, discouraging personnel from using streaming services on DOD’s network and encouraging better cyber hygiene practices.

A Government Accountability Office report released April 13 found that DOD has fallen short when it comes to implementing proper cyber hygiene methods across the organization.

The GAO said DOD had not fully implemented cyber training briefings for DOD leadership or developed educational and training requirements for cyber workers. Additionally, a component of Cyber Command charged with network operations, the Joint Force Headquarters Department of Defense Information Network, hadn’t developed a plan for scheduled and unannounced cybersecurity inspections, according to the report.

In a letter responding to the report, Deasy said DOD would combine existing scorecards to improve data needed for senior leadership’s decision making, but that it was not possible to eliminate risk.

“Risk is a function of multiple variables and these variables are continually evolving,” Deasy wrote to GAO. “Timely, relevant, and correlated information is the best that can be expected.”

https://fcw.com/articles/2020/04/14/dod-telework-permanent-williams.aspx?oly_enc_id=

U.S. Air Force Technology Empowering Teleworkers

Image: Aerospace America

AEROSPACE AMERICA

Aerospace engineers and others will be able to access classified networks from home.

Air Force Research Laboratory accelerated the rollout of a new way for aerospace engineers, intelligence analysts, research physicists and others to securely access classified networks remotely.

_____________________________________________________________________________

“The coronavirus pandemic separated thousands of U.S. service members, Defense Department civilians and contractors from the highly classified information they need to do their jobs each day — data they can’t just bring home or access on the unsecured internet.

AFRL calls the initiative deviceONE. This month contractors authorized to handle classified equipment began home deliveries of jump kits consisting of modified off-the-shelf laptop computers. The laptops are loaded with software developed under a National Security Agency project to securely connect users to classified networks hosted on servers in Hawaii. About 20 kits have gone out so far from an initial batch of 40.

The uses will be myriad. At AFRL, for example, engineers or other professionals could log onto deviceONE to help prepare computer models of aircraft or projectiles for wind tunnel tests, said John Woodruff, the program manager for the SecureView laptops who is based at AFRL’s Rome, New York, site.

Thousands more deliveries will follow, as vendors such as Dell, HP and Panasonic deliver more laptops to AFRL for modification. Those won’t just go to AFRL workers, but also staff at dozens of other Air Force organizations, and possibly other military organizations, Woodruff told me in a phone interview.

The program could last far beyond the COVID-19 lockdowns, potentially giving airmen and troops who depend on classified data a convenient new way to access those networks at far-flung, austere locations in Afghanistan, countries in Africa and elsewhere.

DeviceONE is part of the Air Force’s Advanced Battle Management System effort, which seeks to find new ways to connect aircraft, satellites and operations centers and share data in the field. The initiative has three elements:

  • Virtual Desktop Information, or VDI, a series of cloud-type servers at Pacific Air Force’s Hawaii headquarters that store data and applications such as Microsoft Outlook — basically everything to run a user’s entire desktop remotely.
  • SecureView, the lightweight, thin client-style laptops that do little more than access the classified network and don’t allow anything to be saved to the hard drive.
  • Commercial Solutions for Classified, or CSFC, program, which connects the SecureView laptops with the VDI servers. CSFC, based on technology developed roughly six years ago by the National Security Agency, combines virtual private networks to process classified information.

AFRL was already working on combining those preexisting technologies, but the coronavirus pandemic made the need to get it into the field even more pressing.

AFRL hurried to release the latest version of SecureView, and then worked with several Air Force organizations to get deviceONE approved for rollout at the end of March. The approval process took place at “unprecedented speed,” Woodruff said. “What normally takes months was compressed to five days.”

Now that the first 40 kits have been prepared with the proper security and other software, Woodruff expects the next thousand laptops to arrive by late April.

The next phase of the project will lay the groundwork for deploying several thousand more deviceONE units. Each user’s computer costs less than $2,500, Woodruff said, and adding thousands of more users to Pacific Air Force’s infrastructure will likely cost between $6 million and $10 million.

A nontechnical roadblock could lie ahead, Woodruff suspects. Suitable laptops could become scarce as governments, schools and companies around the world shift to teleworking.

Woodruff said AFRL has kept good relationships with top officials at vendors such as Dell, to try to convince them to prioritize their orders as much as they can.

“We’re all trying to work remotely all of a sudden,” Woodruff said. “It’s very difficult to get the quantity of laptops that we’re discussing, quickly, from the manufacturers.”

https://aerospaceamerica.aiaa.org/meet-the-u-s-air-force-technology-thats-empowering-its-teleworkers/

FBI Warns On Zoom Conference Security

Image: Threatpost.com

FCW

As telework expands across the U.S., new users unfamiliar with security precautions can unintentionally expose their videoconferences to unauthorized participants.

__________________________________________________________________________

“The FBI is warning Zoom video-conferencing platform users to guard against “VTC hijacking” and “Zoom-bombing” by outsiders intent on making threats and offensive displays.

According to the FBI’s Boston Division, two Massachusetts high schools reported separate instances of individuals breaking into online classes in late March being conducted via Zoom teleconferencing software. In one incident, said the FBI, an unidentified individual dialed into a videoconference class, yelled out a profanity and the teacher’s home address. In the other, a school reported an unidentified individual with swastika tattoos dialing into a Zoom videoconference class.

FBI Special Agent Doug Domin told FCW that unauthorized participants are not just an issue on the Zoom platform. “Other providers have similar platforms,” he said, that are just as vulnerable to such intrusion if they’re misused.

“Organizations should have policies for VTC” and its associated software, as well as training on how to use it, said Domin. Individual session passwords should be used, even for audio bridges, he said. “The bigger the group, the bigger the possibilities” for unauthorized entry.

“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesman told FCW in an email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” they said.

The Zoom for Government platform is on the General Services Administration’s buying schedule and also has that agency’s Federal Risk and Authorization Management Program moderate level approval. Zoom was sponsored in the FedRAMP approval process by the Department of Homeland Security, according to the company. The authorization allows federal agencies and contractors to securely use Zoom for government video meetings and API integrations, according to the company.

Typically, government-approved versions of commercial off-the-shelf products do not allow for data collection for marketing purposes.

Zoom’s standard product has many newer users in public school environments, since company CEO Eric Yuan removed time limits on the app for elementary and high schools as the COVID-19 pandemic closed down the facilities across the U.S.

The company’s video teleconferencing offering has raised the hackles of some privacy experts, including Consumer Reports, who say it collects and sells user data to online advertisers. It revised its privacy policy on March 29 to say it does not sell personal data.

Additionally, a company official told the Intercept in a March 31 report that Zoom does not offer end-to-end encryption as it is commonly understood – that is encrypting data between user end points. The content of a video conference hosted by Zoom is potentially visible to the company itself.

An IT manager FCW spoke with about Zoom said they were confident that with the FedRAMP moderate rating that conforms services to FISMA standards, a federal Authority to Operate, and familiarity with the platform, most federal users could be reasonably confident with the platform’s integrity.”

https://fcw.com/articles/2020/03/31/zoom-bombers-fbi-rockwell.aspx

Many Contractors Awaiting Pandemic Guidance From Government Agencies


FCW

Lawmakers want federal agencies to publicly post their contingency plans so everyone has a better idea of what to expect as more federal employees move to telework and other alternative operations. Official agency advice is scarce.

______________________________________________________________________________

“Some agencies posted some contractor-specific contingency guidance in the last few days ahead of the March 19 letter from Senate lawmakers, but federal contractors FCW has spoken with in the last few days said official agency advice for contractors is scarce.

The Environmental Protection Agency and the U.S. Agency for International Development rolled out guidance for their contractors at the end of last week, telling them to keep in close contact with their agency contracting officers, as well as check their contracts’ language for information on how to move ahead.

In a March 19 letter to the acting directors of OMB and OPM, Sen. Mark R. Warner (D-Va.) and seven other senators called on those agencies to require all federal agencies to post their contingency plans for COVID-19 outbreaks, so the public knows what services to expect and federal contractors have some guidance on how to comply with their contracts.

“Making these [contingency] plans transparent and readily available is key to ensuring that our constituents understand what services are continuing in the midst of the uncertainty and disruption caused by COVID-19. It is also important for federal employees and contractors to understand and properly implement the required mitigation measures and for policymakers to ensure compliance with these measures,” said the letter.

The letter said posting the plans was in line with the way the government handles the plans during a non-Coronavirus related government shutdown.

Contractor telework

The Professional Services Council urged Russell Vought, acting OMB director, to extend telework to the contractor workforce where possible.

Many contractors are being sent home and told that “telework is not authorized under the contract,” PSC President and CEO David Berteau wrote in a March 18 letter to Vought.

“Sending contractors home without authorizing telework effectively ends the important work being done for the government by those contractors,” Berteau wrote. He said the lack of guidance also undermines the intent of the President when OMB told federal agencies to allow government workers the “maximum telework flexibilities.”

Additionally, the National Defense Industrial Association, the U.S. Chamber of Congress, PSC and other trade groups are urging Congress to include contractor telework and assistance for contractors who can’t work because of closed federal facilities in coming pandemic relief legislation.

Excusable delays

EPA and USAID rolled out guidance for their contractors on March 13 and March 12 respectively, telling the businesses to keep in close contact with their agency contracting officers, as well as check their contracts’ language for information on how to move ahead.

USAID told contractors in its notice that contractors shouldn’t begin any new work or change work plans without getting written approvals from agency contracting officers and managers.

It told contractors not to begin any new work or change approved work plans.

The agency also said it is considering setting up an expedited procedures package for disease emergency response.

USAID contracting officers, said the agency, will get in touch with contractors if it needs to redirect resources. It said it would consider additional contract implementation expenses due to the virus on a “case-by-case basis.”

USAID advised contractors with workers infected by the virus and temporarily unable to work to “continue to incur operating costs–to be able to restart activities immediately if circumstances or instructions change.”

On March 13, the EPA posted a Coronavirus FAQ for small businesses that answered some basic questions about how they should proceed. The guidance advised contractors to review their contracts to see how, and if, those documents offer any latitude for delays. It advised small business contract holders to look to the Federal Acquisition Regulation for further information on how federal contract performance is handled under extreme circumstances, including pandemics. It warned that “force majeure” clauses common in the language of many commercial contracts, are not the same under the FAR.

Contractors that have “Excusable Delays” provisions in their contracts that cover contingencies including epidemics.

EPA advised contractors to consult with customer agencies closely on whether specific federal workers or sites would be available or open for work. It said contractors might also get wind-down and startup costs covered if work can’t be done because of absent workers or closed sites.”

https://fcw.com/articles/2020/03/19/contractors-guidance-coronavirus-rockwell.aspx?oly_enc_id=

Secure Teleworking Guidance From National Institute Of Standards And Technology (NIST)

FCW

The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lackadaisical security policies of the past will no longer cut it as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.

______________________________________________________________________________

“Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.

“Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop,” wrote Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence. “Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”

Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization’s existing policies.

Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn’t) supposed to be connected.

Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.

The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.”

https://fcw.com/articles/2020/03/17/nist-advice-virtual-online-meetings.aspx?oly_enc_id=

Spinning Up Telework Presents Procurement Challenges

Image: Eztalks.com

FCW

There’s good news and bad news for agencies looking to ramp up telework in the wake of the coronavirus pandemic, according to federal contracting experts.

The good news is federal acquisition contracts are set up for quick acquisition of essential telework equipment, such as laptops or tablets, said acquisition experts FCW spoke with. The bad news could be that online scammers are watching the expanding tele-workforce with great interest.

___________________________________________________________________________

“The emphasis on agency telework is growing, and although most agency employees are already assigned computers, there may be some hardware gaps to fill as workforces move to remote locations.

Federal governmentwide acquisition contracts, such as NASA’s Services for Enterprise-Wide Procurement, the General Services Administration’s ordering schedule and the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) are set up to help quickly fill laptops, tablets and other IT commodity orders, they said.

“In general, SEWP is an agile acquisition vehicle that allows for quick turn-around times for quotes and provides points of contacts for all contract holders to facilitate quick communications,” Joanne Woytek, SEWP manager told FCW. The GWAC, she said, has not seen any specific increase related to teleworking support, so far.

“For laptops, tablets, printers, agencies have purchase cards,” Alan Chvotkin, executive vice president and counsel for the Professional Services Council, told FCW. “Orders placed on SEWP and federal schedules can get responses within 24 hours,” he said, adding that speedier responses could pump up costs.

SEWP posted a warning on its webpage at the beginning of March saying delays in some orders could result from stresses on the supply chain.

In an email to FCW on March 11, Woytek again noted that delivery of technology “is limited by the capacity of industry.” She said order delivery “is going to be on a case by case basis and greatly dependent on the complexity, configuration and size of an order.”

However, the demand for laptop and tablet computers from federal agencies during the next few weeks, probably won’t be too steep, said Roger Waldron, president of the Coalition for Government Procurement.

Agencies, however, should be working diligently to “level set” their computer and network needs for the coming weeks, as well as keep informed on their existing IT contracts and how to leverage GWACs, such as SEWP, to back fill last-minute IT and IT commodity needs.

Even though agencies will probably have the resources to get any necessary computers for new telecommuters, another acquisition expert said they face a sneaky obstacle — telework-savvy cyber adversaries.

Bad actors are on the lookout for new teleworkers, as those workers open up a vulnerability to protected networks, said Evan Wolff, a partner at Crowell & Moring, who co-chairs the firm’s Privacy & Cybersecurity Group and is a member of its Government Contracts Group.

Targeted phishing emails and other cyber crime techniques could be a challenge for federal IT managers with increasing numbers of telecommuters, Wolff told FCW in an interview.

Federal IT managers, he said, may not have appropriately secure infrastructure in place to lock down all communications. Additionally, simple things, such as shared living space with non-government employee roommates, could also present issues, if the federal teleworker has a sensitive post, he said.

“We’re already seeing a focus on customized phishing” aimed at non-government telecommuters as the coronavirus spreads, said Wolff. That wave of targeted remote worker phishing email is probably coming to new federal telecommuters too.

“Bad actors understand a target’s leadership and the types of appropriate email” that could tempt them into taking the bait, he said.”