The COVID-19 pandemic has driven Federal agencies to leap to maximum telework capacity on short notice. While many were able to kick telework into high gear in only a matter of days because of previous or ongoing IT modernization investments, the requirement to change fast and on the fly underscores the vital need for modernization – in the case of a pandemic or not.
Here are just a few of the many agencies that have done it right: The Department of Veterans Affairs has tripled the number of teleworking employees, the National Science Foundation has moved to 100 percent telework, and the Department of Defense has activated more than 900,000 remote user accounts.
Amid those successes, however, agencies still face challenges in the transition to telework – namely ensuring tight cybersecurity amid an expanded attack surface as workers use their home networks and potentially their own devices to conduct business.
CISA Pushes Agencies to Focus on Cyber
As agencies began to ramp up telework, the Cybersecurity and Infrastructure Security Agency (CISA) released interim Trusted Internet Connections (TIC) 3.0 guidance in early April to help agencies support wide-scale remote access. The guidance identified 18 universal security capabilities that agencies should consider when transitioning to telework, including configuration management, incident response planning, and situational awareness.
Back in December 2019, CISA released a draft of its TIC 3.0 guidance. While the goals of TIC 3.0 remain the same, the shift to “the new normal” of telework had a strong influence on CISA’s recommendations.
“The TIC 3.0 draft that came out last year accelerated some things, and the recent emergency guidance started to codify alternative access methods,” Sean Frazier, Advisory CISO for Federal at Cisco’s Duo Security, told MeriTalk. “The interim guidance is meant to give agencies the ability to build architectures around things like BYOD (Bring Your Own Device), VPN (Virtual Private Network) access, multi-factor authentication (MFA), and alternative authentication methods.”
As agencies continue to adapt to increased telework, they must make sure that cybersecurity is baked into their IT strategies, not just bolted on as an afterthought.
Frazier offered guidance on what agencies should be focused on the most. “You need to look at the fundamentals – things like Domain Name System (DNS)-based security, MFA, the bare bones and connective tissue of security. When the world goes ‘back to normal,’ we want to make sure that everything we’ve done to improve remote access security during this time is reusable.”
While agencies have looked to incorporate CISA’s guidance, they must wrestle with new challenges alongside existing cybersecurity threats.
BYOD Policies Needed STAT
Federal agencies are well versed in keeping government devices secure on their networks. However, with the rise in telework, they are faced with not only keeping government devices secure on employees’ home networks, but also securing employee devices.
Increased telework rates heightened the importance of BYOD policies – which have been on the back burner for many agencies.
“In this environment, they’re forced to have a policy,” Dean Scontras, Vice President of Public Sector at Duo Security, explained to MeriTalk. “Previously, if the government owned the device, you got full access, but if you were using a personal device, your access would be restricted, because most likely your agency had a semi-policy, or no policy at all. The interim emergency guidance from CISA specifically calls out that you’re going to need a BYOD policy because people are going to bring their own devices.”
In terms of what agencies need to keep in mind when developing a BYOD policy, Scontras said a consistent security model is essential.
“Even though employees may use their personal equipment, you still can’t say they have carte blanche, full open access, depending on the device,” he said. “You still need some kind of assessment or posture capability. You might say, ‘Yes, you can use your own device, but I’m going to need to check a few things before we let you on the network, and I may require you to make some updates before I grant you access.’”
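As an added illustration (not code from the article, from Duo, or from CISA), here is a minimal posture gate in the shape Scontras describes: the same checks apply to government-owned and personal devices, and a device that fails them is told what to fix before it is granted full access. The device record fields, the OS version floor, and the check list are constructed assumptions.

```python
# Added example of a BYOD posture gate (constructed; not the article's or Duo's code).
from dataclasses import dataclass, field

# Assumed OS version floor; a real policy would carry one per platform.
MIN_OS = (10, 0, 19041)


@dataclass
class Device:
    owner: str            # "government" or "personal" (BYOD); same rules for both
    os_version: tuple     # e.g. (10, 0, 19041), constructed sample value
    disk_encrypted: bool
    screen_lock: bool
    mfa_enrolled: bool


@dataclass
class Decision:
    access: str                                  # "full", "restricted", or "deny"
    remediation: list = field(default_factory=list)


def evaluate(device: Device) -> Decision:
    """Apply one consistent posture policy and return the access tier plus any fixes."""
    if not device.mfa_enrolled:
        # MFA is treated as a hard requirement: no enrollment, no network access.
        return Decision("deny", ["enroll in MFA"])
    fixes = []
    if device.os_version < MIN_OS:
        fixes.append("update OS to %s or later" % ".".join(map(str, MIN_OS)))
    if not device.disk_encrypted:
        fixes.append("enable disk encryption")
    if not device.screen_lock:
        fixes.append("enable screen lock")
    # Clean posture earns full access regardless of who owns the device;
    # anything outstanding drops the device to restricted access until fixed.
    return Decision("full" if not fixes else "restricted", fixes)


if __name__ == "__main__":
    # Constructed sample fleet: one managed laptop and two personal devices.
    fleet = [
        Device("government", (10, 0, 19041), True, True, True),
        Device("personal", (10, 0, 18362), False, True, True),
        Device("personal", (10, 0, 19041), True, True, False),
    ]
    for d in fleet:
        result = evaluate(d)
        print(d.owner, result.access, "; ".join(result.remediation) or "no action needed")
```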
The Right Technologies Needed for the Job
IT modernization has been top of mind for Feds for years, but moving to maximum telework has made their modernization wish lists less of a long-term goal and more of a short-term necessity.
For telework security, Feds need to migrate to MFA and embrace the cloud. While the government has used Common Access Cards (CAC) and Personal Identity Verification (PIV) cards for years, Frazier highlighted their limitations.
“While the smart card has done a really good job over the last 15 years, that model requires you to bolt on innovative solutions to legacy technology,” he said. “Security is done best when it’s not bolted on, but actually integrated overall.”
To provide secure remote access with a solution more geared toward cloud and mobility, Feds may find another MFA option more attractive.
Scontras highlighted cloud-based MFA, which he said is already present within the Federal government. He noted cloud-based MFA is “particularly attractive in our current scenario.” He explained, “there’s no hardware to be shipped, so a FedRAMP-approved cloud-based MFA like Duo can fill that gap particularly well for agencies in this environment, especially in regard to speed to security.”
With employees in nearly every department – including IT – working from home, issuing security hardware can become a difficult obstacle to overcome.
“Not only are the IT people working from home, but the people that issue CAC and PIV cards are too,” Frazier noted. “People can’t go see someone to verify their identity to get that card in the first place.”
Agencies Need a Marathon Mindset
While many are itching to return to pre-pandemic normal, Scontras said that agencies need to prepare for telework to be a long-term change.
“We’re going to be in this remote workforce state, in one form or fashion, for probably about a year,” he said. “And even when we’re on the other side, there will always be drivers that require us to be more agile. We need to bake security into our plans on an ongoing basis.”
Beyond adjusting to a majority-remote workforce, both Scontras and Frazier agree that agencies need to take a long-term view of IT modernization and build their IT infrastructure in a way that will stand the test of time.
“It’s all about innovation and consistency. As an agency, you don’t want to stand up a one-time thing and then go back to the old way later,” Frazier said. “You want to make sure that you’re building something that has legs, that you can use for the next 20 years, and you need to have that elastic mindset of cloud and mobility.”
When it comes to their modernization mindset, Scontras offered some advice for agencies. “Make sure you’re building a platform that you can innovate on top of,” he counseled.