Millions of federal workers are now working from their homes because of the Coronavirus pandemic. This expansive telecommuting activity has increased the potential of sensitive government projects and information being exposed to unauthorized individuals.
The CIO Council’s Federal Mobility Group recognizes the importance of secure telework and is taking this opportunity to share the secure best practices for teleworking and using video collaboration tools that were compiled by the cybersecurity experts at the National Institute for Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA). Federal employees and contractors can use these best practices to work safely and securely online.
NIST Secure Telework Guidance:
NIST’s cybersecurity experts are offering several valuable tips to improve telework security, including the following:
- Find out if your organization has rules or policies for telework, and if so, make sure you read and comply with them.
- If you’re seeing unusual or suspicious activity on any device you’re using to telework—computer, mobile device or home network—ask for help from your organization’s help desk or security operations center.
- Download the NIST telework tip guide.
- Additionally, NIST offers secure teleworking and video conferencing tips in the following publications:
NSA, CISA Telework Best Practices
NSA and CISA experts have compiled a comprehensive list of teleworking “Do’s” and “Don’ts” that will make online work-related activities more safe and secure. Among the telework best practices are the following:
- Only use agency-approved video conferencing, collaboration tools and methods to share files.
- Whenever possible, only use laptops and smartphones owned, managed and protected by your agency.
- Store work-related content on Government Furnished Equipment (GFE) and agency-approved cloud services.
- Only connect GFE to a network you are in complete control of (e.g., home network).
- Don’t forward work emails to a personal account.
- Don’t store work-related content on personally owned equipment (e.g., laptops and cell phones).
- Don’t print work-related content at home (unless explicitly approved by your agency).
- Don’t use your GFE or government desktop session for nonwork-related activities such as social networking, audio and video streaming or personal shopping.
View the complete list of NSA-CISA Telework Best Practices.
CISA Telework Resources
As the nation’s risk advisor, CISA brings its partners in industry and the full power of the federal government together to improve American cyber and infrastructure security. CISA provides the following resources to assist organizations and teleworkers to be secure when working remotely:
CISA Video Conferencing Guidance
Advances in information technology such as the increased availability of video conferencing software products are key enablers for telework. It is critical that product cybersecurity requirements and risk exposure are counterbalanced appropriately against remote access benefits such as convenience, usability, speed and stability. CISA offers the following guidance for agencies:
- Assess your agency’s needs and determine the appropriate product to use in the enterprise; or cloud services, agencies should use FedRAMP-authorized products.
- Establish an agency virtual-meeting policy or recirculate an existing policy.
- Limit and minimize the number of collaboration tools authorized for use in the enterprise and prohibit end-users from installing client software.
CISA also offers guidance for end-users and recommendations regarding how to secure the most popular video conferencing products at: cisa.gov/telework.
TIC 3.0 Interim Telework Guidance
CISA’s Trusted Internet Connections (TIC) Program Management Office has produced the TIC 3.0 Interim Telework Guidance document to support OMB Memorandum 20-19 and the surge in teleworking. This document provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments.
The guidance is short-term for Calendar Year 2020 and is expected to be incorporated into a Remote User Use Case later. Additional information about the TIC program is available on the TIC’s program's webpage.
Teleworking allows the government to carry on its critical mission to serve the public. Following the security best practices outlined above by NIST, CISA, and NSA cybersecurity experts will help boost the security of the federal workforce’s day-to-day activities as increased telework operations continue into the foreseeable future.