The Public Eye with Eric Chabrow

Telework Law Next Step: Securing IT

NIST Guidelines Provide Feds with a Head Start

The easy part was President Obama affixing his signature to a bill last week to encourage federal agencies to allow employees to work remotely. The hard part is for those charged with protecting the government's IT systems to make sure teleworkers do so securely.

The Telework Enhancement Act of 2010 requires the head of each executive agency to establish a policy in which eligible employees may telework. The new law obliges the director of the Office of Management and Budget, working with the Department of Homeland Security and the National Institute of Standards and Technology, to issue guidelines to ensure IT systems remain safe when remotely accessed by teleworkers.

The guidelines, at a minimum, must include requirements essential to:

  • Control access to agency information and information systems;
  • Protect agency information, including personally identifiable information, and information systems;
  • Limit the introduction of vulnerabilities;
  • Protect information systems not under the control of the agency that are used for teleworking;
  • Safeguard wireless and other telecommunications capabilities that are used for teleworking; and
  • Prevent viewing, downloading or exchanging pornography, including child pornography.

Safeguarding IT systems and data isn't new to NIST. Last year, NIST issued Special Publication 800-46 Revision 1: Guide to Enterprise Telework and Remote Access Security.

When NIST issued the guide last year, I spoke with one of its authors, then-NIST computer scientist Karen Scarfone, who characterized the government's move to encourage telework as a "real philosophy shift" from the recent past. She said government information security managers must take for granted the fact that people who would do the government and its citizens harm will exploit remote access systems designed for telecommuting government employees and contractors. "You should assume external environments contain hostile threats," Scarfone said.

Scarfone offered five steps managers supporting government telework programs should take to keep their systems and data safe:

  1. Assume hostile threats will occur;
  2. Develop policy defining telework, remote access;
  3. Configure remote access servers to enforce policies;
  4. Secure telework client devices against common threats; and
  5. Employ strong encryption, user authentication.

Securing information systems for telework is just another daily challenge government IT security specialists face.



About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



