GAO Assesses Response to the Cybersecurity Risks of Federal Agency Teleworking
Telework is essential to the continuity of federal operations in emergencies—but it also brings added cybersecurity risks. The CARES Act contains a provision for the Government Accountability Office (GAO) to monitor the federal response to the pandemic. GAO has recently examined federal agencies’ preparedness to support expanded telework during the COVID-19 pandemic.
GAO looked at 12 agencies and found that they all had the technology to support remote access for telework. But not all agencies had fully addressed relevant guidance for securing their remote access systems.
Each of the 12 agencies GAO selected for review had information technology (IT) in place to support remote access for telework during the COVID-19 pandemic. Although the agencies initially experienced IT challenges in supporting remote access for maximum telework, they generally overcame them. For example, seven agencies were challenged in providing sufficient bandwidth to provide remote access for teleworkers, but they increased bandwidth as needed to ensure networks could handle additional remote connections. In addition, while the increased number of remote connections brings additional cybersecurity risks, all of the selected agencies reported that they continued activities intended to help ensure the security of their information and systems.
While the selected agencies had documented elements of a telework security policy, such as permitted telework devices and forms of remote access, GAO found that not all agencies had fully addressed other relevant federal guidance for securing their systems that support remote access for telework. Specifically, two agencies had not fully documented relevant IT security controls to protect those systems. In addition, assessments for systems that five agencies relied upon for remote access did not address all relevant controls to ensure the controls were operating effectively. Further, four selected agencies had not fully documented remedial actions to mitigate weaknesses they had previously identified.
Although one of the selected agencies subsequently resolved its shortcomings, others had not. For the agencies that did not fully follow federal information security guidance, agency IT security officials stated that these conditions existed for various reasons, such as out-of-date documentation, among others.
GAO has made a total of nine recommendations to six agencies. For example, the government watchdog recommends that the Department of Homeland Security should consistently monitor progress toward the completion of remedial actions for the system that provides remote access for telework.
Gloss