As the Obama administration and Congress intensify efforts to ramp up telework in the government, federal IT managers will likely see greater demands to facilitate and improve telework infrastructures at their agencies.
The status of federal telework to date can be summarized as lots of talk, not much action. But the administration has made telework a major priority, calling for a 50% increase by 2011 in the number of federal employees eligible for telework. This past July, the House passed a bill, similar to legislation approved by the Senate in May, that would require federal agencies to establish a federal telework managing officer position, a move intended to drive more teleworking across the government.
Proponents are adamant that developing an enduring telework infrastructure is crucial to the government's continuity of operations planning, giving civil servants the ability to telecommute from home or remote locations during times of crisis.
A recent study by the Partnership for Public Service (PPS) and Booz Allen Hamilton found that concerns about technology and government cybersecurity are among the principal barriers to the growth of federal telecommuting. The Office of Personnel Management defines telework as work arrangements in which an employee regularly performs officially assigned duties at home or other work sites geographically convenient to the residence of the employee.
In PPS's study, On Demand Government: Deploying Flexibilities to Ensure Service Continuity, agency officials were particularly uneasy about unsecured networks and the review of classified information in non-secure locations.
"Part of what makes telework harder to secure is that in the enterprise you have physical security controls and you have all the technical controls, [such as] enterprise network-based firewalls and encryption protection systems," said Karen Scarfone, a computer scientist at the National Institute of Standards and Technology and an IT security specialist. "As soon as you do teleworking you're taking the equipment out of those layers of protection. So you need to be compensating for that. That's really the big challenge."
In its Guide to Enterprise Telework and Remote Access Security, NIST generally recommends that agencies use an encrypted tunnel, such as a virtual private network, to establish secure communications between a teleworker's client device and the agency's network.
Scarfone, co-author of NIST's telework guide, suggested that agencies take a risk-management approach to what types of work are appropriate for teleworkers to do at home. "Certainly, if you're doing classified work, you're not going to be doing telework," she said. "You're going to come in and do that in a secure facility."
But for data that is unclassified but sensitive, agencies should determine the risk involved in letting a teleworker access that information from home. "Maybe that's a job function that you simply cannot mitigate enough risk to do through teleworking," Scarfone said. "Every agency has to consider that and determine what makes sense for them."
Whether to provide teleworkers with equipment or let them use their own computers also is a question of risk assessment, she added. "We don't make a firm recommendation one way or the other," she said. "A lot just depends on the sensitivity of the work being done."