For continuity, build telework into operations

The technology is available to enable secure, efficient access for remote working emergencies and day-to-day operations, but planning ahead is critical. Two agencies show that it can be done.

When the Centers for Medicare and Medicaid Services began planning for a desktop PC refresh in 2007, agency leaders decided to move to laptops with built-in security that could enable remote access for telework.

The decision appeared expensive at first, costing about 30 percent more than updating desktop PCs. But it turned out to be a bargain, CMS CIO Julie Boughn said.

“When the snowstorms happened,” she said, referring to the infamous Snowmageddon of February, “it made me look like a genius. We came pretty close to actually paying for that 30 percent” during the storms.

CMS’ experience is a lesson for agencies that are counting on remote access for employees in their continuity-of-operations plans. The technology is available to enable secure telework for COOP plans. But to make it work, agencies must plan ahead.




“It has to be built into your standard operating procedures,” said Cindy Auten, general manager of the Telework Exchange. “Saying ‘I want you to telework tomorrow’ is not going to work.”

The benefits of building telework into standard operations can be significant, said Rod Turk, chief information security officer at the U.S. Patent and Trademark Office, one of the leaders in government telework. In addition to supporting continuity of operations during emergencies, telework can cut auto emissions by reducing commutes, improve employee morale and reduce stress, increase productivity, make employee recruiting and retention easier, and save money on real estate. USPTO is saving millions by reducing its need for office space, Turk said.

“It seems like a no-brainer,” Auten said. But many agencies are still struggling to implement robust telework programs. “There is a resistance to change by management at work. That’s where most of the resistance is.”

Security Concerns

One of the enduring concerns about telework is security. Agencies must overcome the tension between providing convenient remote access to agency resources and protecting sensitive information.

“Administrators are nervous about opening firewalls, even for legitimate use,” said Tom Quillin, director of security initiatives and technology at Intel’s architecture group.

But there is a need to accommodate that access even before an emergency sends workers home. “The reality is that this is the way people want to work today, and it is important to be able to facilitate that,” he said.

However, security doesn't have to be a deal breaker. Virtual private networks, network access controls and virtualization, which can separate data from the hardware using it, can provide adequate security. “The technology is mature at this point, but it is still relatively recent,” Quillin said.

Virtualization can be a powerful tool for enabling secure remote access because network administrators can create a managed environment on a device that is trustworthy for connecting to agency resources. It also can isolate those agency resources from malware on a user's device.

Virtualization also can help control bandwidth requirements, said David Smith, chief technology officer of Citrix Federal. Virtualization minimizes traffic between a remote device and the data center because the user is working with an image rather than downloading data.

That does not mean agencies don't need to plan for bandwidth needs for telework. As more employees expect to be able to access enterprise resources at any time from anywhere on any device, bandwidth demands will increase. And that's especially true during emergencies when COOP plans are put into action.

“Agencies already have VPNs” and servers to support them, said Martin Hack, executive vice president of NCP Engineering. But there will need to be capacity available to support them when they are needed most. “The key to this is being prepared.”

However, critical factors in provisioning bandwidth might not be under an agency’s control. Turk said that in the USPTO’s experience during this year’s snowstorms, agency capacity was not a problem, though workers experienced delays.

“Latency was due to the volume of traffic going to the ISP,” he said. When COOP plans go into effect, there are likely to be not only more employees working remotely but also more students at home accessing online games, Facebook and YouTube.

Agencies must plan to have sufficient capacity to support COOP during emergencies and ensure that services are enabled so that workers who do not routinely work remotely will be able to telework when they need to.

“The last thing you want is to have to say, ‘We’ll have to set you up first,’ ” Hack said. “The key is management.”

Overcoming Resistance

Management resistance to telework could be challenged by new requirements in the Telework Enhancement Act of 2010, now awaiting final passage in Congress. Agencies already are increasingly accepting telework, Auten said. “Things are better than they were five years ago.” But “I don’t think anybody wants to be a pioneer.”

USPTO is one of the pioneers. The agency has been promoting telework for 10 years, and as of Sept. 30, 5,654 of its employees regularly worked outside the office. Speaking at a recent conference hosted by the Telework Exchange, Turk said 75 percent of the agency’s workforce is eligible to telework, and 80 percent of those eligible employees are doing it.

USPTO has had success partially because many agency workers have a defined process for their jobs — examining patent applications — that adapts well to telework and allows managers to assess results. Turk said USPTO carefully planned to expand its communications infrastructure to support remote workers. The agency budgets for an additional 500 teleworkers each year on its network. To ensure security, teleworkers use remote desktop connections and save their work in USPTO's data center rather than on their laptops.

“There should be nothing from work on the laptop they use,” Turk said. The laptops also are encrypted so that any information on them is inaccessible. “It’s a defense-in-depth process. Our risk from loss of a laptop is small.”

Boughn, also speaking at the telework conference, said security improved when CMS moved to support telework.

“Security was a big deal for us” because of the sensitive personal information that the agency maintains. “But it turned out that there was better security on the laptops than anything we could have gotten on the desktops.” 

The Dell laptops that CMS uses have webcams built for videoconferencing, in addition to VPN clients, hard-drive encryption and support for two-factor authentication, including the government’s Personal Identity Verification card.

The equipment cost about $3 million more than the estimate for doing a desktop PC refresh, Boughn said, and the CMS network was designed to support an additional 5,000 people who could access it from outside CMS offices. “We did do some upgrade in the networking infrastructure, but we didn’t have to do too much behind the firewall.”

Despite the extra expense, the total cost of supporting telework was a small percentage of the payroll budget and was offset by the projected increases in productivity, so she had no trouble building a business case for the program, Boughn said.

Not everything is perfect, of course. Not all employees will be happy that they must use a token as an additional method of authentication. “We’re going to make it a little harder to log in,” Boughn said. “But that’s a fact of life.”