IG: DHS risks leaving remote workers stranded

The Department of Homeland Security is taking a closer look at how it handles telework support capabilities at its data centers after an audit by the inspector general.

The IG's office released a report in late March that said officials did not have an adequate plan for backing up the systems used to provide workplace as a service (WPaaS) in the event of a disaster, primarily because the department had not designated how the data centers being used for the service would support them in a crisis.

Without a contingency plan, DHS employees who rely on WPaaS would not be able to work until the data center supporting the service was restored, the report states.

DHS is using two contractors to implement WPaaS as part of its effort to move to cloud-based services. In 2011, DHS asked the contractors, which operate DHS' Data Center 1 (DC1) and Data Center 2 (DC2), to implement WPaaS. According to the IG, the contractors were instructed to provide complete physical environments that would offer the same functionality as DHS-issued laptops and desktops. In addition, the contractors were required to make workplace environments accessible from all DHS components and organizations, from anywhere within the DHS OneNet and from any location where employees conduct work.

However, the IG said the contractors did not provide alternate processing capabilities at their DHS data centers. Furthermore, neither contractor carved out space at its location for the other contractor because no DHS component agencies paid for contingency processing capabilities.

To complicate matters further, the IG said DHS had discontinued funding for DC2 because of delays stemming from technical issues that cropped up during WPaaS development at that data center. DHS postponed WPaaS implementation at DC2 in June 2013 because of the difficulties.

The auditors concluded that DHS' CIO must ensure that WPaaS has a disaster recovery capability, including an alternate processing site.

Jim Crumpacker, director of DHS' Departmental GAO-OIG Liaison Office, told the IG that officials had improved their contingency plans for WPaaS to address the concerns.

Crumpacker responded to a draft of the report in a Feb. 28 memo to Richard Harsche, acting assistant IG in the Office of Information Technology Audits at DHS. In the memo, Crumpacker said the CIO's office had designated DC2 as the alternate processing site for WPaaS and was revising the WPaaS contingency plan for DC1 to officially name DC2 as the alternate site for system recovery.