GAO plans review of telework tech

The Government Accountability Office plans to examine agency lessons learned from ramping up telework as part of pandemic response.

Nick Marinos, GAO's director of Information Technology and Cybersecurity, said on a May 27 virtual conference that the oversight body plans on reviewing how agencies implement such solutions in the coming months, to find how effective they are.

"It will be a bit of time before the review," said Marino during the NextGov event. "We're starting up that work in the next couple of weeks. It depends on agencies and how deep we go. Audits typically go nine to18 months. We do pulse checks, but it's a little too early to tell," Marinos said.

Agencies have been ramping up use of teleconferencing tools, such as Zoom, Teams and other programs. They're also using cloud solutions, virtual private networks and extending applications to employees to use on their own devices.

Armando Quintananieves, director, Security Operations Division, Office of the CIO at the General Services Administration. GSA's Federal Risk and Authorization Management Program, or FedRAMP, said that vetted solutions are the best.

"There are a lot of tools out there. It depends on the business need. No tool fits every situation. That's where FedRAMP comes into play," which signs off on security specs for government versions of popular business applications.

"Sometimes people cut corners," Marinos said about securing remote access and applications in favor of solving the immediate problem of getting their employees online. Simply getting bandwidth to people who haven't previously worked from home can be a basic issue, said Marino.

Quintananieves and Marino advised IT managers to ask their agency security officials before implementing unfamiliar technology, or opening up new capabilities such as allowing personal devices onto an agency network. Some agencies allow limited use of personal devices, provided they're only connected to the vpn and not to core network resources.

Marino and Quintananieves also warned that phishing, long a pernicious, everlasting security risk, has only been inflamed by pandemic. It's important to sharpen employee skepticism of unfamiliar emails.

It's also important to check the 'health' of end devices connected to the VPN,” said Quintananieves. He recommended insuring those devices have all their security agents, limiting access to the VPN and implementing two-factor authentication for access.

"Pause before making a technology choice," Marino advised remote workers and IT managers. "This is a primetime for bad actors to exploit. Always ask your security people before you take an action. If an individual user isn't sure how to approach telework, they should reach out to their internal security department," he said.