A sampling of Federal agencies’ efforts to provide remote access for telework during the COVID-19 pandemic shows that each of the agencies was able to put the right technologies in place to accomplish that goal, but that several had not fully addressed relevant guidance for securing remote access systems, the Government Accountability Office (GAO) found.
GAO said in a new report that it looked at 12 agencies to examine their preparedness to support expanded telework. Each had the IT in place to support telework during the pandemic, and generally overcame initial challenges to supporting remote work.
The agencies selected for review include:
- The Food and Nutrition Service at the Department of Agriculture;
- Bureau of Indian Affairs and National Park Service at the Department of the Interior;
- Federal Highway Administration at the Department of Transportation (DOT);
- Federal Law Enforcement Training Centers and the Secret Service at the Department of Homeland Security (DHS);
- Securities and Exchange Commission (SEC);
- Social Security Administration (SSA);
- Office of Personnel Management; and
- The Executive Office for Immigration Review and FBI at the Department of Justice.
GAO noted that the increased number of remote connections necessary for telework entails additional cybersecurity risks, and said that “all of the selected agencies reported that they continued activities intended to help ensure the security of their information and systems.”
Nonetheless, “while the selected agencies had documented elements of a telework security policy, such as permitted telework devices and forms of remote access, not all agencies had fully addressed other relevant Federal guidance for securing their systems that support remote access for telework,” wrote GAO.
“Specifically, two agencies had not fully documented relevant IT security controls to protect those systems,” the government watchdog agency said.
Additionally, assessments for five agencies’ systems that relied on remote access did not address all relevant controls to ensure the controls were operating effectively. Four of the selected agencies also had not fully documented remedial actions to mitigate weaknesses they had previously identified.
GAO made nine recommendations to six of the agencies that it reviewed, including:
- The SEC and SSA should each ensure that they document relevant IT security controls and enhancements in their security plans for the systems providing remote telework access, and that they assess and sufficiently document those controls and enhancements;
- DOT should ensure it assesses all relevant IT security controls and enhancements for the system that provides remote telework access, and ensure it consistently monitors progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system providing remote telework access;
- DHS should ensure it consistently monitors progress toward the completion of remedial actions for the system providing remote telework access;
- FBI should ensure it consistently monitors progress toward the completion of remedial actions for the relevant IT security controls and enhancements for the system providing remote telework access; and
- OPM should ensure it documents risks and monitors progress in completing remedial actions by including estimated completion dates in its plans of action and milestones and keeping them up to date with current information for the system that provides remote telework access.
The agencies have agreed with all the recommendations, GAO said.