GAO finds agencies mostly manage telecommuting network security with a few holes

During the pandemic, agencies were generally successful in securing networks for remote access, but a sample of a dozen organizations found some cyber vulnerabilities were being ignored.

A recent report from the Government Accountability Office indicated that the greatest need for improvement was to assess all relevant IT security controls and improvements, and fully document corrective actions where necessary. Agencies have better documented both their remote work security policies and relevant IT security controls and enhancements.

In the agencies’ documentation, GAO searched for system security plans, results of security control assessments, corrective action plans, and whether or not the agencies followed the National Institute of Standards and Technology’s cybersecurity guidelines, especially SP 800-53.

“If agencies do not sufficiently document relevant security controls, assess controls, and fully document corrective actions for identified weaknesses in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access can be exploited,” GAO wrote.

A month before the report’s release, Jennifer Franks, GAO’s director of information technology and cybersecurity, said the agency would expand its reviews to take into account recent efforts to address supply chain risks, citing the SolarWinds incident and the Microsoft Exchange vulnerabilities as examples.

The GAO studied actions taken by 12 agencies and ultimately recommended actions to six: the Securities and Exchange Commission, the Social Security Administration, the FBI, the Office of Personnel Management, and the Departments of Transportation and Homeland Security. The agencies studied for the report all support national essential functions that must continue in an emergency, have at least 1,000 employees, and have at least 20% of their workforce eligible to work from home.

To keep workers connected, all agencies used virtual private networks, while seven of them used direct application access. Five agencies used application portals, and only one offered remote desktop access to teleworkers. According to the report, half of them allowed employees to use personal devices, and all allowed employees to authenticate with secure tokens. Most agencies said they got around the challenge of these tokens’ short expiration times by creating more temporary credentials.

SEC, SSA and Transportation each received a combination of the following recommendations:

  • Document relevant IT security controls and enhancements in the system security plan that provides remote access for telecommuting;
  • Assess all IT security controls and enhancements relevant to the system that provides remote access for telecommuting;
  • Assess and sufficiently document the assessment of relevant IT security controls and enhancements for the system that provides remote access for teleworking; and
  • Continuously monitor progress toward completing corrective actions by including estimated completion dates in the plan of action and milestones for the system that provides remote access for telecommuting.

“For example, since May 2021, [SSA] had not documented approximately half of the plan’s relevant controls and improvements. SSA IT security officials told us that the agency was in the process of revamping the components that make up the system that provided remote access to agency employees and that due to the revamp, they ‘hadn’t updated the system security plan since 2016,’” the GAO wrote. “SSA asserted, however, that controls and improvements were in place.”

GAO warned the SSA and SEC that until these agencies systematically document network cybersecurity controls, managers will not have the information they need to make “credible, risk-based decisions about their information system.”

Other agencies studied but which did not elicit recommendations were the Department of Agriculture’s Food and Nutrition Service; the Bureau of Indian Affairs, National Park Service, Federal Highway Administration, IRS, Federal Law Enforcement Training Centers, and US Secret Service at DHS; and the Executive Office for Immigration Review at the Department of Justice.

GAO conducted the study between April 2020 and September 2021, under a provision of the CARES Act that requires the oversight agency to report on its ongoing monitoring and oversight efforts related to the COVID-19 pandemic.

Kevin M. Risinger