December 9, 2022

News

News Network

COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls

4 min read
<div>What GAO Found Each of the 12 agencies GAO selected for review had information technology (IT) in place to support remote access for telework during the COVID-19 pandemic. Although the agencies initially experienced IT challenges in supporting remote access for maximum telework, they generally overcame them. For example, seven agencies were challenged in providing sufficient bandwidth to provide remote access for teleworkers, but they increased bandwidth as needed to ensure networks could handle additional remote connections. In addition, while the increased number of remote connections brings additional cybersecurity risks, all of the selected agencies reported that they continued activities intended to help ensure the security of their information and systems. While the selected agencies had documented elements of a telework security policy, such as permitted telework devices and forms of remote access, not all agencies had fully addressed other relevant federal guidance for securing their systems that support remote access for telework (see figure). Specifically, two agencies had not fully documented relevant IT security controls to protect those systems. In addition, assessments for systems that five agencies relied upon for remote access did not address all relevant controls to ensure the controls were operating effectively. Further, four selected agencies had not fully documented remedial actions to mitigate weaknesses they had previously identified. Extent to Which 12 Selected Agencies Followed Federal Information Security Guidance in Implementing Their IT Systems That Support Remote Access for Telework Although one of the selected agencies subsequently resolved its shortcomings, others had not. For the agencies that did not fully follow federal information security guidance, agency IT security officials stated that these conditions existed for various reasons, such as out-of-date documentation, among others. If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access could be exploited. Why GAO Did This Study In response to the onset of the COVID-19 pandemic, in March 2020 the Office of Management and Budget directed federal agencies to maximize their use of telework to enable the workforce to remain safe while ensuring that government operations continue. Telework is essential to continuity of operations but also brings added cybersecurity risks. The CARES Act contains a provision for GAO to monitor the federal response to the pandemic. GAO was also asked to examine federal agencies' preparedness to support expanded telework. GAO's objectives were to determine (1) selected agencies' initial experiences in providing the IT needed to support remote access for maximum telework and (2) the extent to which selected agencies followed federal information security guidance for their IT systems that provide remote access. GAO selected 12 agencies for review that varied in their percentages of reported employee telework use and sent a questionnaire to solicit these agencies' perspectives on the use of IT in transitioning to maximum telework. GAO also reviewed the selected agencies' information security documentation and interviewed relevant officials.</div>
United States Securities and Exchange Commission The Chair of SEC should ensure that the agency documents relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework. (Recommendation 1)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Social Security Administration The Commissioner of SSA should ensure that the agency documents relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework. (Recommendation 2)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation The Secretary of Transportation should ensure that the agency assesses all relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 3)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

United States Securities and Exchange Commission The Chair of SEC should ensure that the agency assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 4)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Social Security Administration The Commissioner of SSA should ensure that the agency assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 5)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Homeland Security The Secretary of Homeland Security should ensure that the agency consistently monitors progress toward the completion of remedial actions for the system that provides remote access for telework. (Recommendation 6)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation The Secretary of Transportation should ensure that the agency consistently monitors progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system that provides remote access for telework. (Recommendation 7)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Federal Bureau of Investigation The Director of the FBI should ensure that the bureau consistently monitors progress toward the completion of remedial actions for relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 8)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Office of Personnel Management The Director of OPM should ensure that the agency documents risks and monitors progress toward the completion of remedial actions by including estimated completion dates in plans of action and milestones and keeping them up to date with current information for the system that provides remote access for telework. (Recommendation 9)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

More from:

Hits: 0

Crime ACN News Network

Network News © 2005 Area.Control.Network™ All rights reserved.
All Rights Reserved © ACN 2020

ACN Privacy Policies
ACN TOS
Area Control Network (ACN)
Area Control Network
Area Control Network Center