U.S. Agencies Need Documentation, Continuous Improvement for Remote Work Cybersecurity

So you shifted to telework. But did you manage your expanded cyber risk profile?

According to a report from the U.S. Government Accountability Office (GAO), federal agencies have some work to do on that score.

After a review of 12 agencies, the GAO found that while all of them invested in the technology needed to support remote work, four had not fully documented their plans to mitigate weaknesses found in IT security controls, and others had not fully addressed guidance for securing remote access systems.

COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls https://t.co/3xCZg51GuP

— U.S. GAO (@USGAO) September 30, 2021

The report, COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls, found that federal agencies faced some initial telework challenges—including providing sufficient bandwidth—and eventually overcame them. However, not all agencies fully addressed relevant federal guidance for securing remote work systems. In particular, two agencies had not fully documented relevant IT security controls to protect remote access, and five agencies’ assessments of remote work systems did not access all relevant controls to ensure they were operating effectively.

According to the GAO, “If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access could be exploited.”

The GAO made nine recommendations to six agencies as a result of its findings, including that agencies should document relevant IT security controls and enhancements around telework and that they consistently monitor progress taken on remedial cyber risk management enhancements.