In a report that could throw some cold water on bids to make extensive teleworking the new normal, the DoD inspector general’s office has raised a number of security concerns related to the IT being used as well as the practices of managers and individual employees.
“Maintaining a high level of cybersecurity while teleworking is critical because the inherent security measures present when at a DoD worksite may not be fully practiced while working remotely. As the DoD workforce continues to maximize the use of telework capabilities, personnel should be especially alert and attentive to cyber attacks, malware, phishing attempts, and network security protocols that may threaten government information stored on telework devices and transmitted across external networks,” it says.
“As the COVID 19 pandemic has brought a significant increase in teleworking, attacks from malicious cyber actors have also increased. In addition, the use of potentially vulnerable services, amplifies the threat to individuals and organizations in a maximized telework environment,” it adds.
Despite those risks, it says, DoD personnel were “allowed to telework without approved telework agreements or required telework training” that outline security requirements and responsibilities for protecting information. “Users with completed telework agreements and training are more likely to maintain the same discipline, awareness, and security standards that are required for on site work environments,” it says.
The publicly released version of the report contains numerous and sometimes lengthy redactions, many of them apparently referring to specific technologies. However, even without those details, the report cites other concerns including that vulnerabilities in virtual private networks “Were Not Mitigated in a Timely Manner”; The Navy Did Not Disable or Remove Inactive User Accounts in a timely way; and that the DoD did not impose sufficient controls to prevent the storage and transmission of “controlled but unclassified information” to non-government equipment.
The IG’s recommendations and DoD management’s replies also were heavily redacted but show that the IG is not fully satisfied with the responses.