CHAPTER 5, PART 3
Telework & Remote Access Security
1 BACKGROUND
The existing
government-wide telework initiative, formerly called Flexiplace, has been in
place since 1990. Flexiplace was
established in response to workforce concerns first documented by the Hudson
Institute and later by the Department of Labor. The essence of these concerns was the turn-of-the-century drop in
the quality of the labor pool and the consequent fear that federal
recruitment/retention would not be able to compete with the private sector
salaries. The plan was that initiatives
such as Flexiplace would help boost the labor market value of a federal
government job.
Despite its
chronological age, federal telework is still a relatively new program because
of its slow evolution in the federal bureaucracy. For purposes of this policy, the terms “telework”,
“telecommuting” and Flexiplace are synonymous and interchangeable. Each is defined as a work arrangement in
which an employee regularly works at an alternate worksite such as the
employee’s home, a telecommuting center, or other alternate worksite. Public Law 106-346, Section 359, requires
that each executive agency implement a telework program and establish the goal
of 25 percent each year for eligible agency employees to be given the
opportunity to telework. 100 percent of
eligible employees are to be given the opportunity to telework by the end of
2005. Home-based telework, work at a
telecenter or alternate worksite presents unique managerial, organizational,
technological and cultural challenges for USDA.
Telecommuting
is gaining wide acceptance by all levels of management as a tool with many
benefits to the agency. The benefits
include: attracting new applicants and retaining current employees; reducing
worker’s compensation; reducing sick leave usage and an alternative to
relocating employees in crisis or emergency situations. Other benefits include contributing to the
community by reducing air pollution and traffic and providing a mechanism to
assist employees in balancing work and family life responsibilities. In spite of the many attractive benefits,
opening up an organization’s information systems to dial-in and other forms of
remote access present significant security risks. One risk is that intruders will be able to access government
systems without having to be on site (remote access). Another risk of telecommuting is that government information can
be read, and potentially modified, while in transit. Additional risks include the loss of information and resources
while they are outside the protective shell of the organization. In a telework environment, USDA needs to
implement security controls commensurate with the sensitivity of the
information and importance to the mission.
Goal One: Introduce no additional risk to the department. Goal Two: Identify remote users adequately;
implement the accesses needed to perform official duties and protect USDA IT
resources. Goal Three: Identify the
Cyber Security Rules of Behavior for managers and employees participating in
the Telework Program.
2 POLICY
All
USDA agencies and staff offices establishing telework arrangements will review
the security issues for each telecommute position in their organization. The Telework Security/IT Checklist Roles and
Functions, Table 1, will be used to identify individuals responsible for
completing the telework checklist. Each
agency will use the Telework Checklist, Table 2, to ensure that they have
addressed all relevant Security and Information Technology (IT) issues before
any arrangement is finalized. Waivers
will be obtained for telework arrangements that do not meet the requirements of
this policy. Each job deemed portable
will undergo scrutiny to determine the type of information used in the job in
terms of mission criticality and sensitivity.
Government owned equipment (GOE) will be issued to individuals who work
with Sensitive But Unclassified/ Sensitive Security Information (SBU/SSI). SBU/SSI will not be stored on Employee Owned
Equipment (EOE) or non-USDA computers used in Telecenters. SBU information may be accessed if required
and approved for official duties but will not be saved on these machines. The security requirements of this policy
apply to episodic telework arrangements as well.
Policy exception requests must be submitted if EOE will be used in telework arrangements. EOE must be maintained and properly secured by USDA personnel prior to commencement of the arrangement. A waiver will also be submitted if a USDA laptop with SBU is transported into the Telework Center for use during duty hours. Each agency and staff office will ensure that teleworkers have received Computer Security Awareness Training and understand their responsibilities for properly safeguarding GOE. All telework arrangements will be planned in Information Technology (IT) budgets and detailed in the General Support System (GSS) Security Plan used to support the arrangements. Each agency will establish procedures to ensure all US Government property and sensitive but unclassified information residing offsite is retrieved in the event of an employee transfer, resignation, retirement or death.
Agencies and staff offices will establish appropriate remote access arrangements to ensure that access is obtained through secure firewalls/gateways and robust authentication is used. Robust Authentication methods are required for all dial-up connections (dial-in, DSL, Cable Modem) to include PINs or Tokens. Approved authentication procedures for remote users must be established and the remote access service must be located at the outermost perimeter of the USDA De-Militarized Zone (DMZ). SBU/SSI will encrypted using department approved encryption protocols prior to transmission. Secure Socket Layer (SSL) and Virtual Private Network (VPN) tunneling are recommended. Dial-up connections and remote access will be centrally managed by each agency/ mission area to ensure integrity of network security. Individual modems connecting directly to internal networks, systems, or computers are not authorized.
Policy
Exception Requirements –
Agencies will submit all policy exception requests directly to the ACIO for
Cyber Security. Exceptions to policy
will be considered only in terms of implementation timeframes; exceptions will
not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim
in nature and will require that each agency report this Granted Policy
Exception (GPE) as a Plan of Action & Milestone (POA&M) in their
FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each
fiscal year. Compliance exceptions that
require longer durations will be renewed on an annual basis with an updated
timeline for completion. CS will
monitor all approved exceptions.
3
RESPONSIBILITIES
a The
Associate CIO for Cyber Security
will:
(1)
Assist
agencies and staff offices in the secure implementation of telework and remote
access arrangements;
(2)
Provide
Cyber Security policy and guidance to the Office of Human Capital Management
(OHCM) and other activities involved in telework programs; develop checklist
tools to assist agencies in security telework and remote access environments;
(3)
Review
agency and staff office policy exception requests concerning this policy in a
timely manner;
(4)
Review
telework and remote access provisioning in Security Plans for agency General
Support Systems and Security Budgets for sufficiency; and
(5)
Conduct
periodic reviews of agency telework and remote access arrangements to ensure
they comply with this policy.
b Agency Chief Information Officer will:
(1)
Implement this policy, including use of the checklists, into any agency
Telework or Remote Access arrangements;
(2)
Ensure that each position identified for telework is screened for
information sensitivity and mission criticality;
(3)
Plan telework program expenses and needed upgrades as part of the agency
IT Budget and System Life Cycle;
(4)
Ensure that GSS Security Plans are updated to include all agency Telework
and Remote Access arrangements, as appropriate;
(5)
Ensure that telework and remote access based Computer Security Awareness
Training is provided to employees and managers participating in this program;
(6)
Complete and retain a Telework/IT Security Checklist for all agency
telework and remote access arrangements;
(7)
Ensure that all existing telework and remote access arrangements are
reviewed again the Checklist and that security vulnerabilities identified are
corrected; and
(8)
Take action to request a formal waiver for arrangements that do not comply with this policy.
c Agency
Information System Security Program Managers (ISSPM) will:
(1)
Support this policy and assist agencies or staff offices in completing
the Telework/IT Security Checklist;
(2)
Review all existing telework and remote access arrangements periodically
and work with the managers to ensure that they are secure;
(3)
Assist in the set up of new arrangements to provide security guidance, as
required;
(4)
Update the GSS and Overall Agency Security Plans to accurately reflect
telework and remote access arrangements, as required; and
(5)
Assist in the preparation of agency waivers, as required.
-END-
Table 1: Telework Security/IT
Checklist Roles & Functions
|
|
|
GROUP
|
DESCRIPTION
|
ROLE & FUNCTIONS
|
Executives
|
Senior Mgmt, CIOs |
Provide
support and Buy-In Remove
Telework Barriers Approve IT
Funding |
Program/Functional Mgrs. |
Business Owners/Program Mgrs. |
Plan Telework/IT Budget Complete Checklist (Gen.) with supervisor |
Security & Investment Managers |
Info. Sys. Sec. Prog. Mgrs Investment Managers Budget Analysts |
Assist AIS personnel in completing Checklist;
train teleworkers & managers; update GSS & Overall Security Plans;
estimate security costs; ensure security controls are in place, review final
checklist for completeness Update I-TIPS Overall IT Program (Security Costs) Participate in cost development |
IRM, Automated Info. Sys. Mgrs. |
System Owners System Administrators/Devel. HELP Desk Technicians |
Provision hardware, software Configure system Develop security controls with ISSPM Complete Checklist (each arrangement) |
End User
|
Teleworkers |
Adhere to telework security requirements; protect
information and equipment |
Telework Managers |
Functional Supervisor |
Perform Job Suitability Review Determine Information Sensitivity Brief on Privacy Restrictions Complete Checklist (General) Arrange Security & IT Training |
Table 2 TELEWORK SECURITY/IT
CHECKLIST In a Telework Environment, USDA needs to implement Security Controls commensurate with the sensitivity of the information and importance to the mission. Goal One: Introduce no additional risk to the department. Goal Two: Identify remote users adequately; implement the accesses needed to perform official duties and protect USDA IT resources. Goal Three: Identify the Cyber Security Rules of Behavior for managers and employees participating in the Telework Program. |
Date: |
General
Support System Used: |
Agency
or Staff Office Name: |
Cyber
Security POC: |
Checklist
Questions |
YES |
NO |
PENDING
or NOT
APPLIC. |
WAIVER RECV’D |
COMMENTS |
GENERAL |
|
|
|
|
|
** (Job
Sensitivity, Privacy, Planning and Budget) |
|
|
|
|
|
·
Has the GOE and services for telework been included or planned in the
IT Budget? If not is surplus
equipment available? Does long range
planning include funding to phase out use of employee owned equipment
(mandatory requirement)? |
|
|
|
|
|
· Has the Security Plan for the General Support System (s) used to support this arrangement and Overall Agency Program Plan been updated to reflect the following? Physical Security, Encryption requirements, Office Automation Support (setup, maintenance, monitoring) requirements, Software requirements, Identification of Operating System, Connection Type (Dial, DSL, Cable Modem), Protection of Official Files, Identification of system’s accessing the USDA Networks |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
·
Will the teleworker access E-mail?
If so, all E-mail access needs to be encrypted.
|
|
|
|
|
|
· Have all proper software licenses been purchased for the workstation? a. Does the agency have Software Management and Software Use policies? b. Does the agency have a Software Acquisition policy? c. Does the agency have a Software Manager? |
|
|
|
|
|
·
Does the employee understand that
access to USDA’s networks can be blocked if there is any indication of
intentional or unintentional security breaches that affect the overall
security posture of the department? SEE NIST
800-46, APPENDIX A |
|
|
|
|
|
Government
Owned Equipment Arrangements |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
See NIST 800-46, Appendix A |
|
|
|
|
|
Employee
Owned Equipment Arrangements |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Has a spyware removal tool been installed? Has the
teleworker certified in writing that no Peer-to-Peer software is installed on
their personal computer? Will the
system be made available for periodic scanning as required by DM 3500-2,
Vulnerability Scan Procedures? |
|
|
|
|
|
See NIST
800-46, Appendix A |
|
|
|
|
|
Telework
Center Arrangements |
|
|
|
|
|
In a Telework Center, follow the instructions for set up of GOE in terms of Security considerations, with the following additional questions. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CYBER SECURITY REFERENCES DM3525-002, Chapter 5, Part 2, Internet Use and Copyright Restrictions DM 3530-004, Chapter 6, Part 4, Firewall Technical Security Standards DM 3530-005, Chapter 6, Part 5, Security Encryption Standards DM 3545-001, Chapter 9, Part 1, Computer Security Awareness and Training DM 3550-002, Chapter 10, Part 2, Sensitive But Unclassified (SBU) Information Protection DM3565-001, Chapter 14, Part 1, Annual Security Plans for Information Technology (IT) Systems NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications, August 2002 |