This report presents the results of our subject evaluation. Telework, also referred to as telecommuting or flexiplace, has gained widespread attention over the past decade in both the public and private sectors as a human capital flexibility that offers a variety of potential benefits to employers, employees, and society. The term telework refers to work that is performed at an employee’s home or at a work location other than a traditional office. Congress and the executive branch have shown interest in telework, primarily based upon the belief that its use will benefit the federal government. Benefits of telework include reducing traffic congestion and pollution, improving recruitment and retention of employees, increasing productivity, and reducing the need for office space. Employees also can realize benefits from teleworking, including reduced commuting time; lowered costs in areas such as transportation, parking, food, and wardrobe; removal of barriers for those with disabilities who want to be part of the workforce; and improvement in the quality of work life and morale accruing from the opportunity to better balance work and family demands.

EVALUATION OBJECTIVE AND APPROACH

Our objective was to assess the extent to which the Corporation has established and implemented a telework program that is consistent with applicable federal standards and guidelines and recognized best practices.

To accomplish our objective, we:

• Evaluated relevant FDIC policy and program elements against applicable government-wide guidance and recognized best practices,
• Interviewed program officials about the status of the telework program,
• Verified that the FDIC complied with the Office of Personnel Management (OPM) telework reporting requirements,
• Performed analysis of telework participation information to identify trends and usage among divisions and offices,
• Evaluated the efficiency of the FDIC’s administration of the telework program, and
• Assessed the FDIC’s guidance and efforts to ensure adequate security over information used by employees when teleworking.

We also engaged the accounting firm of KPMG, LLP (KPMG) to assess the FDIC’s guidance and efforts to ensure adequate security over information that is processed, stored, and transmitted while teleworking. KPMG’s engagement primarily involved:

• Evaluating the FDIC’s four methods of remote access,
• Interviewing program officials about the status of initiatives intended to automate encryption of sensitive information stored on mobile computers and devices,
• Verifying that the time-out function for remote access methods functioned properly, and
• Assessing the FDIC’s progress in logging data extractions and erasing them when no longer needed.

Appendix I describes in detail the objective, scope, and methodology of this evaluation.

BACKGROUND

Through a number of legislative actions, Congress has indicated its desire that federal agencies: create telework programs that establish program leadership; think broadly in setting eligibility requirements; allow employees, if eligible,¹ to participate in telework; and track and report telework program results. The most significant congressional action related to telework was the October 2000 enactment of Section 359 of Public Law No.106-346, which mandates that each executive branch agency establish a policy under which eligible employees may participate in telework to the maximum extent possible without diminishing employee performance. The legislation also requires agencies to designate telework coordinators who are responsible for overseeing the implementation of telework programs and serving as points of contact.

The legislative framework also assigns responsibility for leading the government-wide telework initiative to the OPM and the General Services Administration (GSA). Jointly, OPM and GSA manage a federal Web site² for telework, which is designed to provide access for employees, managers, and telework coordinators to a range of information related to telework, including announcements, guides, laws, and available training. OPM has primarily provided expertise in human resources issues and, in that regard, published A Guide to Telework in the Federal Government, dated August 2006, to guide implementation of the program. OPM has also determined that telework is an essential element in continuity of operations and pandemic³ preparedness and incorporated Federal Emergency Management Agency (FEMA) guidance into its guide. GSA has generally addressed technical, equipment, and telework center issues and issued Federal Management Regulations (FMR) Bulletin 2007-B1 entitled, Information Technology and Telecommunication Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs, dated March 2007.

With regard to technical issues, the Office of Management and Budget (OMB) issued Memorandum M-06-16, dated June 23, 2006, to the heads of federal departments and agencies entitled, Protection of Sensitive Agency Information. OMB issued the memorandum in response to several data security breaches. The memorandum recommends that the departments and agencies implement a series of controls for safeguarding the remote access, transport, and storage of sensitive information. Effective implementation of these controls becomes particularly important to ensuring adequate information security as the Congress encourages greater participation in telework programs.

Consistent with its legislative mandate to track and report on the status of telework programs, the OPM requests telework data from all federal agencies by way of an Annual Telework Survey. Jointly, OPM and GSA use the information to provide a yearly snapshot of the federal government telework initiative that is published in an annual report to the Congress entitled, The Status of Telework in the Federal Government (Annual Telework Status Report).

In its A Guide to Telework in the Federal Government, OPM defined telework as any arrangement in which an employee regularly performs officially assigned duties at home or at another work site geographically convenient to the residence of the employee. In 2005, OPM and GSA established a more restrictive definition of telework that defined qualifying frequencies of at least 3 days a week, 1-2 days a week, or at least once per month. Previously, even if an employee teleworked less than once a month, the employee was included in the number of teleworkers reported to Congress. The 2005 Annual Telework Status Report indicated that 1.3 million of the 1.8 million federal employees in 78 Federal agencies were eligible to telework. Of the 1.3 million eligible employees, 119,248 or 9.51 percent, employees actually teleworked.

In May 2001, the FDIC introduced a Telework Pilot Program to give employees greater work/life flexibility while continuing to meet the Corporation's mission. In May 2003, the Corporation established a permanent program that allows for participation based on the specific nature and content of the work to be performed rather than on position, grade, or work schedule.

FDIC Circular 2121.1, dated May 16, 2003, entitled, FDIC Telework Program, provides the policy, program guidelines, general provisions, and responsibilities associated with the telework program. The FDIC’s WorkLife Program Manager, who is part of the Division of Administration’s (DOA) Human Resources Branch, is designated as the Telework Coordinator and is responsible for providing management advisory services related to the telework program.

EVALUATION RESULTS

The FDIC has established a telework program that offers a means of supporting the Corporation’s goal of enhanced employee flexibility and improved work/life balance, provided that the efficiency of the FDIC and its mission are not adversely impacted. The FDIC’s program is generally consistent with OPM’s A Guide to Telework in the Federal Government as it relates to:

• Appointing a telework coordinator;
• Establishing telework policy, including determining eligibility, delineating responsibilities of managers and employees, creating and managing signed telework agreements, documenting denials, and applying uniform performance practices;
• Establishing policies on information systems and technology security;
• Establishing guidelines for equipment and support to be provided to teleworkers; and
• Providing, to a limited extent, telework training.

Further, in 2003, the FDIC established the Examiner's Option program wherein eligible examiners are permitted to work out of their homes or at approved alternative work sites when not working at an insured depository institution or at another required site. Under this program, the FDIC provides the employee with a one-time maximum reimbursement of up to $500 for costs associated with equipment not otherwise provided by the Corporation, and an annual reimbursement of up to $480 for costs associated with multiple telephone lines and/or high speed data transmission access.

In the 2006 Federal Human Capital Survey, conducted by OPM, FDIC employees reported an overall satisfaction rate with the Corporation’s telework program of 56.6 percent compared to 21.8 percent government-wide.

Finally, in 2006, the FDIC received an award from the Telework Exchange, a public-private partnership focused on eliminating telework gridlock, for the Corporation’s innovative use of technology to support employees who teleworked. The award was based primarily on the fact that the FDIC provides a variety of remote access services to support its telecommuting and mobile users and an access control method that enables virtually every eligible FDIC employee with access to a computer to participate in the FDIC’s telework program.

EMPLOYEE PARTICIPATION IN THE FDIC’S TELEWORK PROGRAM

In 2004, the FDIC reported that 43.1 percent of its employees had teleworked. However, in 2005, following the establishment of a more restrictive definition of telework, OPM calculated the FDIC’s participation at 4.56 percent in its Annual Telework Status Report.⁴ For 2006, based on the statistics submitted to the OPM, we calculated an increase in participation to 5.16 percent. According to OPM’s 2007 Annual Telework Status Report, the FDIC’s participation level ranks relatively low among other federal agencies. Specifically, we compared the FDIC’s standing with 77 other federal agencies that reported telework participation to OPM in 2005. Our analysis showed that the FDIC’s participation level of 4.56 percent was among the bottom 25 percent of those agencies.

We also analyzed the impact that the more restrictive definition had on other agencies. We determined that 46 of the 67 agencies that reported telework statistics in both 2004 and 2005 had decreases in telework participation while the remaining 21 had increased participation. For agencies with employee populations under 20,000, the change in reported participation ranged from an increase of 3.42 percent at the Department of Housing and Urban Development to a decrease of 54.4 percent at OPM.

FDIC Employees Participating in Telework

We conducted analyses to gain additional insights into the extent of employee participation in the FDIC’s telework program. For example, using the statistics that the FDIC provided to OPM, we determined that 47 percent of all FDIC employees participated in telework to some degree in 2006 and that the extent of participation varied by grade-level categories. (See Table 1 below.)

We also determined that, based on the source data provided to OPM, 440 of 1,747, or 25 percent, of all eligible headquarters employees participated in the telework program in 2006. Figure 1 below provides a breakdown of the participation by headquarters activity.

DOA noted that beyond the OPM participation level criteria, DOA also has its own views about the success of its telework program, such as employees being able to practice partial day telework to attend medical appointments or other non-work events in order to achieve a better work life balance. While such telework events may not meet the OPM criteria, DOA believes they are important in gauging the success of the Corporation's telework program.

Several issues bring into question the reliability of the telework statistics that were reported to OPM, and the FDIC’s participation levels and ranking must be viewed in the context of these issues.

• When OPM redefined telework in 2005, OPM was not clear regarding what constituted a “day” of teleworking. According to OPM, neither OPM nor anyone else has defined what constitutes a “day” of telework and OPM has received questions on the definition from various agency representatives. As a result, agency reporting of telework participation is likely to be inconsistent.
• When the FDIC provided telework statistics to OPM in 2005 and 2006 regarding the number of employees who teleworked on a regular, recurring basis, the Corporation only included examiners who were participating in the previously discussed Examiner Option program as teleworkers. The Corporation did so because it determined that these examiners best fit OPM’s new telework definition and because CHRIS T&A was not configured to capture the type of telework data that OPM requires. DOA representatives stated that as a result, FDIC under-represented telework participation levels to OPM.
• The FDIC relies on the CHRIS T&A system to determine telework participation. Employees must select one of the 12 “telework” transaction codes when coding their time and attendance in order to be counted as teleworking. The FDIC lacks assurance that employees are coding their time and attendance in such a manner; thus, the Corporation may be underreporting the number of employees actually teleworking.

At first glance, the FDIC’s reported levels of participation should be of concern to management as the Corporation should be following the lead of the Congress and Executive Branch in promoting and increasing telework in the federal government. Further, the FDIC may be missing opportunities to improve the quality of work life and morale of its employees. However, it is unclear whether the Corporation has sufficiently reliable data to draw valid conclusions regarding the extent to which employees are participating in its telework program. Statistics submitted are being included in a statutorily-required report to the Congress and do get attention from its members, other federal agencies, and the public.

We recommend that the Director, Division of Administration:

1. Take steps to improve the quality and reliability of data collected for the purposes of determining the extent of telework participation by FDIC employees.

EVALUATION OF THE TELEWORK PROGRAM

The FDIC could do more to evaluate the success and status of its telework program to ensure the program is meeting management’s expectations. In this regard, neither the WorkLife Program Manager nor any of the nine divisions and offices we included in our review has conducted an evaluation of the telework program.⁵ Instead, the FDIC has principally relied on time charges in the FDIC’s time and attendance system as a gauge of the telework program’s success. Prior to OPM’s 2005 revised definition of telework, the FDIC’s statistics showed the number of employees teleworking was approaching 50 percent. This figure was based on any time charged as telework by an employee in the CHRIS T&A system regardless of the number of hours worked. With such a high percentage of participation, management apparently determined there was not a need to perform a program evaluation.

Circular 2121.1, Section 10, Evaluation, states that to adequately assess the impact and success of the telework program, both employees and managers or supervisors are expected to participate in the evaluation. The evaluation may include the collection of both quantitative and qualitative data (including participation rates, office space needs, and other issues impacted by program use) requiring the completion of surveys or responses to interview questions. The Circular does not clearly address who should lead or conduct the evaluations or the required frequency.

DOA officials advised us that they were not aware of an overall evaluation of the program since it became permanent in 2003. Further, none of the nine divisions and offices we included in our review has conducted evaluations of their administration of the telework program. Division of Insurance and Research officials told us although they have not performed a formal evaluation, their senior management periodically discusses the division's stance on telework, how it is administered, and the fairness of its application. Division of Finance (DOF) management indicated they are working with representatives from DOA to gather statistics on DOF’s participation in the telework program and to conduct a survey of their employees.

Finally, the FDIC has not established measurable telework program goals. Such goals can be used in conducting program evaluations for telework in such areas as productivity, operating costs, employee morale, recruitment, and retention.

Without a comprehensive program evaluation and measurable goals, it is difficult to assess whether the Corporation’s telework participation meets management’s expectations and is reasonable considering the various factors that can impact the extent of telework at the FDIC. In conducting such an evaluation, the FDIC should address the following areas.

Leadership Attention

On June 12, 2007, the Government Accountability Office testified before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate, (GAO-07-1002T), that the Telework Enhancement Act of 2007, S.1000, recognizes the importance of leadership in promoting an agency’s telework program by requiring the appointment of a senior-level management official to perform several functions to promote and enhance telework opportunities. There is no consensus at this time regarding the specific duties of such an individual in relation to the duties of the agency officials currently designated as telework coordinators.

At the FDIC, oversight of the telework program has been made a part of the duties assigned to the WorkLife Program Manager. The WorkLife Program Manager also has responsibility for providing management advisory services relating to alternative work schedules, leave, dependent care, employee assistance, and other programs. In addition, the WorkLife Program Manager could be assigned to assist in issues related to classification and compensation, staffing and placement, and human resources development. The FDIC’s approach to leadership of the program —a mid-level manager devoted part-time—may fall short of what is being contemplated in the pending legislation discussed previously and may need to be revisited.

Publicity and Training

We met with the WorkLife Program Manager to gain an understanding of recent efforts to promote and provide training on the telework program. The following examples were provided:

• DOA presented a program on telework in October 2006,
• New employee and Corporate Employee Program orientations address telework,
• Presentations are made at DSC regional conferences and other division conferences, and
• Presentations at certain WorkLife Program seminars include telework information when appropriate.

OPM guidance, as well as telework literature and guidelines, states that informing employees and managers of the program and publicizing it are key telework practices for implementation of successful federal telework programs. Training and information on the following aspects of telework may be beneficial to FDIC employees:

• Types of assignments and circumstances that are suitable for teleworking,
• Coding of time and attendance data,
• The types of information that would be appropriate for teleworkers to be handling and how sensitive information should be protected when teleworking,
• Home safety and technology considerations, and
• The role that telework plays in continuity of operations (as discussed later in this report).

There is continuing Congressional interest to expand teleworking in the federal government, and the FDIC’s policy encourages use of the telework program for those projects/duties that are well suited for completion at an alternative work site. Therefore, the FDIC should assess whether its program and participation level meet corporate expectations and are reasonable considering the various factors that can impact the extent of telework at the FDIC.

We recommend that the Director, Division of Administration:

2. Conduct an evaluation consistent with Circular 2121.1 to determine whether the FDIC’s telework program is meeting management’s expectations and desired outcomes. The evaluation could address, among other things:
   • Whether goals and objectives exist against which the success and impact of the program can be measured,
   • Fairness and consistency across the Corporation in how managers are administering the program,
   • Sufficiency of leadership and management attention, and
   • Extent of promotion, publicity, and training.

INCORPORATING TELEWORK INTO BUSINESS CONTINUITY AND PANDEMIC PREPAREDNESS

Telework is a key component of being prepared for and continuing operations during emergency situations. The FDIC could more fully and expressly incorporate telework into its business continuity planning and pandemic preparedness efforts. Doing so would provide the FDIC with greater assurance that its employees and infrastructure can maintain uninterrupted operations or be fully functional within the time frames prescribed by FEMA in the event of an emergency or pandemic event.

The FEMA’s Federal Preparedness Circular (FPC) 65, Section 9. Planning Requirements for Viable Coop Capability, revised as of June 15, 2004, is applicable to all Federal Executive Branch departments, agencies, and independent organizations. FPC 65 defines Continuity of Operations (COOP) planning as an effort to ensure that the capability exists to continue essential agency functions across a wide range of hazard emergencies. COOP capability is intended to be short-term; it must be functional within 12 hours and may last up to 30 days.

Section 9 further states that the COOP must include regularly scheduled testing, training, and exercising of agency personnel, equipment, systems, processes, and procedures used to support the agency during a COOP event. Section 10, Elements of a Viable Coop Plan, states that tests and exercises serve to assess, validate, or identify for a subsequent corrective action program, specific aspects of COOP plans, policies, procedures, systems, and facilities used in response to an emergency situation. Training familiarizes COOP personnel with the procedures and tasks they must perform in executing COOP plans.

The OPM incorporates portions of FPC 65 guidance into its A Guide to Telework in the Federal Government, which states that telework should be part of all agency emergency planning and that management must be committed to implementing remote work arrangements as broadly as possible to take full advantage of the potential of telework to ensure that:

• Equipment, technology, and technical support have been tested.
• Employees are comfortable with technology and communications methods.
• Managers are comfortable managing a distributed workgroup.
• Expectations are communicated both to the Emergency Response Team (ERT) and non-ERT employees regarding what steps they need to take in case of an emergency.
• Business Continuity Plan (BCP) expectations are integrated into telework agreements as appropriate.
• Essential personnel who might telework in case of an emergency are allowed to telework regularly to ensure functionality.

The section of the OPM Guide entitled, Practice, Practice, Practice, states that the success of an organization’s telework program depends on regular, routine use. Experience is the only way to enable managers, employees, IT support, and other stakeholders to work through any technology, equipment, communications, workflow, and associated issues that may inhibit the transparency of remote work. The OPM Guide concludes that individuals expected to telework in an emergency situation should, with some frequency, telework under non-emergency circumstances.

The FDIC stated in its report to OPM in the 2006 Call for Telework Data that telework has been fully integrated into its emergency preparedness/COOP plans. However, neither the Washington, D.C., area’s 2006 BCP, dated January 2007, nor the divisional BCPs contain references to telework, although some divisions require their staff to remain at home during emergency situations. We discussed the need to incorporate telework in the BCPs with the FDIC’s Assistant Director, Security Management Section. The Assistant Director agreed that telework is not specifically mentioned in the BCPs but stated that Corporation employees understand that telework will be the means they use to continue or resume operations.

With regard to pandemic preparedness, the Assistant Director confirmed that telework is the cornerstone of the FDIC’s pandemic plan but added that there are many telework-related issues that must be addressed before the Pandemic Influenza Preparedness Plan (PIPP) is completed and implemented. We discuss the FDIC’s progress in completing a pandemic preparedness plan later in this report under the section entitled, “Other Matters.”

Finally, we noted that Form 2121/05, Employee/Supervisor Telework Agreement, does not specifically address the Corporation’s expectation that telework will be a key component of employees continuing or resuming operations.

As discussed earlier in our report, the FDIC’s telework training has concentrated on the benefits derived from teleworking and has not addressed telework in the context of continuity of business operations. None of the training provides hands-on experience that ensures an employee is capable of teleworking from a remote site. Further, the FDIC’s Corporate University (CU) does not offer technical telework training specifically designed for FDIC employees. DOA should coordinate with CU to ensure that telework training addresses the role that telework plays in maintaining continuity of operations as discussed in recommendation 2.

In 2005, the FDIC reported to the OPM that 3,784 of its 4,515 employees that were eligible to telework were equipped, trained, and ready to telework in the case of a long-term crisis.⁶ In 2006, the FDIC reported that 4,570 employees were eligible and 4,435 were prepared to telework. These statistics represented all employees that had received a SafeWord® authenticator token. While the number of tokens issued was a valid indicator of the FDIC’s progress toward preparing its employees to telework, it was not necessarily representative of the actual number of employees who successfully participated in the telework program.

On our behalf, DOA researched this issue and found that from July 1 through August 31, 2007, 3,414 unique user accounts, or 77 percent of all user accounts, were used to access the FDIC network through one or more of the remote access systems. By refining the list, the Division of Information Technology (DIT) determined that there were 822 headquarters accounts and 2,592 regional/field office accounts on the list of remote access users for this period. The high number of field accounts (86 percent of all field accounts) was expected because examiners generally use remote access methods to obtain access to the FDIC’s network. With regard to the headquarters accounts, 822 accounts represent 53 percent of headquarters accounts.

The FDIC’s employees have not been required to practice telework under simulated emergency conditions. The Assistant Director, Security Management Section, confirmed that the FDIC has not conducted practice tests of the emergency operations. In October 2006, the FDIC sponsored a Corporate Telework Week. Employees were encouraged to telework, at a minimum, one day during that week. The number of teleworkers was measured through the FDIC Time and Attendance system. During this event 870 FDIC employees teleworked, making this period of participation the highest for all of 2006.

According to KPMG, DIT has asserted that the FDIC has a fully redundant remote access solution that is able to support all FDIC employees. Specifically, DIT has deployed a Remote Computing Network (RCN) solution for its primary back-up site – the Richmond Data Center – with a software configuration that is nearly identical to the one used on a regular basis at Virginia Square. DIT also asserted that the Richmond Data Center RCN solution is capable of supporting 5,000 users. However, this assertion is based upon the technical designs of the RCN solution created during the 2003 or 2004 time frame. KPMG indicated that actual testing of 5,000 concurrent sessions should be conducted to ensure that the original RCN architecture remains capable of supporting such a large number of concurrent users with the addition of new applications and newer versions of Microsoft Office.

DIT acknowledged that the capacity of its remote access network had not been stress tested with remote workers but stated that in the event of a major business interruption that impacted multiple federal agencies, the true "Achilles heel" of agency business continuity planning would be the ability of the local telecommunications infrastructure to handle increased activity from thousands of remote workers. While this may be true, we believe there is merit in stress testing the FDIC's remote access network and verifying FDIC employees' technical ability to connect to the FDIC network remotely. Such a test could be as simple as requiring all, or a large number of, FDIC headquarters employees to work from home on a particular day and attempt to remotely log on to FDIC's network at a particular time.

The FDIC recognizes that telework is a key component to resuming or continuing operations in the event of an emergency or pandemic event and has taken some steps to ensure that its employees are sufficiently prepared and its technology solution is adequately designed to that end. However, consistent with OPM and FEMA guidance, the Corporation would benefit from taking further action to communicate and integrate telework into its business continuity and pandemic preparedness planning, ensure managers and employees are comfortable with telework arrangements, and validate that its technology solution works under simulated emergency circumstances.

We recommend the Director, Division of Administration:

3. Revise the FDIC BCPs and pandemic preparedness plans to more specifically describe the role telework plays in those plans.
4. Identify personnel who would be expected to telework during an emergency and include corporate expectations into their telework agreements.
5. Implement periodic testing of equipment, technology, and technical support associated with large numbers of employees concurrently teleworking in an emergency situation and require individuals expected to telework in an emergency situation to periodically telework under non-emergency circumstances.

SECURITY CONTROL REQUIREMENTS FOR TELEWORK

KPMG evaluated the security controls for telework and found that the FDIC has implemented a number of controls and has an on-going effort to fully address all of the security requirements of OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006 (M-06-16). The FDIC has met the two-factor authentication requirement for user identification, and remote network sessions are encrypted. Also, the FDIC specifically addresses the telework program and provides guidance on protecting sensitive information when teleworking in its Annual Security Awareness Training that is required for all employees and contractors and has issued extensive guidance related to information security. However, work remains for the FDIC to complete its planned deployment of an enterprise-wide automated encryption solution for laptops, removable Universal Serial Bus (USB) devices, and Personal Digital Assistantws (PDA) to provide increased assurance that sensitive data stored on such equipment and devices will be appropriately protected. Further, the FDIC could take additional steps to protect data from unauthorized access during telework sessions on non-FDIC computers.

The FDIC provides four methods for remote users (e.g., teleworkers) to access the FDIC network. These services include Ascend Dial-In, RCN, FastAccess, and WebVPN.

Ascend dial-in is available for use with FDIC laptops. The service provides dial-in access to the FDIC network using standard analog telephone lines to connect via a local access or national 800 number.

RCN is a secure, Web-based remote access system available for use with home computers or FDIC laptops. Remote users access an FDIC secure gateway over the Internet, log in, and establish a remote session with an RCN server running a limited set of office applications.

FastAcess is a Web-based remote access service intended to provide mobile users basic access to FDIC computing resources without having to install certificates or specialized software.

Web/VPN is a secure remote access system intended to provide full network access to employees using FDIC laptops. A VPN is a network that can provide remote offices or individual users with secure access to an organization's network via the Internet.

OMB Memorandum M-06-16 recommends the following security controls for safeguarding information removed from, or accessed from outside of agency locations: (1) encrypt all sensitive data on mobile computers and devices; (2) allow remote access only with two-factor authentication; (3) use a ‘‘time-out’’ function requiring user re-authentication after 30 minutes of inactivity for remote access and mobile devices; and (4) log all computer-readable data extracts from databases holding sensitive information and verify that each such extract has been erased within ninety 90 days or that its use is still required.

OMB M-06-16 recommends encryption of all data on mobile computers and devices that carry sensitive agency data. FDIC Circular 1360.9, Protecting Sensitive Information, dated April 30, 2007, requires that sensitive information stored on end-user IT equipment (e.g., laptop and desktop computers) as well as on removable media (e.g., diskettes, CD/DVD, USB flash drives, external removable hard drives) are to be encrypted. In addition, sensitive information should only be stored on corporate IT equipment. The current data encryption methods (Entrust, PKZIP, and Microsoft EFS⁷) are manual.

When employees telework and perform tasks using applications and data on the FDIC’s laptops and network, the information is adequately protected regardless of which of the four available access methods they use—as long as the information remains within the network and is not downloaded to a home computer or storage device. In addition, the FDIC is working on an automated solution to ensure that sensitive information stored on mobile computers and devices is encrypted. In that regard, DIT initiated the Enterprise Encryption Project (EEP) in August2006 with separate phases for encryption of laptops, removable media, and PDA devices. In our October 11, 2007 draft report, we reported that:

• The FDIC had selected Pointsec as the tool to encrypt data on laptops and as of September 20, 2007, DIT had installed encryption software on 2,500 of the approximately 3,800 agency laptops as part of Phase I of the EEP. The remaining laptops were scheduled to be encrypted as part of the Corporate Laptop Replacement Project by October 19, 2007.
• The FDIC was in the inception stage of Phase II of the EEP, the objective of which was to identify a software tool to encrypt removable storage devices that connect to a computer (such as USB drives). Phase II was scheduled to be implemented on January 25, 2008.
• Phase III of the EEP was scheduled to begin in January 2008 and entailed identifying an encryption solution for PDA devices. At the time of our draft report issuance, the completion date for Phase III had not been determined.

We concluded that manual data encryption methods could not ensure that all sensitive data stored on FDIC-provided mobile computers, storage devices, and PDAs was encrypted because these methods are prone to human errors and omissions. We reported that until the EEP is completed, sensitive data stored on FDIC IT equipment would be more vulnerable to unauthorized access if the media was lost or stolen.

DIT provided updated milestone information for the EEP project in November 2007. The FDIC completed Phase I encryption of all corporate laptops in November 2007. Regarding Phase II, encryption of removable media, DIT provided a project plan with detailed milestones which estimated completion of the encryption for USB drives in January 2008 and CDs by March 2008. Regarding Phase III encryption of PDA devices, DIT implemented a pilot in late November and anticipated full implementation of PDA encryption by the end of December 2007.

OMB M-06-16 recommends that agencies allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.

KPMG tested all four of the FDIC’s remote access methods, Ascend Dial-in, RCN, FastAccess®, and WebVPN, and found that the four access methods meet the two-factor authentication requirement set forth in M-06-16. Remote access users are required to enter their network user identification and accompany it with their network password, a one-time key generated by a Safeword® authenticator token, and a 4-digit user-selected PIN before being granted access to the FDIC network.

NIST Special Publication 800-53, Rev. 1, Recommended Security Controls for Federal Information Systems (NIST 800-53), requires that the information system automatically terminates a remote session after a maximum of 30 minutes of inactivity for remote access and portable solutions.

KPMG tested the time-out function for all four of the FDIC’s remote access methods. The testing showed that the FDIC has instituted several functional time-out configurations for its four remote access methods that will automatically time out or disconnect the user after 30 minutes of inactivity. However, as shown in Table 2, several situations exist where remote connections are not successfully timed out after 30 minutes of inactivity as required by M-06-16.

The FDIC is experiencing technical difficulties in implementing the 30 minute time-out configurations for Ascend Dial-in, FastAccess®, and WebVPN. Specifically, the network is not able to discern between actual user activity and background software services running on the computer such as antivirus and personal firewall computer processes.

Abandoned remote access connection sessions that do not properly time out after a period of user inactivity may be accessed by unauthorized users to gain access to sensitive agency data. As a compensating control, DIT has implemented a 15-minute password-protected screensaver on all FDIC computers. Testing revealed that FastAccess® failed to time out after 30 minutes of inactivity on a non-FDIC computer with an open session of Microsoft Outlook for e-mail service.

OMB Memorandum M-06-16 recommends that agencies “log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.” In addition, NIST 800-53 requires that organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations [or] organizational assets. Organizations are to employ automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.

The FDIC has not implemented a solution to automatically log all computer-readable data extracts from databases holding sensitive information and confirm its subsequent deletion within 90 days for data that is no longer needed. The FDIC is currently researching potential software solutions that will satisfy this M-06-16 requirement. Although DIT has initiated an effort to identify a data extract logging software solution that meets the technical and functional requirements for logging sensitive data extracts, DIT indicated that the commercial software market has not developed a suitable product to meet the FDIC’s needs. DIT also indicated that this requirement is proving to be a challenge for most federal agencies.

With respect to extraction of sensitive data, if such activity is not logged, monitored, and its deletion confirmed after 90 days following its extraction, the extracted sensitive data could be vulnerable to unauthorized electronic copying and sending by individuals with malicious intent. In addition, RCN and FastAccess® could allow users to store sensitive information unencrypted on home computers that are vulnerable to unauthorized access.

Through discussions and limited testing, KPMG determined that as a compensating control, the FDIC’s Enterprise Information Management (EIM) group is restricting the ability to copy production data to non-production environments by implementing a set of procedures for data requests. EIM has also published policy limiting access of production data for testing, quality control, and deployment preparation purposes to 45 days, at which point, access to the data is automatically removed.

In addition to KPMG’s work on IT security, we determined that divisions and offices had not developed specific guidance identifying sensitive information related to their respective activities and operations that may not be appropriate for telework. Instead, the divisions and offices were relying on corporate-wide information security guidance. To better ensure that sensitive information is properly safeguarded when employees are teleworking, requests to telework should identify the data that will be used and its source, and that information should be considered in making decisions to approve or disapprove requests.

The FDIC has issued extensive guidance related to information security, for example:

• FDIC Circular 1300.4 – Acceptable Use Policy for Information Technology Resources
• FDIC Circular 1310.3 – Technology Security Risk Management Program
• FDIC Circular 1310.5 – Encryption and Digital Signature for Electronic Mail
• FDIC Circular 1360.1 – Automated Information Systems (AIS) Security Policy
• FDIC Circular 1360.9 – Protecting Sensitive Information

FDIC Form 2121/05, Employee/Supervisor Telework Program Agreement, states that applicable policies and directives related to equipment and information security, such as those mentioned above, apply to the telework program. Further, Form 2121/05 cautions that employees may be held responsible for security breaches or equipment damage due to negligence. Circular 2121.5, FDIC Telework Program, Section 7. Paragraph d., states that employees must comply with all security and record keeping measures outlined in established policies and directives. Further, the Circular states that all FDIC records and data shall be protected against unauthorized disclosure, access, mutilation, obliteration, and destruction.

We contacted representatives of nine divisions and offices to determine if any had issued supplemental guidance specifically identifying data that should not be removed from the FDIC and used during telework sessions. Representatives of the five divisions and offices that responded indicated that they had not issued such guidance and were relying on existing corporate-wide guidance related to data security or encryption.

While DSC had not issued specific guidance related to data used during telework sessions, we noted that DSC had issued a memorandum dated August 15, 2006, entitled, Safeguarding Examination Information (Transmittal No. 2006-025), which states that examination information is broadly defined as all documentation involved in a bank examination. It includes the Report of Examination, examination work papers, and bank information received during the examination process. Attachment A of the memorandum states that the protection of examination information will require technical, physical, and administrative safeguards. The attachment states, for example, that all examination information stored on laptops, retained on CDs, DVDs, flash drives, or any other storage media shall be encrypted. Finally, the attachment states that staff on travel status or telework status must ensure confidential information is secure when unattended.

We also noted that DRR had issued guidance entitled, DRR’s Guidelines for Protecting Sensitive Data, to help its employees and contractors better understand how to protect sensitive information. The guidelines describe: the types of data, when combined, which can be deemed as sensitive; responsibilities and methods for protecting sensitive information; and DRR systems that contain sensitive information.

The security goal of all federal agencies is to minimize the chance that unauthorized access to their network will occur. The FDIC continues to make progress in complying with OMB M-06-16 by identifying and resolving security weaknesses related to telework and remote access. Some risks remain associated with providing employees remote access to the FDIC’s network and information systems. We are mindful in making recommendations as the FDIC faces similar challenges securing its information systems as do other agencies and must strike a balance between business needs, risk, and cost.

We recommend the Director, Division of Information Technology:

6. Pursue improvements in security controls associated with telework, when deemed cost effective, in the following areas:
   • Continuing to work toward an enterprise-wide automated encryption solution for data stored on laptops, removable USB devices, and Personal Digital Assistants.
   • Working to resolve technical issues that prevent FastAccess® with an open Outlook session from timing out after 30 minutes of inactivity in order to be consistent with the user re-authentication requirement of OMB Memorandum 06-16.
   • Restricting user capability to extract and store sensitive data on non-FDIC computers while using RCN or FastAccess®.

We recommend the Director, Division of Administration:

7. Modify the FDIC Form 2121.5, Employee/Supervisor Telework Program Agreement, for regular or recurring telework situations to include identifying any sensitive data that may be used during telework and its source in order to assist management in making the decision to approve or disapprove a telework request.

OTHER MATTERS

INFLUENZA PANDEMIC PREPAREDNESS PLANNING

The Corporation’s task force formed in February 2006 to develop the PIPP has neither completed the plan that will provide guidance for handling a pandemic event, nor has it set a target date for its completion.

To address the pandemic issue, the FDIC created a task force led by the Assistant Director, Facilities Operations Section. The task force is assigned to address the challenges of the pandemic influenza and to develop a PIPP that specifically includes preventive hygiene; social distancing or telework; and limiting movement in accordance with OPM’s A Guide to Telework in the Federal Government. The PIPP is to be incorporated as an addendum to the FDIC Emergency Preparedness Plan.

According to task force members, the task force has:

• Drafted a “Decision Point” memorandum to the Human Resources Committee that the Assistant Director, Facilities Operations Section, expects to finalize by the end of September or early October;
• Conducted demonstrations of the Department of Treasury Web-based Pandemic Flu awareness-level training;
• Held discussions regarding a draft Pandemic Flu Plan;
• Participated in the Financial Banking Information Infrastructure Committee’s pandemic flu table-top exercise.⁸

The Assistant Director confirmed that telework is the cornerstone of the FDIC’s pandemic plan; however, he added that there are many telework-related issues that must be addressed before the PIPP is completed and implemented. For example, task force members are conducting discussions with FDIC management and union representatives to:

• Clarify Information Technology (IT) limitations and constraints, which include determining whether all employees can successfully activate their Safeword® authenticator tokens,
• Establish laptops in reserve for teleworkers,
• Ensure the FDIC population is telework-ready, and
• Determine how employees will be paid in a pandemic scenario.

While some progress has been made in developing the PIPP, additional management attention to the project may be beneficial to expediting its completion. Completing the PIPP and training FDIC managers and employees on its implementation will provide greater assurance that the FDIC can remain fully functional during a pandemic event.

We recommend the Director, Division of Administration:

8. Establish milestones for completing the FDIC’s Pandemic Influenza Preparedness Plan and its incorporation, as an addendum, to the FDIC Emergency Preparedness Program.

SUBMISSION OF TELEWORK AGREEMENTS AND HOME SAFETY SELF-CERTIFICATIONS

The FDIC may be able to more efficiently administer the telework program. Specifically, the Corporation should pursue having employees participating in the FDIC telework program submit their Employee/Supervisor Telework Agreement (FDIC 2121/05) and their Home Safety Self-Certification (FDIC 2121/04) forms for approval and filing in an electronic format rather than in hard copy as currently required.

The FDIC has incorporated guidance from A Guide to Telework in the Federal Government regarding telework agreements and home safety self-certification into its Circular 2121.1 FDIC Telework Program. Section 5, Program Guidelines, of Circular 2121.1, states that supervisors must maintain a current form FDIC 2121/05 and form FDIC 2121/04. The supervisor is required to review these forms and keep a copy of each for their records. The Employee/Supervisor Telework Program Agreement provides needed contact information and outlines rights, responsibilities, and general program provisions. Section 8, Responsibilities, states that employees must update these documents annually or as otherwise required. Both forms are currently available electronically on the FDIC Intranet.

At our request, the FDIC’s Legal Division reviewed the requirement for employees to submit FDIC 2121/05 and FDIC 2121/04. The Legal Division concluded that the requirement stems from negotiated provisions in the national Collective Bargaining Agreement (CBA) between the FDIC and National Treasury Employees Union (NTEU), which states that both forms must be current and updated by January 31 of every calendar year.

Further, the FDIC’s Legal Division stated that both the negotiated national CBA between the NTEU and the FDIC (at section 4E) and Circular 2121.1 (at section 8b), which was also negotiated with NTEU, require that employees participating in the FDIC telework program submit form 2121/04. This form is required to ensure that an employee’s alternative work site complies with general safety standards and because an employee will be compensated under the Federal Employees Compensation Act if injured while actually performing official duties at the alternate work site.

As a result of its review, the Legal Division concluded that new requirements for electronic submission of forms 2121/05 and 2121/04 would be subject to negotiations with NTEU.

We recommend the Director, Division of Administration:

9. Evaluate the cost/benefit of employees electronically submitting forms 2121/05 and 2121/04, and if deemed cost-beneficial, negotiate with the NTEU to institute electronic submission and approval of the forms.

CORPORATION COMMENTS AND OIG EVALUATION

The DOA and DIT Directors provided a written response, dated November 29, 2007, to a draft of this report. The response is presented in its entirety in Appendix II. Management concurred with recommendations 1, 2, 3, 7, and 8, concurred with the intent of recommendation 4, and partially agreed with recommendations 5 and 6. Management did not agree with recommendation 9, but offered a reasonable explanation for not taking action on the recommendation at this time. A discussion of management’s response to recommendations 5, 6, and 9 follows:

Recommendation 5: Implement periodic testing of equipment, technology, and technical support associated with large numbers of employees concurrently teleworking in an emergency situation and require individuals expected to telework in an emergency situation to periodically telework under non-emergency circumstances.

DOA deferred to DIT on this recommendation. DIT partially agreed with this recommendation and proposed an alternative action. DIT noted there is no requirement to support a large number of users to telework in an emergency. However, DIT agreed to stress test RCN, which is the most heavily used remote access method, to enhance the current engineering estimates of the projected number of users that can be supported on this technology.

DIT also noted that FDIC employees and contractors routinely use remote access tools to log into the FDIC network and that current usage results in thousands of remote connection sessions each month to the FDIC’s network and systems, providing evidence that employees are capable of remotely accessing the network.

We accept DIT’s alternative action to this recommendation; however, we continue to believe that it would be prudent to periodically require employees to practice telework under simulated emergency conditions. Doing so would also be consistent with FEMA and OPM guidance.

• Continuing to work toward an enterprise-wide automated encryption solution for data stored on laptops, removable USB devices, and Personal Digital Assistants.
• Working to resolve technical issues that prevent FastAccess® with an open Outlook session from timing out after 30 minutes of inactivity in order to be consistent with the user re-authentication requirement of OMB Memorandum 06-16.
• Restricting user capability to extract and store sensitive data on non-FDIC computers while using RCN or FastAccess®.

DIT provided updated milestone information for the EEP project in November 2007. The FDIC completed Phase I encryption of all corporate laptops in November 2007. Regarding Phase II, encryption of removable media, DIT provided a project plan with detailed milestones, which estimated completion of the encryption for USB drives in January 2008 and CDs by March 2008. Regarding Phase III encryption of PDA devices, DIT implemented a pilot in late November and anticipated full implementation of PDA encryption by the end of December 2007. This additional information is sufficient to address and close this portion of the recommendation.

DIT partially agreed with Bullet 2 above, regarding time-out of network sessions. DIT representatives were unaware of any technical solution that would prevent Outlook Web access from remaining open beyond the 30 minute time-out window when new email traffic is sent to the client by the exchange server. DIT agreed to complete an Acceptance of Risk memorandum by November 30, 2007 for this situation.

DIT partially agreed with Bullet 3 above, regarding logging data extracts and restricting downloads to non-FDIC computers. However, DIT representatives indicated that there is no tool in the current market place that will log data extracts and erase them after 90 days. DIT has implemented compensating controls to mitigate these risks. Further, DIT agreed to continue to look for and evaluate new solutions should they become available. The OIG considers DIT’s response sufficient to resolve the recommendation.

Regarding restricting downloads to non-FDIC computers, DIT indicated that this is a risk for RCN, but not for Fast Access®. DIT is not aware of a solution to this situation, short of prohibiting access to the data, which DIT does not view as a viable business solution. DIT has made a business decision to accept this risk, and DIT has again agreed to complete an Acceptance of Risk memorandum by November 30, 2007.

The OIG considers the first portion of this recommendation (encryption) closed. The remaining portions of this recommendation (system time-out and logging of extracts/downloads of sensitive data) are resolved, but will remain open pending receipt of DIT Acceptance of Risk memoranda.

Recommendation 9: Evaluate the cost/benefit of employees electronically submitting forms 2121/05 and 2121/04, and if deemed cost-beneficial, negotiate with the NTEU to institute electronic submission and approval of the forms.

DOA did not agree with this recommendation. DOA indicated that the cost of the evaluation may exceed any savings derived from filing forms 2121/05 and 2121/04 electronically. DOA described the volume of paper generated through annual submissions as de minimis.

DOA also stated that, in the future, if such changes are to be determined to be in the Corporation’s interest, they could be included as an agency proposal to be bargained over with NTEU when the national Collective Bargaining Agreement is next renegotiated. We accept management’s decision on this recommendation, and we consider the recommendation closed.

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.