Experts say government-issued devices like phones, computers and even email accounts face heightened security risks during a federal shutdown.
Federal agencies are racing to release guidance for staff as a looming government shutdown threatens to furlough thousands of employees, disrupt critical services and reduce national cyber operations to skeleton crews.
Federal employees are learning whether they will be considered exempt and remain on staff, or if they will be forced into furloughs — as well as what to do with their government-issued devices during an unpredictable time.
"In most cases, the machines that furloughed employees use remain at the office and remain online," Jake Williams, a veteran cybersecurity expert and security researcher with IANS Research, told Nextgov/FCW. He added that keeping devices on during a shutdown "makes sense from a security perspective" since critical security patches could be missed if they were powered down for an extensive period of time.
Most agency staff put on unpaid furlough are typically restricted from using government devices during a shutdown, including laptops, cellphones, government-issued email accounts, tablets and secure communication devices.
The Department of Homeland Security released a contingency plan this week that said essential personnel can continue performing normal functions on their agency-issued IT resources, while furloughed employees should periodically check their government devices for status updates and emergency notifications.
DHS employees should "passively monitor their DHS-issued electronic devices" for updates on when the shutdown has ended and when they can return to work, according to the guidelines.
Some federal contingency plans for a lapse in appropriations include details about how agencies will notify employees to return to work without government devices.
The General Services Administration also released its guidelines this week, which said essential managers will use a telephone alert system to instruct furloughed employees to return to work on their regular next day following the shutdown.
The Office of Management and Budget maintains a repository of the most recently updated contingency plans for federal agencies.
Cybersecurity experts and technology leaders meanwhile warn that those contingency plans are lacking in detail and adequate security measures, leaving federal devices and networks open to major vulnerabilities if Congress fails to pass a budget before the start of the new fiscal year this weekend.
John Harmon, regional vice president of cyber solutions for the software firm Elastic, told Nextgov/FCW that government networks and devices would be more vulnerable during a shutdown since the employees tasked with maintaining their security "won’t be as focused or have all of their ordinary work supports in place."
"Those charged with securing government networks are typically labeled as essential personnel, though they are still vulnerable humans," Harmon said. "They will be focused on human stressors, such as the worry of not getting paid, further weakening their abilities to keep operations secure."