The Case for Using Commercial Tools to Allow Classified Telework
Programs like the National Security Agency’s Commercial Solutions for Classified could be a path to transmit classified information without specialized hardware.
As many as 4 million Defense Department military and civilian workers are now teleworking, in part fueled by the rollout of commercially-available tools such as Commercial Virtual Remote, a DoD-only implementation of Microsoft Teams that is now approaching 1 million user accounts.
CVR is just one example of how DoD is shifting telework—at least temporarily—from Defense networks to commercial networks, not to mention bring-your-own-device programs. The scale and speed at which DoD has re-architected its workforce and network for mass teleworking are staggering and impressive. At an April department briefing, Chief Information Officer Dana Deasy cited “unprecedented” demand for new tablets, laptops and network equipment. Approximately 2,000 Pentagon personnel have been provided with additional devices, with Deasy adding that 65,000 additional users were equipped to work remotely with mobile and desktop services.
A shared and undeniable theme to emerge in comments from DoD and civilian agency leaders is that the current experience with teleworking will have a lasting impact—one that might see a significant percentage of the workforce remote for months to come. However, enabling military and civilian workers to operate in both unclassified and classified environments securely is another matter. And it is why Commercial Solutions for Classified, or CSfC, solutions are in the spotlight.
Expanding the Case for CSfC
To enable mobility for classified communications, the National Security Agency established a program (with a set of guidelines) called “Commercial Solutions for Classified.” Through the program, DoD organizations can transmit classified information using commercial-grade encryption solutions, eliminating the need for expensive, difficult-to-use controlled classified hardware.
CSfC has been typically used to secure comms for specialized applications in tactical environments for mobile operations and partner communications prior to COVID-19. The rapid expansion of telework positions underscores CSfC as the ideal solution for a workforce that needs to share classified information and reduces the need for workers to travel to secure facilities.
Enabling Classified for the Remote Workforce
DoD has remained nimble over the past several weeks to ensure continuity of operations without compromising security. For example, permitting employees to renew their common access cards remotely—a process that historically was done in person—was essential so that workers could access DoD devices while working from home.
That said, both DoD and civilian agencies face a challenge to clearly communicate what workforces can and can’t do remotely with classified, unclassified, and controlled but unclassified (CUI) information. Confusion across government and contractor workforces can create security risks if each employee doesn’t understand what their position and function allows.
At a virtual conference earlier this month, Essye Miller, principal deputy in the office of the DoD chief information officer, noted the diversity of security requirements across the department: “Obviously we’ve got people working in various environments, classified [and] unclassified. Organizations will have to figure out what’s important to them: what has to be accomplished inside a physical facility and what can be done remotely; how we need to measure those outcomes; and, not to mention, what we need to equip our workforce with to accomplish that.”
When it comes to unclassified environments, BYOD and bring-your-own-approved-device programs make a lot of sense and follow a model that has proven successful—particularly in the commercial market. BYOD technology has sufficiently matured to keep cybersecurity risks manageable when it comes to downloading DoD-approved software on commercially available and authorized personal mobile devices. That said, there is an additional part of the story for DoD organizations that also have classified networks both internally and with coalition partners—it requires organizations to follow CSfC requirements.
BYOD is currently not permitted with CSfC. BYOD can meet the mobility needs of a large percentage of expanded remote DoD workforce, but classified access requires CSfC to ensure the necessary controls for classified access are in place. As it stands without CSfC, workers cannot easily perform classified work at home and need to travel to a secure facility.
While it is possible for individual agencies to build their own CSfC solutions, it is a significant undertaking and difficult to scale, manage and maintain. For that reason, the most rapid and cost-feasible path to CSfC-enabled remote work is to leverage industry innovation focused on creating standardized enterprise-sized CSfC solutions using proven technologies with integrated management systems.
At the previously referenced April DoD briefing, Lt. Gen. B.J. Shwedo outlined the balance DoD organizations must strike between productivity and security as they scale telework: “To appreciate the scope and scale of our task, our work is to enable productive collaboration for over four million military and civilian worldwide teleworkers with innovative tools that are both cutting-edge and secure, often with overnight demands.” Now, CSfC solutions can serve as a critical component in these efforts by enabling access to the most mission-critical information—ensuring remote workers have the same situational awareness at home as on base.
Charlie Kawasaki is chief technical officer at PacStar.