Lawmakers Want IGs to Include Telework Vulnerabilities in Upcoming FISMA Audits

House Oversight Committee leaders want to know what vulnerabilities remote-access software introduced and whether agencies mitigated them.

As employees, including the federal workforce, begin returning to the office, a group of Democratic lawmakers wants agency inspectors general to examine the cybersecurity weaknesses “created or exacerbated” by teleworking.

Federal employees have been teleworking en masse for more than a year after agencies shuttered their physical offices last spring to stem the spread of COVID-19. Employees connecting from home—some for the first time—created a challenge for most federal agencies, which needed to ensure the connections and any data being shared across networks were secure.

Members of the House Oversight and Reform Committee and its subcommittees sent letters Wednesday to 10 inspectors general asking for audits of cybersecurity vulnerabilities directly related to mass teleworking, covering both weaknesses that were known before the pandemic and those created as a direct result of it.

The letters were signed by Democratic leaders from all of the Oversight subcommittees, including Committee Chair Carolyn Maloney, D-N.Y., National Security Subcommittee Chair Stephen Lynch, D-Mass., Government Operations Subcommittee Chair Gerry Connolly, D-Va., Economic and Consumer Policy Subcommittee Chair Raja Krishnamoorthi, D-Ill., Civil Rights and Civil Liberties Subcommittee Chair Jamie Raskin, D-Md., and Environment Subcommittee Chair Ro Khanna, D-Calif.

In the letters, lawmakers asked the heads of the major departments’ watchdog offices to include an assessment of “any vulnerabilities created or exacerbated by the department’s use of remote-access software to facilitate telework during the coronavirus pandemic, and whether any such vulnerabilities were effectively mitigated.”

Rather than request a separate audit, the signatories asked the inspectors general to fold these assessments into the annual evaluations required under the Federal Information Security Modernization Act, or FISMA.

“Even before the pandemic began, the National Institute of Standards and Technology warned that ‘major security concerns’ associated with telework ‘include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts,’” lawmakers wrote.

The letters cite recent intrusions as evidence, including the SolarWinds supply-chain compromise, which affected at least nine federal agencies, the Microsoft Exchange Server vulnerabilities, and the exploitation of Pulse Connect Secure remote-access VPN appliances.

“The proliferation and growing sophistication of malicious state and non-state cyber actors requires federal departments and agencies to be able to maintain and protect the integrity of their information technology systems—particularly if they adopt more flexible telework policies after the coronavirus pandemic subsides,” the letters state.

Oversight Committee members asked the IGs to include eight areas for evaluation in the upcoming FISMA reports:

  • The acquisition, deployment, management and security of remote connections to department networks, including those facilitated by VPNs and/or virtual network controllers.
  • The acquisition, deployment, management and security of collaboration platforms such as Microsoft Teams, Zoom, Slack and Cisco Webex.
  • Whether the department, and all components, has implemented security controls to prevent the unauthorized dissemination of controlled unclassified information, personally identifiable information, or sensitive but unclassified information via third-party collaboration platforms.
  • Identity, credential and access management for users permitted remote access to department networks, including how broadly the department has enabled multi-factor authentication and whether it has procedures in place to disable inactive and potentially unauthorized user accounts.
  • The distribution and management of virtual and physical assets that facilitate telework, including laptop computers, smartphones and RSA tokens.
  • The department’s adherence to Trusted Internet Connections (TIC) 3.0 guidance.
  • Whether the department’s chief information officer and all component chief information officers implemented additional security policies in response to coronavirus-related telework and how they are enforcing those policies.
  • Whether the department has implemented continuous monitoring and scanning of networks to identify vulnerabilities.