The Government Accountability Office (GAO) has issued a report on telework security at several agencies, including Social Security. The report is short on specifics, probably to avoid pointing out areas to attack, but Social Security comes in for mild criticism. I can’t tell whether it’s quibbles over the dotting of i’s and crossing of t’s or whether there have been substantive dangers.
It's probably that SSA is doing well with keeping our networks safe during telework, that is why the GAO report only had mild criticism for the agency. Let's give credit where credit is due.
Having worked in that area, the 2 recommendations are critical of the documentation, not necessarily the actual controls or systems. It's that the systems have been assessed internally and by outside auditors to comply with FISMA and OMB et al and documented for them already, and GAO had issues with portions of the documentation. Frankly, given the moving target of compliance documentation, that's likely more prevalent than not. 90% of the time it's a paperwork issue. Unlikely that in doing the paperwork a deficiency will arise.
Quote from the report:
Officials from the 12 selected agencies reported that they had IT in place to allow employees to remotely access agency resources during the COVID-19 pandemic. While the selected agencies reported that they faced challenges in providing the IT needed to support remote access for maximum telework in response to the pandemic, they also reported that they had overcome most of the challenges quickly and were successfully supporting maximum telework.
Three Impressions:
First, this is not a comprehensive report on how the agencies performed but, from their self-reporting, they did ok with telework.
Second, this report was mostly about the cybersecurity risks. Glad to see they are reviewing that vital area.
Third, fortunately the federal agencies already had the infrastructure in place for remote work. Had that not been the case, the challenges would have been greater. As someone who works for an older attorney who hates telework as much as Charles Hall, I can report that we had more significant challenges when we first went to telework in the beginning of the pandemic.
The largest threat to security (besides our people) isn't in our telework infrastructure. It's shared printers. The vast majority of personal information sent to the wrong sources comes from the fact that SSA is cheap on buying printers, and can have dozens of employees sending documents to the same printing source. Documents get intermingled, and sent to the wrong person.