October 19, 2021

COVID-19: Selected Agencies Overcame Technology Challenges to Support Telework but Need to Fully Assess Security Controls

What GAO Found

Each of the 12 agencies GAO selected for review had information technology (IT) in place to support remote access for telework during the COVID-19 pandemic. Although the agencies initially experienced IT challenges in supporting remote access for maximum telework, they generally overcame them. For example, seven agencies were challenged in providing sufficient bandwidth to provide remote access for teleworkers, but they increased bandwidth as needed to ensure networks could handle additional remote connections. In addition, while the increased number of remote connections brings additional cybersecurity risks, all of the selected agencies reported that they continued activities intended to help ensure the security of their information and systems.

While the selected agencies had documented elements of a telework security policy, such as permitted telework devices and forms of remote access, not all agencies had fully addressed other relevant federal guidance for securing their systems that support remote access for telework (see figure). Specifically, two agencies had not fully documented relevant IT security controls to protect those systems. In addition, assessments for systems that five agencies relied upon for remote access did not address all relevant controls to ensure the controls were operating effectively. Further, four selected agencies had not fully documented remedial actions to mitigate weaknesses they had previously identified.

[Figure: Extent to Which 12 Selected Agencies Followed Federal Information Security Guidance in Implementing Their IT Systems That Support Remote Access for Telework]

Although one of the selected agencies subsequently resolved its shortcomings, others had not. For the agencies that did not fully follow federal information security guidance, agency IT security officials stated that these conditions existed for various reasons, such as out-of-date documentation, among others. If agencies do not sufficiently document relevant security controls, assess the controls, and fully document remedial actions for weaknesses identified in security controls, they are at increased risk that vulnerabilities in their systems that provide remote access could be exploited.

Why GAO Did This Study

In response to the onset of the COVID-19 pandemic, in March 2020 the Office of Management and Budget directed federal agencies to maximize their use of telework to enable the workforce to remain safe while ensuring that government operations continue. Telework is essential to continuity of operations but also brings added cybersecurity risks. The CARES Act contains a provision for GAO to monitor the federal response to the pandemic. GAO was also asked to examine federal agencies' preparedness to support expanded telework.

GAO's objectives were to determine (1) selected agencies' initial experiences in providing the IT needed to support remote access for maximum telework and (2) the extent to which selected agencies followed federal information security guidance for their IT systems that provide remote access. GAO selected 12 agencies for review that varied in their percentages of reported employee telework use and sent a questionnaire to solicit these agencies' perspectives on the use of IT in transitioning to maximum telework. GAO also reviewed the selected agencies' information security documentation and interviewed relevant officials.

United States Securities and Exchange Commission: The Chair of SEC should ensure that the agency documents relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework. (Recommendation 1)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Social Security Administration: The Commissioner of SSA should ensure that the agency documents relevant IT security controls and enhancements in the security plan for the system that provides remote access for telework. (Recommendation 2)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation: The Secretary of Transportation should ensure that the agency assesses all relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 3)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

United States Securities and Exchange Commission: The Chair of SEC should ensure that the agency assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 4)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Social Security Administration: The Commissioner of SSA should ensure that the agency assesses and sufficiently documents the assessment of relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 5)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Homeland Security: The Secretary of Homeland Security should ensure that the agency consistently monitors progress toward the completion of remedial actions for the system that provides remote access for telework. (Recommendation 6)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Department of Transportation: The Secretary of Transportation should ensure that the agency consistently monitors progress toward the completion of remedial actions by including estimated completion dates in its plan of action and milestones for the system that provides remote access for telework. (Recommendation 7)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Federal Bureau of Investigation: The Director of the FBI should ensure that the bureau consistently monitors progress toward the completion of remedial actions for relevant IT security controls and enhancements for the system that provides remote access for telework. (Recommendation 8)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Office of Personnel Management: The Director of OPM should ensure that the agency documents risks and monitors progress toward the completion of remedial actions by including estimated completion dates in plans of action and milestones and keeping them up to date with current information for the system that provides remote access for telework. (Recommendation 9)

Open

When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
