What is important to understand first and foremost, is what the law requires of you with regards to data security and protection. Only from there can we begin to understand how we can stay within those requirements while changing the way our workforce connects, communicates and collaborates.
As a government agency, as a DoD contractor, or contractor for the government, there are a few types of data which may flow through your systems that are important to classify and understand. Beyond that, who handles your data and how it is transmitted becomes very important in securing each different type of data.
As a Government agency or contractor, you will have to deal with the typical data classifications that all organizations are subject to, along with a specific set of classifications that are specific to the government.
General data types that every organization should be aware of include:
Personally identifiable information: this can be personal or identifying data about your customers or other employees.
Intellectual Property or Trade secrets: anything that is vital to how your organization or its customers or partners works that would be negative if it found itself in the hands of your competitors.
Health data: any health or personal data protected by HIPAA regulations.
Financial data: information about finances for your company, your clients, partners or your customers including bank details and login information.
As a party that deals with government-related data, there are a whole set of data classifications that you may or may not deal with:
Classified information: Classified information is defined as any information or material that has been determined by the United States Government to require protection against unauthorized disclosure for reasons of national security. Within the category of “Classified” data, there are three subcategories that define the level of sensitivity of the data.
Top Secret information: Top Secret is the highest security classification and is defined as classified information that could be expected to cause “exceptionally grave damage” to national security.
Secret information: The second-highest classification within the Classified category, Secret information is defined as information that would cause “serious damage” to national security. Most classified information is considered Secret and sits in this category.
Confidential information: As the lowest subcategory within Classified data, Confidential information is defined as information that would simply “damage” national security if made public.
Controlled Unclassified Information: Controlled Unclassified Information (CUI) is defined as unclassified information that is still to be protected from public disclosure. This designation was created to replace "sensitive but unclassified" and other similar (and numerous) confusing data classifications. The National Archives are responsible for overseeing and managing the implementation and management of the CUI framework.
Federal Contract Information (FCI): Information provided by or generated for the Government under contract not intended for public release.
Security laws and regulations.
As a government agency or contractor, there is a specific set of laws and regulations that govern the access and transmission of these data types which may or may not apply to you.
DFARS: The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of restrictions on materials used in DoD applications that protects the US defense industry from being dependent upon supply from foreign countries. There is a clause, DFARS 252.204-7012, which specifically focuses on the cybersecurity controls that must be in place for those who contract or supply to the DoD.
NIST: The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is the standard by which every government agency or contractor measures their cybersecurity posture. All those who touch government data must prove compliance or adherence to NIST at a minimum. NIST has released a standard specifically on what cybersecurity measures are to be taken for remote work.
NIAP: The National Information Assurance Partnership (NIAP) certification is a commercial cybersecurity product certification that is mandated by federal procurement requirements (CNSSP 11) for use in U.S. National Security Systems (NSS). Its primary purpose is to certify commercial technology or products which will be used to handle classified data.
CSfC: The NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to allow for the use of commercial products to be used in solutions for transmitting or handling of classified NSS data while keeping it secure and protected according to approved standards. Products on the Commercial Solutions for Classified (CSfC) Components List have all been approved for use with classified data.
FIPS: Federal Information Processing Standards (FIPS) are a set of standards that are applicable to any computer systems used by non-military government agencies and contractors. The standard was developed by the National Institute of Standards and Technology.
CMMC: The Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) itself builds upon DFARS, clause DFARS 252.204-7012, which is specifically about safeguarding defense information and cyber incident reporting. The CMMC framework measures cybersecurity maturity using five levels and has a corresponding set of processes and best practices that should be put in place based on the type and sensitivity of the information being protected.
Who handles data in your organization?
Government agencies that deal with highly classified information have classifications for personnel that handle different levels of data. Individuals are categorized into two different classifications: Essential and Non-Essential personnel.
Essential personnel are employees who are required to work when an office closing is authorized, potentially in operations that must provide round the clock services. The designation of essential can depend upon the employees’ duties, as well as the circumstances for the closing or shut-down. In terms of national security, an essential employee would be one that is considered mission-critical in keeping important activities moving.
Non-essential employees are those employees who are not needed or required to work during an office closing. Again, in terms of national security, this would be employees who aren’t mission-critical to “keeping the lights on.”
These two designations often extend to the type of data an employee might touch. Typically the more “essential” an employee, the more sensitive of data they need access to.
What equipment does your staff use?
For the majority of all government agencies, and particularly any government agency or contractor that touches Classified data of any kind, there are specific rules about the actual equipment you use to do your work.
For unclassified information, government agencies will still require that employees use a government-issued laptop or device. Working from a personal device will not be allowed for anyone within a government organization. The government issued device will have already been set up and certified to meet government security requirements according to NIST 800-171.
Government contractors who handle unclassified data will similarly have to have certified according to DFARS and NIST 800-171 that their devices meet standards.
For agencies that handle or require access to classified information, only NIAP Approved or CSfC Certified devices are acceptable to access that data.
What does this mean for remote work?
Ok, so bottom line, what does this mean for your ability to set your staff up for remote work as a government agency or contractor?
Let’s start with government agencies. If you find yourself in this category, you will quite honestly have very few options. The best way to start is to take a look at what you already had set up. If you already have a work from home program, and your staff has government-issued devices, your only concern will be to secure the communication from that device over the public internet.
If you didn’t have a work from home program set up, and your staff doesn’t currently have government-issued devices, then you’ll have a more difficult time. If you have enough government-issued devices to cover your mission-critical staff, they can continue to work from home. For those that are non-critical, you’ll most likely place them on administrative leave during this time.
At this point in time, it is unlikely that you’ll want to call your IT staff back into the office to set up additional or new devices and then ship that hardware to employees, however, should this last long enough, that may be something you consider.
The important thing for you in this time is ensuring that device connectivity back to the home network over the public internet (and connections you won’t be able to control) is fully secure. A strong and secure VPN is the only way to achieve this.
Devices already set up with work from home capability may have this, and users who already know how to work from home will likely already have been trained on how to use it. The tricky part will be with shifting devices that were not previously meant to connect from outside the network to safe for external connection. And the even trickier part will be with ensuring that users know how to do this safely.
If you need assistance with a solution that is secure enough for most types of government data (CSfC approved), that can be outfitted on any device quickly and is easy for users to adopt, Attila’s GoSilent Cube may be able to help.
Learn More About GoSilent
Secure any user or device simply by connecting to a GoSilent cube. Compatible with any IP-enabled device (no matter how old) and effective over any connection (no matter how public) with near zero configuration required. Security so simple, “it just works.”
There are two types of government contractors to consider. Those that are in-house contractors for government agencies, and companies that contract or provide products or services for the government.
As an in-house contractor for a government agency, you’ll be following the rules for government agencies above and whatever the agency itself chooses for remote work.
As a company that contracts for the government, you are in a somewhat simpler position. Prior to this event, you were already accessing and transmitting government data from outside the network. This means you already had to have devices and systems set up for external remote access that adhere to the proper standards.
Your challenge will now simply be in ensuring all of your employees can access this information from outside your office. This will most likely involve extending your secure VPN capabilities beyond just your own network to a solution that is portable and secure over the open internet. You may already have this capability if you have been allowing remote work for your team, in which case you are set.
However, any devices not set up for remote work, without a VPN solution configured will need a secure one, and quick. Similar to the example above, Attila’s GoSilent Cube may be able to help you deploy a solution quickly.