The Secure Remote Work Guide

What is important to understand first and foremost, is what the law requires of you with regards to data security and protection. Only from there can we begin to understand how we can stay within those requirements while changing the way our workforce connects, communicates and collaborates.

As a government agency, as a DoD contractor, or contractor for the government, there are a few types of data which may flow through your systems that are important to classify and understand. Beyond that, who handles your data and how it is transmitted becomes very important in securing each different type of data.

Data Types

As a Government agency or contractor, you will have to deal with the typical data classifications that all organizations are subject to, along with a specific set of classifications that are specific to the government.

General data types that every organization should be aware of include:

Personally identifiable information: this can be personal or identifying data about your customers or other employees.

Intellectual Property or Trade secrets: anything that is vital to how your organization or its customers or partners works that would be negative if it found itself in the hands of your competitors.

Health data: any health or personal data protected by HIPAA regulations.

Financial data: information about finances for your company, your clients, partners or your customers including bank details and login information.

As a party that deals with government-related data, there are a whole set of data classifications that you may or may not deal with:

Classified information: Classified information is defined as any information or material that has been determined by the United States Government to require protection against unauthorized disclosure for reasons of national security. Within the category of “Classified” data, there are three subcategories that define the level of sensitivity of the data.

Top Secret information: Top Secret is the highest security classification and is defined as classified information that could be expected to cause “exceptionally grave damage” to national security.

Secret information: The second-highest classification within the Classified category, Secret information is defined as information that would cause “serious damage” to national security. Most classified information is considered Secret and sits in this category.

Confidential information: As the lowest subcategory within Classified data, Confidential information is defined as information that would simply “damage” national security if made public.

Controlled Unclassified Information: Controlled Unclassified Information (CUI) is defined as unclassified information that is still to be protected from public disclosure. This designation was created to replace "sensitive but unclassified" and other similar (and numerous) confusing data classifications. The National Archives are responsible for overseeing and managing the implementation and management of the CUI framework.

Federal Contract Information (FCI): Information provided by or generated for the Government under contract not intended for public release.

Security laws and regulations.

As a government agency or contractor, there is a specific set of laws and regulations that govern the access and transmission of these data types which may or may not apply to you.

DFARS: The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of restrictions on materials used in DoD applications that protects the US defense industry from being dependent upon supply from foreign countries. There is a clause, DFARS 252.204-7012, which specifically focuses on the cybersecurity controls that must be in place for those who contract or supply to the DoD.

NIST: The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is the standard by which every government agency or contractor measures their cybersecurity posture. All those who touch government data must prove compliance or adherence to NIST at a minimum. NIST has released a standard specifically on what cybersecurity measures are to be taken for remote work.

NIAP: The National Information Assurance Partnership (NIAP) certification is a commercial cybersecurity product certification that is mandated by federal procurement requirements (CNSSP 11) for use in U.S. National Security Systems (NSS). Its primary purpose is to certify commercial technology or products which will be used to handle classified data. 

CSfC: The NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to allow for the use of commercial products to be used in solutions for transmitting or handling of classified NSS data while keeping it secure and protected according to approved standards. Products on the Commercial Solutions for Classified (CSfC) Components List have all been approved for use with classified data.

FIPS: Federal Information Processing Standards (FIPS) are a set of standards that are applicable to any computer systems used by non-military government agencies and contractors. The standard was developed by the National Institute of Standards and Technology.

CMMC: The Department of Defense’s (DoD) new Cybersecurity Maturity Model Certification (CMMC) itself builds upon DFARS, clause DFARS 252.204-7012, which is specifically about safeguarding defense information and cyber incident reporting. The CMMC framework measures cybersecurity maturity using five levels and has a corresponding set of processes and best practices that should be put in place based on the type and sensitivity of the information being protected.

Who handles data in your organization?

Government agencies that deal with highly classified information have classifications for personnel that handle different levels of data. Individuals are categorized into two different classifications: Essential and Non-Essential personnel.

Essential personnel are employees who are required to work when an office closing is authorized, potentially in operations that must provide round the clock services. The designation of essential can depend upon the employees’ duties, as well as the circumstances for the closing or shut-down. In terms of national security, an essential employee would be one that is considered mission-critical in keeping important activities moving.

Non-essential employees are those employees who are not needed or required to work during an office closing. Again, in terms of national security, this would be employees who aren’t mission-critical to “keeping the lights on.”

These two designations often extend to the type of data an employee might touch. Typically the more “essential” an employee, the more sensitive of data they need access to.

What equipment does your staff use?

For the majority of all government agencies, and particularly any government agency or contractor that touches Classified data of any kind, there are specific rules about the actual equipment you use to do your work.

For unclassified information, government agencies will still require that employees use a government-issued laptop or device. Working from a personal device will not be allowed for anyone within a government organization. The government issued device will have already been set up and certified to meet government security requirements according to NIST 800-171.

Government contractors who handle unclassified data will similarly have to have certified according to DFARS and NIST 800-171 that their devices meet standards.

For agencies that handle or require access to classified information, only NIAP Approved or CSfC Certified devices are acceptable to access that data.

What does this mean for remote work?

Ok, so bottom line, what does this mean for your ability to set your staff up for remote work as a government agency or contractor?

Government Agencies

Let’s start with government agencies. If you find yourself in this category, you will quite honestly have very few options. The best way to start is to take a look at what you already had set up. If you already have a work from home program, and your staff has government-issued devices, your only concern will be to secure the communication from that device over the public internet.

If you didn’t have a work from home program set up, and your staff doesn’t currently have government-issued devices, then you’ll have a more difficult time. If you have enough government-issued devices to cover your mission-critical staff, they can continue to work from home. For those that are non-critical, you’ll most likely place them on administrative leave during this time.

At this point in time, it is unlikely that you’ll want to call your IT staff back into the office to set up additional or new devices and then ship that hardware to employees, however, should this last long enough, that may be something you consider.

The important thing for you in this time is ensuring that device connectivity back to the home network over the public internet (and connections you won’t be able to control) is fully secure. A strong and secure VPN is the only way to achieve this.

Devices already set up with work from home capability may have this, and users who already know how to work from home will likely already have been trained on how to use it. The tricky part will be with shifting devices that were not previously meant to connect from outside the network to safe for external connection. And the even trickier part will be with ensuring that users know how to do this safely.

If you need assistance with a solution that is secure enough for most types of government data (CSfC approved), that can be outfitted on any device quickly and is easy for users to adopt, Attila’s GoSilent Cube may be able to help.

Government Contractors

There are two types of government contractors to consider. Those that are in-house contractors for government agencies, and companies that contract or provide products or services for the government.

As an in-house contractor for a government agency, you’ll be following the rules for government agencies above and whatever the agency itself chooses for remote work.

As a company that contracts for the government, you are in a somewhat simpler position. Prior to this event, you were already accessing and transmitting government data from outside the network. This means you already had to have devices and systems set up for external remote access that adhere to the proper standards.

Your challenge will now simply be in ensuring all of your employees can access this information from outside your office. This will most likely involve extending your secure VPN capabilities beyond just your own network to a solution that is portable and secure over the open internet. You may already have this capability if you have been allowing remote work for your team, in which case you are set.

However, any devices not set up for remote work, without a VPN solution configured will need a secure one, and quick. Similar to the example above, Attila’s GoSilent Cube may be able to help you deploy a solution quickly.

There are a host of cybersecurity concerns with allowing workers to connect remotely. There are two primary areas where these concerns lie: technical limitations and user knowledge.

From a technical perspective, connecting remotely, rather than from within a secure network, involves the use of different equipment and devices to communicate and brings with it the frightening prospect of using the public internet as the medium through which those communications must happen.

On the other side of the equation, you have the human who is doing the connecting. Most of the humans, who are suddenly having to work remotely, will have no idea that much of what they choose to do could cause security problems. They also will have very limited technical knowledge, so asking them to do very complex things in order to connect will be riddled with problems.

Technical Issues

Some of the biggest technical issues surrounding the security of remote work include:

Personal Device usage: Many of your employees will be connecting to your network using different or mobile devices that are unsecured. Government agencies will struggle with this less as, for the most part, using personal devices will not be allowed. Government contractors should be especially concerned about this particular issue, as most personal devices won’t be set up with the correct security measures to be NIST compliant.

Wi-Fi Connections: Connections via Wi-Fi, especially public Wi-Fi, are notoriously unsecure (and will be the most common method by which your remote employees will connect). The majority of your users will be connecting from their home Wi-Fi but have probably never set any security settings on their routers or have any idea how.

Eavesdropping or Man-in-the-Middle attacks: Cybercriminals gain access to an unsecured or poorly secured Wi-Fi router in order to intercept and read the victim’s transmitted data. 

Captive portals: One of the most concerning aspects of remote work, Captive Portals are present when you get a popup web page as soon as you connect to Wi-Fi networks in places with free guest Wi-Fi access. They often ask you to agree to terms and conditions and/or put in information like your social media accounts, email address, access code, last name, room number (such as in a hotel) or other identifying information before granting you broader access to the network. During this current situation, this will likely be less common (as most people won’t be traveling to these establishments), but it is still a consideration.

Behavioral Concerns

Some of the human behavioral concerns with remote work include:

Physical Security: The physical security of devices is just as important as the technical security of those devices. Quite often employees will leave devices unsecure in vehicles where a bad actor could easily steal them.

Password Hygiene: Most users are terrible at creating secure passwords and keeping them protected. The harder the password to remember, the more likely a user has written it down or saved it on their device somewhere for reference. Users also commonly reuse passwords multiple times and break every other password rule in the book.

Scams and Phishing Emails: Employees may fall victim to scam emails or attacks. Of particular concern during this time are Coronavirus-related scams (which are on the rise). Italy has already seen a campaign where the bad actors masquerade as officials of the World Health Organization encouraging users to download information about COVID-19 to protect themselves.

Connecting Storage Devices: Many users will connect thumb drives or other external accessories that may be insecure or infected or compromised, ultimately infecting the device itself.

Installing Updates: Many users put off installing updates when prompted by their device, leaving their device open to security threats or attacks.

Securing your organization is not as simple as flipping a switch. You’ll want to take a two-pronged approach to ensure that your employees can work remotely without concern for security.

You’ll want to simultaneously start making changes to your technology while also working on educating your employees about what they need to be doing from their end. If you address one side without the other, you’ll be wasting your time. The technology you deploy is useless if your employees use it incorrectly or fail to use it.

Organizational Approach

The strategies you can employ or the actions you can take from as an organization include:

Set up two-factor authentication: Two-Factor Authentication (2FA) involves adding an additional layer of security to login entry points. It involves providing a second proof point, beyond just knowing a password, that you are who you say you are. This second factor can range from a biometric identifier (like a fingerprint) to a simple temporary code sent to a mobile device. You’ll want to have this set up for any application or device that handles or transmits sensitive data for your organization.

Use a VPN and encrypted communications: Anytime a device needs to transmit or communicate sensitive data, it should be over a secure Virtual Private Network (VPN) connection. VPNs encrypt data before sending to ensure nobody who looks at the data will be able to understand it, except the endpoint receiver that is supposed to. 

VPNs come in two flavors, hardware, and software. Software VPNs require significant setup (which you may not have the ability to do at this point in the crisis), rely on consistent updates and may be difficult to teach end-users how to use properly. Hardware VPNs, like Attila’s GoSilent Cube, are typically faster to deploy, easier to use and less prone to user error.

You’ll also need to make sure your organization’s network has the proper set up to accept and handle this traffic. It can be as simple as deploying a virtual server within your existing network to manage the VPN traffic.

Use antivirus software: On any work-furnished device, make sure you are installing and regularly updating antivirus software. This may not be an aspect you have control over if allowing your employees to use personal computers or devices.

Be careful with remote desktop tools: Depending upon how remote desktop services are set up, they may expose the endpoint computer to unnecessary risks. If your team needs to use them, you’ll want to ensure that they have been properly configured and are only accessed over a VPN connection.

Data at rest encryption: Make sure all of your devices have encryption for the data physically stored on that endpoint device. This helps mitigate concerns around lost or stolen devices. The potentially sensitive data that is stored on the device should be unreadable by bad actors.

Data loss prevention (DLP): Using DLP software can help to protect sensitive data by controlling what end users can share or do with that data. For instance, if a user attempted to forward sensitive data outside of their own internal network, they would be denied permission from doing so. Solutions like Microsoft 365 and Sharepoint have some of this functionality built-in.

Employee Approach

Now that you’ve taken steps to secure your network and put in place the technology you need to do so, it is time to ensure that each remote employee is doing their part to keep your data safe. You’ll want to place a big emphasis on training to ensure that employees know what is expected of them and how to maintain all of the security measures put in place.

Training on the basics: Train your users on the basics that they need to know with regards to best practices including password strength, phishing emails, and sites, physical use of devices, etc.

Instructions for connecting: Provide your employees with clear instructions for how they should connect, what requirements you have from their home router, and what type of connections are safer than others (e.g. public Wi-Fi connections).

Provide a solution that is fool-proof: While it should never replace training, providing users a solution that requires no specialized technical knowledge and can be secure over any connection can go a long way in reducing the problems users are able to introduce.

What is incredibly important to remember as you embark upon this journey is that it does you no good to blame your employees or give up on their ability to help keep you secure. It is your responsibility to help find solutions that will be as simple and effective as possible for them to use with as little training as possible. 

For those who do need training, make sure they get it and make sure that you’ve clearly defined what is expected of them and why. Every employee is their own CISO, and they should feel that way.

Supply Chain and Partners

Now that you’ve taken care of your own network and your employees are well-positioned to keep you secure, you’re done, right?

Unfortunately not. Now you have to consider anyone else you work with, like supply chain partners or vendors that have access to your network and data as well. Target learned this lesson the hard way with their HVAC vendor.

You will want to ensure that vendors or partners who have access to your sensitive data are also set up with a secure VPN solution to access your corporate network securely from a remote location.

Unfortunately, at this moment you don’t have the luxury of time to implement new remote work procedures. You need steps you can take immediately to help those who you need to send home now or have already sent home. So what are things you can do right away that can help you make your workforce more secure now?

Find a solution that doesn’t require heavy IT support.

Realistically, you can’t call your entire IT team back into the office to implement a large scale solution that takes days or even weeks to set up and deploy (much less maintain while they are all remote). You need a solution that is plug and play.

You need a secure virtual server that can be set up and running in quickly, and virtually eliminates the need for centralized IT support for configuration and activation. It should have incredibly low overhead for maintenance and support means your team doesn’t need to deal with constant upgrades, updates, and patches.

Find a solution that is both device and architecture agnostic.

Given that you may have multiple different types of endpoint devices that you need to connect to your network, you’ll need a solution that works with any and all of them.

You also won’t be able to pick and choose elements of your existing network, like operating systems and servers, that you can change to support a new solution. You’ll need to make sure that whatever solution you choose to deploy can work with any architecture that you currently have in place.

Deploy a solution that requires little-to-no training.

As previously mentioned, the best thing you can do to ensure users stay secure is to take as much of the burden off of them as possible. Especially in the current atmosphere, where a solution must be deployed quickly, a requirement for lengthy or intense training won’t work.

Give them the basics: Provide a brief Cybersecurity 101, remotely of course, that teaches them some of the most important basics (e.g. always use the VPN, how to identify spam, etc.). Make everyone feel comfortable enough to ask questions and speak up.

Make sure the team knows how to report problems. Create a culture of “if you see something say something.” If a user notices strange activity on their device, suspicious email, they should be ready and willing to notify the security administrators or systems administrators.

What COVID-19 has truly taught is how woefully underprepared we were for a pandemic. It has made it painfully clear that we need to have better contingency plans in place such that an immediate need to deploy a remote workforce at a large scale is possible in the future.

In the wake of COVID-19, as the world begins to return to normal, we’ll find that all government agencies, contractors and public sector businesses alike will need plans in place for remote work. Similar to the requirement for organizations to have a disaster recovery plan in place, organizations will need to have a pandemic plan.

They will need a documented set of policies and procedures, as well as the supporting underlying technology to allow for immediate and widespread remote work.This means you should start building a solution that will support you in the immediate response to COVID-19, but be prepared to build a long term plan as well.

Visit our secure remote work resource center for more information on how to keep your team connected.