From the U.S. Government Accountability Office, www.gao.gov

Transcript for: How Prepared Was the Federal Government to Use Telework
During the Pandemic?  

Description: Many of us are still working from home in an effort to slow
the spread of the coronavirus. For the federal government, telework has
been used by employees to continue their work during times of
disruption. But how prepared was the government to provide widespread,
prolonged telework support to its employees, while also maintaining
cybersecurity of federal information and systems?  We find out more from
GAO's Jennifer Franks. 

Related GAO Work: GAO-21-583, COVID-19: Selected Agencies Overcame
Technology Challenges to Support Telework but Need to Fully Assess
Security Controls

Released: September 2021

[Jennifer Franks:] While some of the agencies told us that they had
experienced an increase in certain types of cyberattacks, they were able
to maintain their regular cybersecurity operations

[Music]

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for
news and information from the U.S. Government Accountability
Office--celebrating 100 years of fact-based, nonpartisan government
oversight.  I'm Holly Hobbs. Many of us are still working from home in
an effort to slow the spread of the coronavirus. For the federal
government, telework has been used by employees to continue their work
during times of disruption. But how prepared was the government to
provide widespread, prolonged telework support to its employees, while
also maintaining cybersecurity of federal information and systems?
Today, we'll find out more from Jennifer Franks, an expert on federal
systems cybersecurity and a Director in our Information Technology and
Cybersecurity Team. Thanks for joining us. 

[Jennifer Franks:] Thank you. 

[Holly Hobbs:] So, Jennifer, federal employees could telework before the
pandemic, but it wasn't every employee every day, all the time. What new
IT challenges to this dramatic increase in telework present for federal
agencies? 

[Jennifer Franks:] So that's a good question. And we didn't look at all
federal agencies. We selected a few to review. All of them had
technologies in place to support remote access for their employees. And
they initially each experience it challenges when implementing maximum
telework. Agencies had to contend with the inadequate ability to connect
to their agency's resources--and this included VPN connections supporting
the bandwidth that was needed and even software licenses for employees.
Other challenges include how to provide IT support to all the new
teleworkers at these agencies. And then, agencies were experiencing
delays in acquiring government-furnished equipment. Laptops were a big
problem for agencies at the start of the pandemic because there was a
high demand both in the public and private sector to just acquire them.
But we spoke with agency officials they did indeed overcome these
challenges and were successfully operating in a maximum telework
environment. 

[Holly Hobbs:] So some federal employees work with classified documents
or sensitive data. I'm thinking, you know, the IRS and taxpayer data.
What were the limits on who could telework or what work could be done
from home? 

[Jennifer Franks:] So our report didn't really get into this particular
subject, but we did do a report earlier this year that looked at the
2020 tax filing process. And this report looked at instances in which
their employees did have limitations in performing their work at home.
And this is because the mail-in documentation IRS receives from
taxpayers typically includes federal taxpayer information and even
sensitive data. We wouldn't want that type of information falling into
the wrong hands. IRS officials indicated to us that the agency must
fully consider all of the risk and then all of the benefits of making
tax returns, processing work, ready for telework.  But they're just not
ready yet. 

[Holly Hobbs:] And for the folks who are able to work from home, how
were networks and information protected during this long period of
telework?

[Jennifer Franks:] So our review found that agencies do use secure
methods, such as virtual private networks. OMB actually directed
employees at the start of the pandemic to maintain the cybersecurity of
their systems, even in this maximum telework capacity. The National
Institute of Standards and Technology has also published guidance to
help agency secure their systems in this remote environment. And these
agencies were able to quickly pivot and work remotely at home to conduct
their services and to service the needs of their organizations. Agencies
were also able to remotely patch government furnished equipment to keep
their services updated. 

[Holly Hobbs:] So did the rapid increase in telework lead to new
cybersecurity risks? 

[Jennifer Franks:] So that's a good question, and the majority of the
cyber challenges remained the same.  However, with this increase in
remote operations, organizations needed to pay attention to the aspects
of their workforce that could be targeted, such as vulnerabilities and
remote desktop technologies. They also needed to pay closer attention to
the lack of employee situational awareness to make sure that those of us
who are at home don't get too comfortable. There were also added
complexities with increasing the number of users at home. So the cyber
challenges were the same, but we just had to be a little bit more aware. 

[Holly Hobbs:] So what did agencies tell us about their experience with
telework during COVID?

[Jennifer Franks:] So overall, agencies told us that the transition to
maximum telework went relatively smoothly. And while some of the
agencies in our review told us that they had experienced an increase in
certain types of cyberattacks like phishing, they were able to maintain
their regular cybersecurity operations. 

{MUSIC}

[Holly Hobbs:] So Jennifer just told us that federal agencies we looked
at were able to ramp-up telework quickly and generally followed guidance
to do so. But that with more people teleworking for longer periods,
employees needed to be more aware of potential cyberthreats. Jennifer,
did we make any recommendations for improving federal telework access
and security moving forward? 

[Jennifer Franks:] So although we found that agencies generally follow
federal guidance in securing the systems that supported remote access
for telework, we did make 9 recommendations to 6 agencies in our report,
given that we discovered gaps in the information security documentation.
And these recommendations included that agency should document all
actions toward implementing information security controls for systems
that support remote access for telework. And then they should look at
assessing these controls. And then in the event the agencies discover
weaknesses in the controls, they should document and monitor the
remedial actions through the plans of actions and milestones. 

[Holly Hobbs:] And last question, what's the bottom line of this report? 

[Jennifer Franks:] So the bottom line is, although there were some
initial snags with rapidly moving to maximum telework at the onset of
COVID-19, agencies told us that they had generally overcome IT
challenges and had secured their systems that support remote access by
employees.

[Holly Hobbs:] That was Jennifer Franks talking about GAO's recent
review of telework during the COVID-19 pandemic. Thanks for your time,
Jennifer. 

[Jennifer Franks:] Thank you. 

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts, Spotify or
wherever you listen. And make sure to leave a rating and review to let
others know about the work we're doing. For more from the congressional
watchdog, the U.S. Government Accountability Office, visit us at
GAO.gov.