Top Secret Telework


After a federal employee allegedly leaked a trove of confidential documents to anti-secrets website WikiLeaks, the government responded with tighter controls on information sharing. But hunkering down on unauthorized access to official data hasn’t necessarily disconnected teleworkers, say current and former federal security officials. 

If information sharing and information protection can coexist then so can telework and data security, as evidenced by the actions of the Office of the National Counterintelligence Executive, or ONCIX, as well as the Defense Department and the Office of Management and Budget. In October 2011, President Obama issued an executive order directing agencies to retrofit classified networks with safeguards to stop intrusions and unauthorized downloads. An interagency insider threat task force, managed by ONCIX, was created to instruct departments on controlling employee access, even at off-site locations. 

Task force members are looking at how to apply protections so that they don’t conflict with telework laws. ONCIX officials acknowledge the controls must comply with 2010 legislation that calls for harnessing technology to expand the remote workforce. Separately, the Pentagon is instituting congressionally mandated insider threat detection systems at its classified telework center in Virginia. And OMB released new baseline protocols for securing data when teleworking. 

One possible reaction to the data-control policies would have been to say “no telework,” says Josh Sawislak, a former General Services Administration official who was responsible for cybersecurity and remote-work issues. But, he adds, “the administration is trying to fix the leak problem without causing collateral damage on telework.” 

New protections could add complexity to a work style known for its efficiency, but no more so than with the widely popular cloud, according to Sawislak. Agencies are embracing cloud computing—logging on to off-site systems through either the Web or a classified network—for many of the same reasons telework is encouraged, he notes. “In the cloud environment, everybody is a remote worker,” says Sawislak, now a senior fellow at the Telework Exchange, a public-private advocacy group. 

“Technology is not what’s keeping people from being able to work on classified information from a remote location,” he says, adding the main deterrents are the price of security tools and availability of accredited office space. “You’re obviously not going to sit in your living room with the highest level of classified information.” Nor would you want your most secret info lying around in a commercial cloud provider’s data center, he says. 

ONCIX officials make the case that until the task force works out options, the only means of classified telework is the flexiplace concept—a more convenient work site that is government-run. 

The Office of Personnel Management declined to discuss whether telework has or will decrease as a result of recent breaches, such as the WikiLeaks scandal. In response to questions, OPM officials referred to a summer 2011 OMB telework memorandum aimed at preventing security incidents that reiterates policies for protecting remote devices, such as the National Institute of Standards and Technology’s 2009 guidelines. The bulletin instructs officials to follow the procedures that best fit their needs. 

The memo also sets a new threshold for managing remote workers. Federal telework policies now must spell out rules for controlling access to agency information, protecting the data and safeguarding employee-owned mobile devices used for work. Policies also must address “preventing inappropriate use of official time or resources . . . by viewing, downloading, or exchanging pornography, including child pornography.” 

Defense spokeswoman Lt. Col. April Cunningham says the October executive order to tighten classified system controls isn’t necessarily making military telework more expensive or complicated. Most Pentagon teleworkers deal with unclassified materials that aren’t subject to special internal surveillance, she says. 

Only the Defense Information Systems Agency operates a classified telework center. The facility, located in Woodbridge, Va., is for personnel who otherwise would have to endure the region’s notorious rush-hour traffic to reach DISA’s new headquarters at Fort Meade, Md. The agency relocated as part of a recent base closure and realignment initiative. “Our agency leadership is very supportive of telework, and the agency has implemented the tools, processes and policy to use it effectively and securely,” DISA spokeswoman Laura Williams says. 

Technology at the telework center bans the use of CDs, jump drives and other removable storage devices. A tool called the Host-Based Security System blocks unauthorized applications and spots rogue systems on the network. This year, the Pentagon is rolling out special smart card tokens that personnel will need to sign on to the Secret Internet Protocol Router Network, which handles the military’s classified data. That’s the system Pfc. Bradley Manning allegedly tapped into to aid WikiLeaks. Military employees will need the tokens to log on at the telework center or any other workstation hooked up to SIPRNET. The added layer of protection is separate from a password, badge or smart card ID. 

“Like all other computers that connect to the department’s secret network, the computers in the DISA telework center also comply with all DoD policies regarding the cybersecurity of classified systems, including DoD policies and procedures for the use of removable media on classified systems,” Cunningham says. Defense is “driving out anonymity and increasing accountability by giving a cyber identity credential to every DoD person and requiring their use on classified networks.” 

According to Sawislak, opening more classified telework centers would reduce lengthy commutes, but so far they haven’t proved inherently useful. “In the past, the government contracted for a dozen or so telework centers without looking at the need or in great detail where they were located,” he says. “The goal to success in this area is to figure out the problem and find a flexible solution that addresses the problem at a reasonable cost that is outweighed by the benefits.”

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.