The Cybersecurity and Infrastructure Security Agency announced on May 1 the release of cybersecurity guidance documents to advise critical infrastructure operators, businesses and federal agencies on safe practices during the telework period caused by the coronavirus pandemic.
The new product line from CISA, a component of the Department of Homeland Security that regularly releases cybersecurity best practices for various sectors, will focus on secure practices when adopting or expanding an organization’s telework environment.
“As many businesses and organizations have rapidly shifted to a maximum telework environment, CISA is providing a one-stop shop of cybersecurity and resources to protect networks in this new landscape,” said CISA Director Christopher Krebs, whose agency is tasked with securing critical infrastructure and federal networks.
Much of the guidance focuses on secure videoconferencing — a challenge organizations have faced after Zoom, a popular videoconferencing platform, was found to have several security flaws. For federal agencies, CISA urges the use of Zoom for Government, a platform approved for use in the government that’s different than Zoom’s commercial offering.
CISA’s product for critical infrastructure operators using videoconferencing sites includes information on tactics that malicious actors may use to disrupt business. It also recommends security practices to adopt.
The guidance from CISA comes a week after the National Security Agency released guidance for federal agencies on securing collaboration tools while teleworking. The NSA guidance, released April 24, emphasized that agencies check a collaboration platform’s encryption capabilities and privacy policies before using the service. CISA’s new guidance also stresses the importance of end users only using agency-approved tools.
To ensure the cybersecurity of these agencies during telework, some in industry say that agencies need to ensure mobile devices are accounted for in their cybersecurity policies.
“Agencies should align desktop and mobile policies, and any new endpoint should have security and management that aligns with existing policies,” said Tim LeMaster, director of systems engineering at mobile security firm Lookout. “There has been significant investment in securing traditional endpoints like laptops, but the mass migration of government workers to teleworking means there will be a larger attack surface created by the use of mobile devices. This means agencies should expand their endpoint security to include mobile devices, including the use of mobile threat defense to bring mobile endpoint security on par with laptop security.”
In a statement, Krebs said his agency will continue to provide telework guidance as the pandemic situation evolves.
“We are working with our federal and private sector partners to understand the threat landscape and provide a central point of the latest and most up-to-date information for organizations to keep their networks and employees safe,” he said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.