House Oversight and Reform Committee Chairwoman Carolyn Maloney, D-N.Y., and several chairs of the panel’s key subcommittees today asked inspectors general (IGs) from 10 Federal agencies for assessments of any cybersecurity vulnerabilities that were created or worsened by the use of telework systems during the coronavirus pandemic, and whether any such vulnerabilities have been mitigated.
Those requests went out in letters dated today to IGs for the Intelligence Community, and the departments of State, Defense, Homeland Security, Justice, Energy, Treasury, Health and Human Services, Veterans Affairs, and Education.
“The widespread use of virtual private networks and other remote-access technologies to facilitate continuity of operations across the federal government allowed federal agencies to continue to serve the nation throughout a deadly pandemic but also created additional cybersecurity vulnerabilities that could jeopardize the integrity of federal information technology networks,” the House Democrats said.
The House members cited the recent spate of high-profile cyberattacks against government networks, and said, “The proliferation and growing sophistication of malicious state and non-state cyber actors requires federal departments and agencies to be able to maintain and protect the integrity of their information technology systems – particularly if they adopt more flexible telework policies after the coronavirus pandemic subsides.”
They also told the IGs that the Federal Information Security Modernization Act (FISMA) requires IGs to conduct annual evaluations of their agencies’ cybersecurity policies and practices, and encouraged them to conduct the requested assessments on that basis.
In particular, the House members asked the IGs to look at the security of remote connections facilitated by VPNs and virtual network controllers, the deployment by agencies of a variety of collaboration platforms, and whether agencies have “implemented security controls to prevent the unauthorized dissemination of controlled unclassified information, personally identifiable information, or sensitive but unclassified information via third-party collaboration platforms.”
They also asked the IGs to look at: identity, credential, and access management systems; distribution and management of physical assets used for telework, including laptops and smartphones; adherence to Trusted Internet Connections 3.0 guidance; how and whether agencies implemented additional security policies in response to pandemic-driven telework; and whether agencies have implemented continuous monitoring and scanning of networks to identify vulnerabilities.