Jul 16 2020

How Remote Workers Can Safely Access Classified Data

Commercial solutions are increasingly enabling users to gain access to networks that they previously could enter only in the office.

As federal agencies have adapted to allowing vast numbers of users to work from home, some of them have had to adapt to the fact that users at home are operating in unclassified environments. For example, Defense Intelligence Agency CIO Jack Gumtow says that the DIA had to revamp even seemingly simple processes, such as maintaining email distribution lists.

“I’ve often said that I cannot live within a zero-risk environment and implement capabilities that are totally secure,” Gumtow recently told FedTech. “Anything done on the unclassified environment, by its nature, is not secure. My goal has been to implement capabilities that provide a level of security that is commensurate with the level of operations and work being conducted.”

However, what if agencies that need to have users access secure systems, and even classified data, could enable them to do so from home? Increasingly, that is becoming possible, thanks to commercially available technology. 

The National Security Agency’s Commercial Solutions for Classified program certifies commercial network solutions that agencies can use to create secure, encrypted networks. The program is designed to enable commercial products for use in layered solutions protecting classified National Security Systems data.

The government is pushing agencies to embrace commercial solutions, including those that can be used to access classified networks, because they tend to be less costly than proprietary government solutions. Users also tend to understand commercial technology tools more easily because they interact with them in their lives outside the office.


Army Tests a New Network Access Model

CDW is an approved NSA Commercial Solutions for Classified technical integrator and is in the process of deploying a CSfC solution for the Army that will allow users to access multiple networks through a single device. 

The Army is finalizing a pilot to give users access to nonclassified but sensitive information and classified information up to the secret level, C4ISRNET reports.

The solution enables users to log in to a virtual desktop infrastructure environment from their devices. In that virtual environment, from a single device users can access multiple VPNs, with different firewalls that control how traffic can travel, depending on what the user is trying to access. 

Essentially, users establish the first VPN and then, depending on the network they are trying to access, they create additional VPNs that branch off the preceding one. Users access networks and data via virtual machines. None of the data they access is stored locally on their devices, and once they turn off the virtual machine, the information disappears as well.

Importantly, from a security perspective, users rely on the same account and Common Access Card technology they would use if they were logging in from a government office.

As users move up into classified networks, they need to have physical cards and certificates along with their usernames and passwords to ensure multiple factors of authentication. For the Army, this is especially useful because it does not have to provision multiple user accounts for users to access these networks. Users simply need to be trained on the new setup. 

Lt. Gen. Bruce Crawford, the Army CIO, said on a webinar in early June that before the coronavirus pandemic, the Army was “probably a year and a half” away from launching such a capability, but that the pandemic accelerated the rollout. The Army originally expected to have 500 users on the system by the end of August, 1,000 by the end of 2020 and 2,000 by next summer, but the pandemic could push those numbers higher.

Notably, the Defense Department is looking to make part of its shift to telework permanent. Indeed, 81 percent of DOD IT and program managers said they want to see DOD telework more frequently after the pandemic, according to new MeriTalk research underwritten by Microsoft.

Getting Access to Secure Networks

The main benefit of the solution the Army is deploying is that users can gain access to networks they normally would not be able to get into outside of the office.

Most agencies have out-of-band networks that administrators have access to, and they are usually highly restricted, often accessible only via specific machines in offices. 

With the new solution, agencies can configure their VPNs to give users access to such networks from home. That’s especially useful for agencies that want to avoid users congregating in offices to limit the spread of the coronavirus. 

This is useful not just for intelligence analysts but also for, say, budget analysts or contract officers who need to access secure contracting networks or data.

Many of those networks were restricted for very valid reasons. With the new network access control protocols that can be enabled, agencies can restrict who has access to networks on a granular basis and avoid data spilling out. 

The work of the government needs to go on, even with many users working from home. Emerging technologies can enable agencies to safely ensure access to sensitive and classified information, keeping both users and data safe. 

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
