The Defense Department is taking more steps to let its remote workers access sensitive, classified information outside of the Pentagon’s secure environment.
As of August, the Pentagon had expanded its remote work capabilities to about 1 million personnel through its Commercial Virtual Remote collaboration environment, which, as Nextgov reports, “facilitates the exchange of low-risk, unclassified data and communications among users.” It’s been a critical tool as the DOD has enabled widespread telework during the coronavirus pandemic.
However, DOD CIO Dana Deasy and other defense officials have indicated they are working to enable access to classified information through the CVR environment, which uses the cloud-based Microsoft Teams collaboration tool.
Deasy said in late July that his office was running “a lot of pilots” to improve the security of the CVR, FedScoop reports. “We are confident we will rise to the challenge by leveraging our innovative ecosystem,” Deasy said at the time. He noted that the Pentagon and its users are continually facing cyberattacks. “When you move to cloud … the adversary is going to pivot and try to exploit,” he said.
If the DOD were to enable such a shift widely across its enterprise, it would represent a sea change for the risk-averse Pentagon. “COVID-19 must be a wake-up call that to sustain this critical public-private partnership we must take a hard look at what really needs to be classified, who truly needs a clearance, and how we can maintain a nimble, skilled, and diverse national security workforce while still protecting our nation’s secrets,” Mark Testoni, CEO at SAP National Security Services, tells FedScoop.
DOD Sees Value in Teleworkers Accessing Classified Data
Defense IT officials see the Pentagon at a turning point when it comes to accessing classified information in settings outside of the traditional sensitive and compartmented information facilities.
“In the secret and top secret realm, we have kind of cracked how to do telework in that way,” Lauren Knausenberger, chief transformation officer at the U.S. Air Force, said during an event hosted by Nextgov in early August, according to Nextgov. “It’s just that doing that at scale … What does that scale mean? It’s not really a technical problem as much as it’s a, ‘Let’s make decisions and provision.’”
Stephen Wallace, systems innovation scientist within the Defense Information Systems Agency’s Emerging Technology Directorate, confirmed Deasy’s remarks and said that the Pentagon is conducting pilots to enable remote workers to access classified information.
“There’s generally more acceptance … of software-oriented separation,” Wallace said, also at the Nextgov event. “Those kinds of things may drive some commoditization in that space where we’re using attributes about data or people or those kinds of things to help create separation versus physically having different stacks of equipment.”
DISA had been working on a prototype classified remote Windows capability early in the pandemic, but later shifted its focus to turning it into a widely used product, Nextgov reports.
“Since then, we’ve put a tremendous more amount of capability out there with respect to how to deal with classified missions, both on-premise and off,” Wallace said. “I’m pretty excited about where that’s gone.”
Deasy’s goal is to get the CVR environment up to Impact Level 5 by the end of 2020, “which would allow it to host the Defense Department’s most sensitive unclassified data,” Nextgov reports. “Any potential telework solutions to host data at the secret designation or above would have to meet Impact Level 6 security requirements,” the publication adds.
Meanwhile, the Army has been working on a pilot to give users access to nonclassified but sensitive information and classified information up to the secret level, C4ISRNET reports. CDW is an approved NSA Commercial Solutions for Classified technical integrator and is in the process of deploying a CSfC solution for the Army that will allow users to access multiple networks through a single device.
The solution enables users to log in to a virtual desktop infrastructure environment from their devices. Within that virtual environment, a single device can reach multiple VPNs, each governed by different firewalls that control how traffic may travel depending on the network the user is trying to access.
Essentially, users establish the first VPN and then, depending on the network they are trying to access, create additional VPNs that branch off the preceding one. Users access networks and data via virtual machines. None of the data they access is stored locally on their devices, and once they turn off the virtual machine, the information disappears as well.
Importantly, from a security perspective, users sign in with the same account and Common Access Card technology they would use when logging in from a government office.
As users move up into classified networks, they need physical cards and certificates in addition to their usernames and passwords, ensuring multiple factors of authentication. For the Army, this is especially useful because it does not have to provision multiple user accounts for users to access these networks; users simply need to be trained on the new setup.