“The one thing that we can’t take our eye off of is that because we’ve moved into this environment, our threat landscape has changed,” says Karen S. Evans, former CIO, Department of Homeland Security.

Feb 17 2021

After Months of Remote Work, Agencies Begin Planning Ways to Bring Back Employees

Keeping workers safe in the physical office while still permitting the scaled-up level of telework are the main priorities.

When Karen S. Evans started as CIO at the Department of Homeland Security on June 1, 2020, she was a bit intimidated by the size of one of her first virtual meetings. “There were about 90 people,” she recalls. 

But it didn’t take long for her to recognize it as an opportunity. With most employees working remotely, meetings were no longer constrained by the size of a conference room. 

It was a vast improvement from what she refers to as “whispering down the lane,” when a directive gets passed along the chain of command.

“By the time it gets to the person who actually has to do the work, it probably got translated 10 to 15 ways,” says Evans, who resigned as CIO on Jan. 20. 

“Now our boss — the deputy undersecretary for management — holds town halls, and the whole directorate can get on and hear what he has to say,” she adds. “Just think about the improved communication that’s happening.”

It’s one of many silver linings that have coincided with the challenges of the COVID-19 pandemic. Since the March 2020 executive order maximizing telework, agencies have been ­devising and, as virus transmission has waned and spiked, altering plans to safely bring employees back into offices

But after months of telework, many agencies are finding productivity boosts, reduced costs and a more tech-savvy workforce. Now, as they plan to return to a post-COVID world, many are rethinking business as usual.

Agencies See Productivity Benefits in Shift to Telework 

Take the Air Force, for instance. Before the pandemic, it had just 7,000 VPN connections. “The military culture was almost solely based on in-person collaboration. With so few VPN connections on day one of telework, and VPN required to access all business, we were clearly not optimized for telework,” says Air and Space Force Deputy CIO Lauren Knausenberger. 

“However, our IT team recognized the problem quickly and rapidly scaled up to allow 400,000 concurrent users within a few weeks.”

Not only has it gone smoothly, but a survey by the Air Force’s Enterprise IT as a Service team found that people are now more satisfied with their telework IT experience than they are with the on-base IT experience.

Productivity is also up. “We already have geographically dispersed teams, and being in a collaboration suite with modern tools, automation and workflows has been huge,” Knausenberger adds. “It took COVID for us to be able to get the support needed to deploy these modern tools, and now everyone’s eyes are opened.”

At DHS, only about 10,000 of 240,000 employees worked remotely before the novel coronavirus outbreak. In March 2020, the department had to support more telework. “They were able to spin up the demand to more than 70,000 overnight,” says Evans. “We can now sustain close to 120,000 concurrent users on our VPN connections.”

She attributes the department’s quick and successful response to its modernization efforts through the years. “It’s your resiliency plans. It’s your contingency plans. It’s all the things that you put in place for when something happens. This was the ‘when something happens’ moment.”

23

Number of major agencies whose inspectors general are reviewing plans to return employees to physical work sites, or who are reviewing those plans internally

Source: IG Response Tracker, U.S. House of Representatives Subcommittee on Government Operations, Jan. 4, 2021

The activity that DHS’ CIO organization has supported for years — cloud first, data center consolidation, multifactor authentication, Homeland Security Presidential Directive 12 (a government common identification standard) — has built efficiencies to enable the department’s agility, Evans says.

“The whole promise of the cloud and network modernization was to not build the infrastructure to the nth degree, because you can’t pay for the worst-case scenario,” explains Evans. “It scales as you need it.”

To support the massive spike in remote work, DHS had to accelerate certain features in Office 365. For instance, it scaled out Microsoft Teams’ videoconferencing capabilities and ramped up its VPN capability to ensure it was reliable enough to meet the demand, “because it’s a lot different when you have 120,000 concurrent sessions going versus 10,000,” Evans says.

The Air Force had been in the ­process of deploying Office 365 and Microsoft Teams when COVID hit, and the virus expedited that rollout. Within a few weeks, it was able to deploy the software on ­government-owned and personal devices across all ­military ­services, and expand VPN access.

“Our ability to accelerate change and rapidly respond to this was truly herculean,” says Knausenberger. “When I talk about meeting the demands of a future digital fight, it’s areas like our response to COVID that give me so much hope in our ability to build a rock-solid digital foundation and improve the warfighters’ experience.”

VIDEO: What lessons have been learned in the shift to remote work? 

Cybersecurity Remains a Top Concern with Increased Remote Work

The shift in the way federal employees have been working has also changed ­agencies’ risk profiles. “The one thing that we can’t take our eye off of is that because we’ve moved into this environment, our threat landscape has changed,” Evans says. “We have to continue to anticipate what our adversaries may do and then put in proper controls for that.”

Part of the problem is that workers are connecting to resources from home networks and using personal devices; another issue is the recently ­discovered breach of several ­federal agencies, ­allegedly by a foreign adversary that tampered with legitimate software updates.

“Our adversaries are seeing additional attack surface and coming at us aggressively,” adds Knausenberger, “so we’ll have to continue to up our cyber game to keep our data secure.”

The Telework Advancement Act of 2010 requires agencies to create policies for remote work, but with the unprecedented shift to virtual work amid the pandemic, and the subsequent heightened security risks, agencies need to be more vigilant than ever, says Laura DiDio, principal at ITIC research firm.

She advises requiring VPNs, regular software patching and data backups, and separating network access and resources based on the type of device connecting. “You don’t want some teleworker’s mobile phone going into a mission-­critical mainframe without the proper ­controls,” DiDio says.

She also recommends increased ­computer security training for all employees, multifactor authentication and specific policies and procedures that are strictly enforced and reviewed ­quarterly until the end of the pandemic.

“The big headline here is, pay ­attention,” she says. “Take all your ­normal teleworking policies and put them on steroids.”

READ MORE: What are the top federal IT trends to watch for in 2021? 

Photography by Ryan Donnell