Creating a New Working Normal
The Defense Department offers a prime example of how agencies are attempting to strike that balance. In March 2022, Deputy Defense Secretary Kathleen Hicks issued a memo noting that flexibility and communication would be paramount as DOD components figure out the best work setups for their civilian employees. Absent any urgent or compelling mission needs, civilian employees who have been on full-time telework or have work schedules that differ from their organizations’ regular schedule must be given 30 days’ notice in writing prior to being recalled to the office or having their schedules changed.
Supervisors may adjust work locations and schedules for DOD civilian employees who aren’t in those categories, the memo notes. At the same time, the memo praises the department’s use of telework.
“Continuation of flexibilities used during the COVID-19 pandemic increases the DOD’s efficiency and effectiveness, as well as allows the Department to better attract and retain those with the necessary skills and abilities needed to accomplish current and future missions,” the memo states.
While it appears the Pentagon is trying to thread the needle here, the 2023 Defense Authorization bill requires the department to come up with uniform guidance by April on when flexible work arrangements will be allowed.
The DOD’s approach is laudable in that it recognizes the benefits of telework while providing agency components with the ability to bring employees back to the office if that is what the mission requires. As agencies plan for the future, this kind of flexibility will be crucial.
Making Security Dynamic from Home
At the same time, if more federal employees will be working remotely or in hybrid environments long-term, agencies need to ensure such arrangements don’t compromise their cybersecurity.
This becomes imperative as agencies move to adopt zero-trust architectures. They need to implement least-privilege policies, which limit employees’ access to only the data and systems they need to do their jobs, including on their mobile devices.
Further, identity and access management tools should be dynamic in how they identify users and their behavior so they can recognize and respond to anomalous activity, even by previously verified users. IT security teams must define the legitimate access needs of all employees and develop efficient means of enforcing the policies that apply to those users.