NSA Publishes Security Guidelines for Government Employees Working Remotely

The National Security Agency (NSA) is letting US government employees who are working remotely keep their communications safe.

With the corona virus keeping a major population of the United States (and indeed, other nations) isolated at homes, a lot of work that is essential for services and organizations to run has shifted purely online, with the necessary employees working from home. This telework mode has brought in a lot of issues when it comes to cybersecurity. The number of government employees using their mobile and computers to connect with each other or government networks are usually unsafe and not that much protected.

In light of this, the NSA has published a document that advises government employees a number of things to consider when teleworking. The document mostly covers what it describes as collaboration services, a broader term to cover multitude of communication and working services available online.

Criteria for Collaboration Services

The criteria is a 9 point agenda that covers the security of the applications themselves:

1. Does the service implement end-to-end encryption?
2. Are strong, well-known, testable encryption standards used?
3. Is multi-factor authentication (MFA) used to validate users’ identities?
4. Can users see and control who connects to collaboration sessions?
5. Does the service privacy policy allow the vendor to share data with third parties or affiliates?
6. Do users have the ability to securely delete data from the service and its repositories as needed?
7. Has the collaboration service’s source code been shared publicly (e.g. open source)?
8. Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
9. Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Comparison of Collaboration Tools

In order to give government employees an idea of how secure different and popular collaboration tools are, it gave table that compared them against different criteria:

How to Use Collaboration Services Securely

NSA’s document goes on to further explain that even though a collaboration tool and software may have a good protection, if the computer of device it is working on is itself compromised, there may not be much that can be done. To ensure that devices are secure, the document gives 7 points to ensure security of devices:

1. If possible, use government furnished equipment (GFE) that is managed and intended for government use only and secure services designed for government use.
2. If you download a collaboration service app, be sure you know where it came from.
3. Ensure that encryption is enabled when initiating a collaboration session.
4. Use the most secure means possible for meeting invitations.
5. Verify that only intended invitees are participating before beginning, and throughout, each session.
6. Ensure that any information shared is appropriate for the participants.
7. Ensure that your physical environment does not provide unintentional access to voice, video, or data during collaboration sessions.

NSA has said that the information it has collected is based on publically available literature and data. It has made clear that it has not tested the applications and as such, employees must make their own final judgement.