NIST issues draft cybersecurity guidelines for teleworking

NIST is seeking comments on two draft guidelines that would shore up defenses for remote workers

The National Institute of Standards and Technology this week released draft guidelines to bolster cybersecurity in agencies that routinely allow teleworking — just in time for the unprecedented shutdown of the capital’s Metrorail system Wednesday that prompted the federal government to allow its employees to telework. 

As flexibility and mobility are increasingly at the top of agency priority lists, the trend toward remote working and allowing employees to use their personal devices in the workplace is growing across the public and private sectors alike — to the point that employees have come to expect it.

“This model of allowing access to data and resources anytime, anywhere, anyplace is the new norm,” Murugiah Souppaya, author of NIST’s new guidelines, told FedScoop. “In the future this will be the norm for enterprise — no agency will set up structure without it. For organizations that are so distributed, connected all the time, working all the time — if we don’t provide these capabilities we won’t keep good people.”

According to NIST, however, the unsecured nature of data transfer through personal devices is putting sensitive information at risk and providing opportunities for hackers to play the middle man between the office and the worker. To combat these risks, NIST has updated its outdated 2009 teleworking guidelines with new considerations for mobile devices and laptops that straddle the line between work use and personal use.


“[Bring your own device] is becoming the new buzzword these days,” Souppaya said. “The adoption of BYOD and mobile devices is seeing a huge surge. Most of our recommendations from 2009 are still valid, but we made tweaks and changes. This is a new technology gap that we are trying to fill out.”

Among NIST’s new recommendations is the implementation of virtual mobile infrastructure technologies, which give teleworkers who need to access organizational data a temporary, secure environment that is destroyed when the session is over.

Another promising security resource is mobile device management technology, which can force devices to adhere to certain security standards before granting them access to sensitive data.

Souppaya said that the new guidelines, although tailored for federal agencies, have lessons for the private sector.

“We believe that the tech that government and industry are using — if you think about financial, health care, energy — we all are using the same technology. The same iPhones and the same Blackberries. It’s all uniform,” he said.


“Our guidelines are very applicable to all sectors.”
