National Security Agency Releases Cybersecurity Guidance for Remote Workers

May 1, 2020

The U.S. National Security Agency (NSA) has released Selecting and Safely Using Collaboration Services for Telework, cybersecurity guidance which contains a snapshot of current, commercially-available collaboration tools available for use, along with a list of security criteria to consider when selecting which capability to leverage. In addition, the guidance contains a high-level security assessment of how each capability measures up against the defined security criteria, which can be used to more quickly identify the risks and features associated with each tool.

The primary audience for this guidance are U.S. Government employees and military service members engaging in telework, especially telework employing personally owned devices such as smartphones and home computers.

Collaboration services vary widely in the cybersecurity functionality and assurance that they offer. By using the objective criteria detailed below, government employees and organizations can make more informed decisions about which collaboration services meet their particular needs. By following the practical guidelines, users can draw down their risk exposure and become harder targets for malicious threat actors.

Note that individual departments and agencies may provide specific services or issue specific direction for their teleworkers.

Criteria to Consider When Selecting a Collaboration Service

Does the service implement end-to-end encryption?
Are strong, well-known, testable encryption standards used?
Is multi-factor authentication (MFA) used to validate users’ identities?
Can users see and control who connects to collaboration sessions?
Does the service privacy policy allow the vendor to share data with third parties or affiliates?
Do users have the ability to securely delete data from the service and its repositories as needed?
Has the collaboration service’s source code been shared publicly (e.g. open source)?
Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Using Collaboration Services Securely

If possible, use government furnished equipment (GFE) that is managed and intended for government use only and secure services designed for government use.
If you download a collaboration service app, be sure you know where it came from.
Ensure that encryption is enabled when initiating a collaboration session.
Use the most secure means possible for meeting invitations.
Verify that only intended invitees are participating before beginning, and throughout, each session.
Ensure that any information shared is appropriate for the participants.
Ensure that your physical environment does not provide unintentional access to voice, video, or data during collaboration sessions.

Assessment of Common Collaboration Services Against the Criteria

The table below presents an initial assessment of how available commercial collaboration services satisfy NSA security criteria.

According to the NSA, the selection of services for this initial assessment was driven by inquiries and usage from across NSA's national security customer base; this is not a comprehensive list of services or possible criteria. NSA analysts gathered factual material from published company literature and product specifications, supplemented by other openly published analyses and basic hands-on technical observation. No formal testing was performed on products or services for this analysis. These assessment findings are meant to serve as an input for government employees and organizations. Users of these services must exercise judgment when choosing a service for their particular mission telework needs, says the NSA.

NSA criteria

Legend: Y = Yes, N = No; (a) text chat, (b) voice conferencing, (c) video conferencing, (d) file sharing, (e) screen sharing.

1 Configurable

2 Free Version - N

3 No Published Details

4 Partial

An extended version of Selecting and Safely Using Collaboration Services for Telework is also available.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

National Security Agency Releases Cybersecurity Guidance for Remote Workers

Related Articles

Related Events

Report Abusive Comment