[Federal Register: March 2, 2007 (Volume 72, Number 41)]
[Notices]
[Page 9532-9535]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr02mr07-46]

GENERAL SERVICES ADMINISTRATION

[FMR Bulletin 2007-B1]

Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs

AGENCY: General Services Administration.

ACTION: Notice.

SUMMARY: This bulletin establishes guidelines for implementing and operating telework and other alternative workplace arrangement programs through the efficient and effective use of information technology and telecommunications. These policies are designed to assist agencies in the implementation and expansion of Federal alternative workplace arrangement programs.

EFFECTIVE DATE: March 2, 2007.

FOR FURTHER INFORMATION CONTACT: For further clarification of content, contact Stanley C. Langfeld, Director, Regulations Management Division (MPR), General Services Administration, Washington, DC 20405; or stanley.langfeld@gsa.gov.

Dated: February 21, 2007.

Kevin Messner,
Acting Associate Administrator, Office of Governmentwide Policy.

General Services Administration

[FMR Bulletin 2007-B1]

Real Property

TO: Heads of Federal Agencies

SUBJECT: Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs

1. Purpose: This bulletin establishes guidelines for implementing and operating telework and other alternative workplace arrangement (AWA) programs through the efficient and effective use of information technology and telecommunications.

2. Expiration Date: This bulletin will remain in effect indefinitely until specifically cancelled.

3.
Definitions: Following are terms and definitions used in and for the purpose of this bulletin:

a. Agency Worksite--An agency worksite is the post of duty to which an employee would report if not teleworking.

b. Alternative Worksite--An alternative work location used by teleworkers while teleworking.

c. Broadband--Broadband is a term that commonly and loosely refers to high speed data transmission service. When such service is used for connections to the internet, the Federal Communications Commission (FCC) defines two types of connections: (1) high-speed lines that deliver services at speeds exceeding 200 kilobits per second (kbps) in at least one direction, and (2) advanced services lines that deliver services at speeds exceeding 200 kbps in both directions (see FCC News Release entitled ``Federal Communications Commission Releases Data On High-Speed Services for Internet Access, High-Speed Connections to the Internet Increased by 33% in 2005,'' dated July 26, 2006, http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-266593A1.doc).

d. Dial-up--Dial-up refers to the use of an analog telephone line for accessing the internet and remotely connecting to and from an alternative worksite to an agency Information Technology (IT) system. Dial-up access uses normal telephone lines for data transmission and generally has a lower data transfer rate as compared to other internet services.

e. Docking Station--A docking station is a piece of equipment that is used with a laptop computer to allow for the convenient and quick connection of peripheral and/or telecommunications (internet access, for example) equipment by providing the laptop with additional ports, expansion slots, and bays for various types of peripherals and other connections. Typically, the docking station is continuously located in a given workstation and continuously connected to peripherals and telecommunications access; the laptop is slipped in and out of the docking station, as needed.
A docking station also enables use of the laptop to resemble the use and convenience of a desktop computer by enabling the user to operate the laptop with a full size external keyboard, monitor, and/or mouse. Thus, a docking station maintains the flexibility of a laptop while giving it the functionality of a desktop computer.

f. External Information Systems--Information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); privately-owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers or airports); information systems owned or controlled by non-federal governmental organizations; and federal information systems that are not owned by, operated by, or under the direct control of the organization.

g. One Computer Model--Teleworker use of a single computer, usually a laptop, that is transported to all worksites (typically back and forth between an alternative worksite and the agency worksite). The One Computer Model contrasts with multi-computer situations in which the teleworker has a separate computer for use at each worksite and, typically, each of these computers remains at the worksite and is not transported around.

h. Remote Access Servers (RAS)--Remote access servers provide internet and dialup access to the office local area network (LAN). The RAS authenticates the user through a password or stronger mechanism; it then allows the user to access files, printers, or other resources on the LAN.
The chief benefit of a RAS is in providing a conveniently packaged comprehensive solution to offsite access needs. Typically, the servers include support for internet-based voice communications, virtual private networks (defined below), and authentication in a package designed to make it easier for administrators to establish and maintain user privileges.

i. Telework--Telework is work performed by an employee at an alternative worksite, which reduces or eliminates the employee's commute or travel to the agency worksite. Alternative worksites may include the employee's home, telework center, satellite office, field installation, or other location.

j. Virtual Private Network (VPN)--The National Institute of Standards and Technology (NIST) defines VPN as ``a logical network that is established, at the application layer of the Open Systems Interconnection (OSI) model, over an existing physical network and typically does not include every node present on the physical network.'' Further, NIST describes how VPN technology uses the internet as the transport medium and employs security measures to ensure that the communications are private. Although VPN traffic crosses the internet, VPN protection prevents most unauthorized users from reading and/or modifying the traffic (see NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications, http://csrc.nist.gov/publications/nistpubs/800-46/sp800-46.pdf).

4. Background:

a. 40 U.S.C. Sec. 587(c)(3) [Public Law 104-208, div. A, title I, Sec. 101(f) [title IV, Sec. 407(a)] (September 30, 1996)), as revised, restated and recodified without substantive change by Public Law 107-217 (August 21, 2002)] authorizes GSA to provide guidance, assistance, and oversight, as needed, regarding planning, establishment and operation of AWA programs.

b.
In accordance with Section 359 of Public Law 106-346, effective October 23, 2000, each Executive agency must establish a policy under which eligible employees of the agency may participate in telecommuting to the maximum extent possible without diminished employee performance.

c. Public Law 104-52, Treasury, Postal Service, and General Government Appropriations Act, 1996, title VI, Sec. 620 (November 19, 1995), 31 U.S.C. Sec. 1348 note, provides as follows:

``Notwithstanding any provisions of this or any other Act, during the fiscal year ending September 30, 1996, and hereafter, any department, division, bureau, or office may use funds appropriated by this or any other Act to install telephone lines, and necessary equipment, and to pay monthly charges, in any private residence or private apartment of any employee who has been authorized to work at home in accordance with guidelines issued by the Office of Personnel Management: Provided, That the head of the department, division, bureau, or office certifies that adequate safeguards against private misuse exist, and that the service is necessary for direct support of the agency's mission.''

d. Public Law 107-347, The E-Government Act of 2002 (December 17, 2002), recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, referred to therein as the Federal Information Security Management Act of 2002 (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.

e. GSA Federal Management Regulation (FMR) Bulletin 2006-B3--Guidelines for Alternative Workplace Arrangements, effective March 17, 2006, sets forth the parameters for establishing agency AWA programs.

5. Further Information: For further information, contact Stanley C.
Langfeld, Director, Regulations Management Division, Office of Real Property Management (MP), at (202) 501-1737; or stanley.langfeld@gsa.gov.

Guidelines for IT and Telecommunications for Federal Telework and Other AWA Programs

I. Basic Equipment Recommendations

a. An agency may provide employees with computer equipment, associated peripheral equipment (e.g., printer, copier, scanner, facsimile), telecommunications, and associated technical support for the implementation and expansion of telework in the Federal Government. The agency may provide the level and configuration of these resources that it deems necessary for mission accomplishment. To make this determination, an agency may consider factors such as the teleworker's job requirements, frequency of telework, and other work-related parameters. In addition, the agency is advised to review the 2006 Telework Technology Cost Study, which concluded that the One Computer Model is advantageous from both a value added cost perspective and from a multi-purpose perspective. The 2006 Telework Technology Cost Study is located in the GSA Telework Library at http://www.gsa.gov/telework.

b. An agency may establish a policy that provides that teleworkers utilize their respective alternative worksite equipment and associated technical support for continuity of operations (COOP) purposes. In addition to facilitating COOP responsiveness, this dual-purpose use of telework resources can (1) increase the agency's return on investment for the cost of those resources, as well as (2) reduce agency COOP costs.
The NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, provides instructions, recommendations, and considerations for government IT contingency planning (see http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf), and NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, provides additional recommendations and related information (see http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf).

c. An agency may provide teleworkers with equipment that is no longer needed for its original purposes, such as when equipment is replaced during a refresh cycle. This strategy can maximize the value of federal IT investments through the 're-use' or 're-purposing' of equipment to help implement or expand an agency telework program. In accordance with 41 CFR 102-36.30 and 102-36.35, even though equipment may no longer be used for its original purpose, employee, or location, the agency must determine if the equipment can serve other agency uses, such as in alternative worksites. The equipment officially does not become excess until the agency determines that the agency has no further use for the equipment, including use in main or alternative worksites.

II. Telecommunications and Internet Services

a. Public Law 104-52, section 620, 31 U.S.C. 1348 note, authorizes agencies to use appropriated funds to install telephone lines and necessary equipment, and to pay monthly charges, in any private residence of an employee who has been authorized to work at home in accordance with the guidelines issued by the Office of Personnel Management. The head of the department, division, bureau, or office must certify that adequate safeguards against private misuse exist, and that the service is necessary for direct support of the agency's mission. This authority includes facsimile machines, internet services, broadband access, e-mail services,
Voice over Internet Protocol equipment and services, desktop videoconference equipment and services, and, in general, any other telecommunications equipment and services the agency deems needed by individuals working in any authorized alternative worksite.

b. As described above, agencies are authorized to provide and/or pay for installation and operation of a dedicated voice line for teleworker use at an alternative worksite. Regardless of whether or not, or the extent to which, an agency provides resources for such a line, a dedicated voice line is recommended so that (1) managers, co-workers, clients, and/or other work-related personnel are not prevented from reaching a teleworker due to the tying up of a teleworker's phone line by online or other data use activity and (2) teleworkers do not put themselves at risk by tying up their personal voice line with business activity. Agencies may carry out this recommendation through the use of landlines and/or cell phones.

c. The authorities described above also authorize agencies to pay equipment costs, usage fees, and service charges for all authorized methods of connectivity (e.g., dial-up, high-speed, wireless, satellite) utilized for official business at alternative worksites.

d. Factors such as teleworker job requirements, telecommunications service availability, and quality and cost of service at the alternative worksite should be used to determine teleworker connectivity. Various types of high-speed telecommunication services are available in many areas and not in others. Speed, performance, reliability, and cost are factors to consider when determining how to meet connectivity requirements. In some instances, for example, in which an analog telephone line is the only available connectivity solution, the resulting dial-up access may be sufficient, depending on the teleworker's job requirements. Agency policies should address the equitable provisioning of these resources.
It is recommended that agencies implement more than one type of connectivity because of variations in service availability, teleworker job requirements and modes of operation, and other factors that impact the type of connectivity required.

e. Security and connectivity requirements vary according to whether or not a teleworker's job requires interacting with an agency's centralized IT systems. Teleworkers who do not require interaction with an agency's centralized IT systems may be able to telework successfully using only e-mail and telephone contact with the office, without logging into the agency system. For example, a user who teleworks one or two days per week, and whose job consists largely of writing and document preparation, may never need to log in to agency systems from an alternative worksite. Provided that they are not sensitive or do not contain personally identifiable information, documents can be e-mailed back and forth between the agency system and the user's e-mail account. In this scenario, e-mailing a document from an alternative worksite to the agency system does not require the teleworker to interact with the system. In general, there are many firewall implementations that use an electronic mail proxy to allow access to the files on a protected system without having to directly access that system. Alternatively, the teleworker may physically transport the documents on portable storage media.

When teleworkers need to access the agency's centralized IT systems, it is necessary, at a minimum, to allow for remote logins from the alternative worksite computer. In this case, strong authentication (at least ``two factor authentication'') is required to minimize the vulnerabilities in providing external access. This solution is sufficient for teleworkers requiring minimal access to internal resources, such as some types of intranet access.
NIST provides detailed guidance on this issue in Special Publication 800-63, its document on electronic authentication, and agencies are advised to review and comply with this guidance (see http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf).

Some teleworkers, however, may require more involved access to internal resources. In this case, a more secure solution, such as a VPN, should be used. A VPN can provide a high level of security and convenience for the teleworker. Encryption protects all interaction between the offsite computer and the main office, so that in many ways the user's offsite computer is as secure as one on the main office local network. This approach makes it possible to allow offsite users to operate applications such as scheduling, budget analysis, or other complex systems from the alternative worksite. The tradeoff for a VPN is in cost and complexity of administration. Note also that operating a VPN does not guarantee protection from viruses and e-mail worms. The agency Chief Information Officer (CIO), in conjunction with other agency officials (such as telework and/or human resources management policy providers), should examine job requirements and provide policy, guidance, and appropriate secure system access.

f. Agencies should be aware and take advantage of the potential utility and other benefits of audio teleconference and web conference capabilities for their respective telework programs. These capabilities can be excellent tools to facilitate productivity, agency cost savings (from reduced travel expenses, for example), and other benefits for all employees, in general, and for teleworkers, in particular.
Agency telework program planners and implementers should be aware of and utilize the relevant telecommunications products, tools, information, and services that are available in their existing contracts and/or from service providers, such as the GSA Global Account Manager (http://www.gsa.gov/networkscvs), or equivalent sources and providers.

III. Security

a. According to an Office of Management and Budget (OMB) memorandum entitled ``Protection of Sensitive Agency Information,'' dated June 23, 2006, which addresses the lack of physical security controls when information is removed from or accessed from outside the agency location, agencies should implement the NIST checklist for protection of remote information (see http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf), and:

(1) Encrypt all data on mobile computers and devices that carry agency data, unless the agency determines that the data are non-sensitive;

(2) Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

(3) Use a ``time-out'' function requiring user re-authentication after thirty (30) minutes of inactivity for remote access and mobile devices; and

(4) Log all computer-readable data extracts from databases holding sensitive information and verify that each such extract has been erased within ninety (90) days or that its use is still required.

b. FISMA delegates to NIST the responsibility to develop detailed information security standards and guidance for federal information systems, with the exception of national security systems. Agency personnel involved in planning, implementing, and/or operating telework programs should consult the Web site of NIST's Computer Security Resource Center (see http://csrc.nist.gov) for up-to-date information and guidance on secure computing. Listed below are key documents that can assist in the implementation of secure telework operations.
(1) Security for Telecommuting and Broadband Communications (NIST Special Publication 800-46 (2002)), assists organizations in addressing telework security issues by providing recommendations on securing a variety of applications, protocols, and network architectures (see http://csrc.nist.gov/publications/nistpubs/800-46/sp800-46.pdf).

(2) Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53, Rev. 1 (2006)), provides important guidance on security controls selection and specification, including information on Media Protection, Certification, Accreditation, Security Assessments, Identification and Authentication families, updating security controls, and the use of external information systems (see http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1).

(3) Information Security Handbook: A Guide for Managers (see http://csrc.nist.gov/publications/nistpubs/#sp800-100).

(4) Security Management and guidance (see http://csrc.nist.gov/

c. Agencies should review and comply with applicable controls and guidance, especially sections on portable devices, remote access, and external IT systems set forth in NIST Special Publication 800-53, Rev. 1, when developing telework program implementation guidelines. Listed below are selected controls and guidance from NIST Special Publication 800-53, Rev. 1:

(1) Access Control for Portable and Mobile Devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations):

i. Establish usage restrictions and implementation guidance for organization-controlled portable and mobile devices;

ii. Authorize, monitor, and control device access to organizational information systems;

iii.
Require that portable and mobile device access to organizational information systems be in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).

(2) Remote Access:

i. Authorize, monitor, and control all methods of remote access to the information system. Remote access controls should be applied to all information systems other than public web servers or systems specifically designed for public access;

ii. Restrict access achieved through dial-up connections (e.g., limit dial-up access based upon source of request) or protect against unauthorized connections or subversion of authorized connections (e.g., using VPN technology). NIST Special Publication 800-63 provides guidance on remote electronic authentication;

iii. Employ automated mechanisms to facilitate the monitoring and control of remote access methods;

iv. Use cryptography to protect the confidentiality and integrity of remote access sessions;

v. Control all remote accesses through a limited number of managed access control points; and

vi. Permit remote access for privileged functions only for compelling operational needs and document the rationale for such access in the security plan for the information system.

(3) Use of External Information Systems Control:

i. Establish terms and conditions for authorized individuals to: (A) access the information system from an external information system; and (B) process, store, and/or transmit organization-controlled information using an external information system.
Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system. This control does not apply to the use of external information systems to access organizational information systems and information that are intended for public access (e.g., individuals accessing federal information through public interfaces to organizational information systems).

ii. Establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions should address, at a minimum: (A) the types of applications that can be accessed on the organizational information system from the external information system; and (B) the maximum Federal Information Processing Standard 199 security category of information that can be processed, stored, and transmitted on the external information system.

iii. Prohibit authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization: (A) Can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (B) has approved information system connection or processing agreements with the organizational entity hosting the external information system.

IV. Privacy

Agencies should review the OMB memorandum entitled ``Safeguarding Personally Identifiable Information,'' dated May 22, 2006, and ensure that their respective telework technology infrastructures, practices and procedures are in compliance with that memorandum and the Privacy Act. The OMB memorandum reemphasizes the many responsibilities under law and policy to safeguard sensitive personally identifiable information appropriately.
Among other things, the Privacy Act requires each agency to establish:

``Rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Privacy Act], including any other rules and procedures adopted pursuant to [the Privacy Act] and the penalties for noncompliance;'' [and]

``appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.'' (5 U.S.C. 552a(e)(9)-(10))

V. Training

Teleworkers should receive adequate training on the use of IT systems and applications needed for effective job performance. This should include any specialized training associated with (1) effective use of remote access and other resources needed for working remotely, and (2) security awareness and responsibility. In addition, agencies are encouraged to provide opportunities for teleworkers to practice in a telework situation.

VI. Technical Support

a. Agencies should (1) provide adequate and effective Help Desk support for teleworkers, and (2) require Help Desk personnel to possess the skills, procedures, and resources needed for resolving teleworker issues, such as remote access hardware and software issues.

b. Where feasible and applicable, agencies should provide routine systems maintenance via remote transmission procedures such as transmitting (``pushing'') software and system upgrades out to the teleworker's alternative worksite as opposed to requiring the teleworker to bring a computer to the agency worksite for maintenance.

VII. Additional References and Resources

a.
Office of Management and Budget (see http://www.whitehouse.gov/omb/memoranda/m03-18.pdf).

b. Government Accountability Office (see http://www.gao.gov).

VIII. Commonly Asked Questions

a. May an employee use his or her own personal computer equipment to conduct official business from an alternative worksite? If so, who is responsible for maintaining an employee's personally-owned equipment that is used for official business?

Yes, provided certain conditions are met, agencies may permit employees to use personally-owned equipment to conduct official business. If an agency permits the use of personally owned equipment, the employee must agree to allow the agency to (1) configure that equipment with the proper hardware and software necessary for secure and effective job performance, and (2) access the equipment, as needed, to verify compliance with agency policy and procedures. Additional conditions that must be met are set forth in NIST Special Publication 800-53, Rev. 1, on page 64, as follows:

``The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization: (i) Can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or (ii) has approved information system connection or processing agreements with the organizational entity hosting the external information system.''

If the agency allows the use of personally-owned equipment for official business, then the telework agreement should clearly identify the employee's and agency's obligations for appropriate operation, repair, and maintenance of the equipment. While agencies are responsible for Government-owned equipment regardless of location, they are not required to be responsible for employee-owned equipment.
At their sole discretion, however, agencies may assume responsibility for employee-owned equipment that is used to conduct official business. For example, agencies may authorize Help Desks or other agency personnel or resources to (1) fix a problem with the employee's personally-owned equipment, (2) help the employee fix the problem, or (3) provide, install, and/or upgrade Government-owned software on employee-owned equipment. If an agency permits the use of personally-owned equipment, the employee must agree to allow the agency to configure that equipment with the proper hardware and software including security, communications and applications.

b. Are there policies for ``limited personal use'' of Government e-mail and internet systems?

Yes. The Office of Management and Budget expects all agencies to establish personal use policies consistent with the recommended guidance developed by the CIO Council in 1999 (see ``Personal Use Policies and `File Sharing' Technology'' memorandum at: http://www.whitehouse.gov/omb/memoranda/fy04/m04-26.html). In addition, NIST Special Publication 800-53, Rev. 1, under the section titled Supervision and Review--Access Control, recommends that agencies supervise and review the activities of users with respect to the enforcement and usage of information system access controls. According to this guidance, agencies should review audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures and investigate unusual information system-related activities.

c. Are there any other Guidelines for Alternative Workplace Arrangements?

Yes. For additional guidance, see FMR Bulletin, 2006-B3, Guidelines for Alternative Workplace Arrangements, Sections I through XV, dated March 17, 2006.

[FR Doc. 07-951 Filed 3-1-07; 8:45 am]

BILLING CODE 6820-RH-M