24 March 2020

Moving to the Unclassified

by Cortney Weinbaum, Arthur Chan, Karlyn D. Stanley, Abby Schendt
Source Link

What policy, legal, technology, security, financial, and cultural considerations should intelligence leaders take into account when determining how to conduct work outside secure government facilities?

This report provides analysis and recommendations for intelligence agencies regarding how to conduct work outside secure government facilities by identifying policy, legal, technology, security, financial, and cultural considerations. This report provides steps that intelligence agencies can take to address these considerations and overcome potential challenges. The advantages of remote-work programs include greater access to outside expertise, continuity of operations, and increased work-life offerings for recruitment and retention. The authors reviewed studies on telework and telecommuting, examined seven federal agencies that conduct work outside government facilities, and conducted interviews inside the National Geospatial-Intelligence Agency (NGA). Intelligence agencies could benefit from conducting some unclassified functions outside Sensitive Compartmented Information Facilities (SCIFs), with each agency differing in terms of which functions would be most appropriate to move to unclassified facilities. The report provides lessons learned and recommendations for leaders of intelligence agencies to consider.

Key Findings


Current laws do not prohibit intelligence agencies from conducting unclassified work outside SCIFs. However, existing policies and technologies at intelligence agencies may be either hurdles or enablers to remote-work or telework programs.

Clear policy guidance and security procedures could facilitate effective remote work at intelligence agencies — specifically, clear policies related to telework, use of personal devices, handling of Controlled Unclassified Information (CUI), core work hours, and time and attendance management.

Three regulations most relevant to intelligence agencies implementing remote-work programs are the Federal Information Security Management Act of 2002, the Telework Enhancement Act of 2010, and Executive Order 13556. The authors did not find specific laws governing the use of personally owned electronic devices, which leaves each agency to develop its own policy within these legal frameworks.

Moving employees and work functions outside of classified facilities may incur financial costs to agencies, and these changes might not always reap financial savings. Therefore, the decision to move employees outside of SCIFs might be based on mission, continuity of operations, and other operational factors, rather than cost savings.

Investment costs associated with these changes may include technologies that enable employees to work off-site, such as remote log-on, online collaboration tools, and the ability to transfer files across computer systems. Cost savings may include fewer security clearances needed, higher employee retention rates, and decreased use of utilities.

There are cultural challenges to moving unclassified work outside of SCIFs, including overcoming perceptions that some employees and managers have of remote work, measuring the performance of remote workers, and training employees and managers on the program. These challenges can be alleviated by setting expectations of what remote work should be and what it can do for employees and the agency's mission.

Recommendations

Facilitate communications between employees and supervisors, particularly in terms of defining who is eligible for telework, when they can perform such telework, and what kinds of tasks can be performed off-site. Communicate changes to managers and employees, including how a change fits within the agency mission, what changes will occur, who is eligible for off-site work, and what roles each part of the organization has in this change.

Consider which essential and unclassified capabilities should move from classified to unclassified systems so that employees will be able to access them irrespective of work location. Make collaborative tools available to employees on unclassified computing systems, including instant messaging, group-chat capabilities, file sharing, video conferencing, workflow tracking and project management, and calendar sharing.

Consider costs that employees would incur or savings that employees may reap, and communicate these expectations to employees choosing to participate in the program. Decide whether to provide government-issued laptops and other hardware to employees who work remotely or whether to rely on personally owned devices.

Write clear security classification guides that explain what information is CUI, and write policies on how to handle CUI on unclassified computer systems and outside of SCIFs. Clear policies will help agencies prevent data spills of classified information on unclassified computing systems and will allow employees to identify what is and is not CUI and the appropriate handling channels.

Provide measures for the program's performance and tools for managers to determine employee performance and to effectively manage employees off-site. These mechanisms may include new policies, manager training, and technology tools.

No comments: