In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain normal work schedules if possible.  Each set of guidance is discussed in further detail below.

NIST Guidance to Enterprises on Secure Telework, Remote Access, and BYOD

NIST has issued a bulletin on Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions to “help organizations mitigate security risks associated with the enterprise technologies used for teleworking.”  The bulletin summarizes key concepts and recommendations from NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security and recommends that organizations consider the “balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources.”  To mitigate the risks associated with providing remote access, NIST recommends hardening resources against external threats and limiting access to the “minimum necessary.”

The NIST guidance also highlights the following key recommendations, derived from NIST SP 800-46:

  • Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats. The NIST guidance specifically references three types of threats that organizations should assume exist, along with accompanying mitigation measures.
    • First, organizations can mitigate the risk that malicious parties will gain control of client devices and attempt to recover data from them, or leverage them to gain access to the enterprise network, by limiting storage of sensitive data on such devices, encrypting the device or the data present on it, and using strong authentication, “preferably multi-factor,” for access to the enterprise network.
    • Second, organizations can protect against the risk of eavesdropping, interception, or modification of communications on external networks by using encryption technologies to protect these communications and authenticating endpoints to each other to verify their identities.
    • Finally, organizations can protect against malware infections on client devices by utilizing anti-malware technologies, verifying a client’s security posture through network access controls, and segmenting client devices on a separate network.
  • Develop a telework security policy that defines telework, remote access, and BYOD requirements. NIST recommends that an organization’s policy define the forms of remote access the organization permits, the devices that can be used for remote access, the type of access each teleworker is granted, and the administration and patching of remote access servers.  NIST further recommends that organizations make “risk-based decisions” on the levels of remote access they will permit to different types of client devices.  The NIST guidance suggests considering a tiered approach to remote access that allows “the most controlled devices [e.g. organization-owned laptops] to have the most access and the least controlled devices [e.g. BYOD mobile devices] to have minimal access.”
  • Ensure that remote access servers are secured effectively and configured to enforce telework security policies. The NIST guidance notes that remote access servers not only serve a critical role in an organization’s remote access capabilities, but can also be leveraged by attackers for various types of malicious activity.  NIST recommends that such servers be configured as a single point of entry to the organization’s network that enforces the telework security policy, and that they be kept fully patched and managed only by authorized administrators from trusted hosts.
  • Secure organization-controlled telework client devices against common threats, and maintain their security regularly. The NIST guidance recommends that organizations not only apply their normal security baseline controls to client devices, including applying updates, disabling unneeded services, and using firewalls and anti-malware tools, but also consider enhanced controls to address the risks associated with teleworking, including encryption of sensitive data stored on the devices.  NIST also recommends that organizations provide guidance to device administrators and users on securing these devices.

FTC and NIST Guidance on Secure Teleworking for Employees

The FTC’s blog post on Online Security Tips for Working from Home, as well as guidance released by NIST on Telework Security Basics, build on prior guidance from both organizations on key cybersecurity practices.  While both organizations’ secure teleworking guidance is directed to individuals, employers should be prepared to support their employees in following the guidance and use it as a reference point for their own cybersecurity practices for remote work.  A summary of key points from both sets of guidance is provided below.

Although the specific details from each set of guidance differ, both the FTC and NIST guidance for teleworking securely revolve around many similar themes.  We have summarized the most notable themes below:

  • Follow organizational policies or rules: Both the FTC and NIST guidance include recommendations that employees follow security policies or rules established by their employers, including policies or rules that may govern working remotely.  In support of these efforts, organizations may want to ensure that employees are aware of these policies and consider whether any policies should be adjusted to account for the increase in remote work.
  • Adhere to good cybersecurity practices: The FTC urges employees to follow its “Cybersecurity Basics for Small Business” guidance, which recommends measures such as updating software, encrypting devices, requiring passwords, and using multi-factor authentication to access sensitive information.  NIST similarly encourages employees to keep their devices patched and updated, enabling automatic updates where appropriate.  Employers can use these suggestions as indications of cybersecurity practices that regulators may expect employers to maintain as employees shift to working remotely.
  • Enable device security features: The FTC’s guidance encourages the use of passwords for laptops, and NIST encourages enabling “basic security features” on devices, such as PINs, fingerprint authentication, or facial recognition, to the extent that they are available.
  • Practice secure networking: Both the FTC and NIST guidance recommend that employees ensure that their home Wi-Fi networks are set up securely, using WPA2 or WPA3 security and a hard-to-guess password.  NIST also recommends that employees use an employer-provided VPN or, if none is provided, consider obtaining their own VPN service.  To support these efforts and maintain consistent security practices, employers may want to ensure that employees are aware of employer-approved VPN solutions and instructions for their use.
  • Maintain physical security: The FTC’s guidance also focuses on the physical security of the devices and files that employees may take home, as well as secure disposal of hard-copy personal information, which has previously been an area of interest for the FTC.  Employers may want to consider how they can limit the amount of personal information that employees may need to secure outside of the office, and how they can support secure disposal methods for information that employees may need to take home.
  • Report suspected security incidents: NIST’s guidance also emphasizes the importance of employees reporting “unusual or suspicious activity” on any device the employee uses to telework.  Employers should consider promoting awareness of incident reporting mechanisms to employees working remotely and plan for how to respond to possible incidents involving remote employees and, possibly, their personal devices.

NIST’s guidance also warns employees to be “on the lookout for social engineering attempts,” which may include emails with strange file attachments, communications from individuals claiming to be IT personnel who ask for passwords or direct the employee to a website to “scan” their computer, or unusual web meeting requests.  NIST recommends that employees ask questions when confronted with such requests, and verify the authenticity of the request via phone “or other means” before proceeding, to avoid falling victim to malicious activity.  The FTC also recently released similar guidance on “Coronavirus Scams,” urging consumers to avoid clicking on unfamiliar links and to exercise caution with donation requests, online offers for vaccinations or cures, and emails purporting to be from the CDC, WHO, or other medical organizations.  As trends in fraudulent or malicious activity surrounding COVID-19 continue to develop, employers should consider alerting or reminding their employees of such scams and the appropriate steps they should take to minimize the risk of a potential security incident.

CISA Guidance on Critical Infrastructure Workforce

CISA has also released guidance on the identification of essential critical infrastructure workers who have a “special responsibility” to maintain their “normal work schedule” during the COVID-19 response.  The guidance covers workers across all sixteen critical infrastructure sectors and specifically identifies several categories of IT or information security personnel, including workers “supporting [information technology] command centers,” data center operators, client service centers and technicians supporting critical infrastructure, and workers “responding to cyber incidents involving critical infrastructure.”  CISA notes that its guidance is advisory, and that state and local authorities maintain responsibility for managing response activities within their borders, which could include the issuance of business closure or shelter-in-place orders.  The guidance therefore does not automatically exempt workers in critical infrastructure industries from such state and local restrictions.  The guidance also encourages workers to work remotely where possible or otherwise adopt strategies, such as social distancing or offsetting shifts, to reduce the likelihood of spreading the disease.

Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.