NSA Provides Guidance on Selecting Video Conferencing Tools
The National Security Agency (NSA) has provided guidance for agencies on determining which video conferencing tools they should use during telework periods. The guidance provides nine factors for consideration to determine which platform should be used. The guidance only applies to commercial applications such as Zoom, which have become increasingly popular for office communications during the COVID-19 pandemic.
The guidance encourages agencies to use U.S. government services such as Defense Collaboration Services, Intelink Services and others, which were designed specifically for secure government communications, when possible; however, when communicating with and receiving invitations from external entities, these criteria should be considered:
Does the service implement end-to-end encryption?
Are strong, well-known, testable encryption standards used?
Is multi-factor authentication used to validate users’ identities?
Can users see and control who connects to collaboration sessions?
Does the service privacy policy allow the vendor to share data with third parties or affiliates?
Do users have the ability to securely delete data from the service and its repositories as needed?
Has the collaboration service’s source code been shared publicly (e.g. open source)?
Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize U.S. government official use?
The guidance does not endorse any specific commercial video conferencing platform and does not supersede any internal agency guidance, but is meant to act as a framework for agencies when considering how to communicate during telework.
The guidance does provide an assessment of how 13 common platforms meet the criteria established.
During video conferencing meetings, the NSA recommends employees ensure encryption is enabled (as some applications require it to be disabled and enabled for each meeting), verify before and during sessions that only invited attendees are participating, and ensure that their physical environment does not allow unauthorized access to voice, video, or data discussed during collaborative sessions.