CISA issues COVID-19 risk management insights for organizations
CISA’s COVID-19 Insights (6 March 2020) urges organizations to stress-test remote work, protect critical functions, and formalize contingency roles; adding control mappings and implementation steps strengthens operational readiness.
Executive briefing: On , CISA released COVID-19 risk management guidance advising organizations to prepare for elevated telework, absenteeism, and supply-chain disruption. The memo emphasizes continuity planning for critical functions, clear delegation of authority, and security controls that keep remote access resilient under load.
Validated sources
- CISA Insights: Risk Management for COVID-19 outlining operational preparedness steps and technology dependencies.
- CISA VPN hardening alert reinforcing the need for patched remote access gateways during pandemic-driven telework.
- FEMA continuity resources that align with CISA’s call for delegation of authority and reconstitution planning.
Control mappings
- NIST SP 800-34 Rev.1 & SP 800-53 CP-2, CP-4: Support tested continuity plans and alternate processing sites for essential services.
- CIS Controls v8 12.1 & 15.7: Require remote access management and tested incident response communications that scale during surges.
- ISO/IEC 22301:2019 8.4 & ISO/IEC 27001:2022 A.5.30: Tie business continuity procedures to information security continuity and change management.
Implementation checklist
- Identify critical business services, owners, dependencies, and minimum staffing; document manual workarounds if key systems fail.
- Load-test VPNs, SSO, and collaboration tools; enable MFA everywhere and enforce device posture checks for remote connections.
- Pre-position spare laptops and mobile hotspots; verify asset imaging and MDM enrollment to keep new devices compliant.
- Define delegation of authority, cross-train backups for essential roles, and maintain call trees for rapid activation.
- Establish supplier communication routines and alternate vendors for critical inputs; track impacts in a centralized issue log.
Continuity metrics and follow-ups
- Record results of capacity tests (concurrent VPN sessions, SSO login success, video quality) and keep evidence of remedial actions with owners and due dates.
- Measure telework policy adoption, including MFA enrollment percentages, patch currency of remote endpoints, and phishing training completion during remote periods.
- Validate that alternate suppliers and logistics routes are contractually secured; document any single points of failure and mitigation plans.
- Re-run tabletop exercises after major policy changes or outbreaks to ensure call trees, paging tools, and command structures still function.
Assurance notes
- Record outcomes of continuity exercises, remote-access capacity tests, and VPN patch status to evidence readiness.
- Monitor for increased phishing and credential-stuffing attempts targeting remote workers, and update playbooks with remote containment steps.
- Document lessons learned in an after-action report and track closure of findings through change management.
Recovery and reconstitution
- Define triggers for returning to normal operations, including minimum staffing, service availability, and supplier stability; capture them in leadership playbooks.
- Plan phased restoration of onsite operations with validation of building systems (HVAC, physical security) and IT services after prolonged remote use.
- Archive telework exceptions and temporary firewall rules, scheduling their removal with change management once the surge subsides.
Supplier resilience checks
- Review business continuity statements from critical SaaS and telecom providers; verify RTO/RPO commitments and document alternates if outages exceed contract terms.
- Track upstream component shortages (laptops, networking gear) and pre-approve substitutions that meet security baselines.