Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs, 9532-9535 [07-951]

Agencies

• General Services Administration

[Federal Register Volume 72, Number 41 (Friday, March 2, 2007)]
[Notices]
[Pages 9532-9535]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-951]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[FMR Bulletin 2007-B1]


Information Technology and Telecommunications Guidelines for 
Federal Telework and Other Alternative Workplace Arrangement Programs

AGENCY: General Services Administration.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This bulletin establishes guidelines for implementing and 
operating telework and other alternative workplace arrangement programs 
through the efficient and effective use of information technology and 
telecommunications. These policies are designed to assist agencies in 
the implementation and expansion of Federal alternative workplace 
arrangement programs.

EFFECTIVE DATE: March 2, 2007.

FOR FURTHER INFORMATION CONTACT: For further clarification of content, 
contact Stanley C. Langfeld, Director, Regulations Management Division 
(MPR), General Services Administration, Washington, DC 20405; or 
stanley.langfeld@gsa.gov.

    Dated: February 21, 2007.
Kevin Messner,
Acting Associate Administrator, Office of Governmentwide Policy.

General Services Administration

[FMR Bulletin 2007-B1]

Real Property

TO: Heads of Federal Agencies
SUBJECT: Information Technology and Telecommunications Guidelines 
for Federal Telework and Other Alternative Workplace Arrangement 
Programs

    1. Purpose: This bulletin establishes guidelines for 
implementing and operating telework and other alternative workplace 
arrangement (AWA) programs through the efficient and effective use 
of information technology and telecommunications.
    2. Expiration Date: This bulletin will remain in effect 
indefinitely until specifically cancelled.
    3. Definitions: Following are terms and definitions used in and 
for the purpose of this bulletin:
    a. Agency Worksite--An agency worksite is the post of duty to 
which an employee would report if not teleworking.
    b. Alternative Worksite--An alternative work location used by 
teleworkers while teleworking.
    c. Broadband--Broadband is a term that commonly and loosely 
refers to high speed data transmission service. When such service is 
used for connections to the internet, the Federal Communications 
Commission (FCC) defines two types of connections: (1) high-speed 
lines that deliver services at speeds exceeding 200 kilobits per 
second (kbps) in at least one direction, and (2) advanced services 
lines that deliver services at speeds exceeding 200 kbps in both 
directions (see FCC News Release entitled ``Federal Communications 
Commission Releases Data On High-Speed Services for Internet Access, 
High-Speed Connections to the Internet Increased by 33% in 2005,'' 
dated July 26, 2006, https://hraunfoss.fcc.gov/edocs_public/
attachmatch/DOC-266593A1.doc%3E).
    d. Dial-up--Dial-up refers to the use of an analog telephone 
line for accessing the internet and remotely connecting to and from 
an alternative worksite to an agency Information Technology (IT) 
system. Dial-up access uses normal telephone lines for data 
transmission and generally has a lower data transfer rate as 
compared to other internet services.
    e. Docking Station--A docking station is a piece of equipment 
that is used with a laptop computer to allow for the convenient and 
quick connection of peripheral and/or telecommunications (internet 
access, for example) equipment by providing the laptop with 
additional ports, expansion slots, and bays for various types of 
peripherals and other connections. Typically, the docking station is 
continuously located in a given workstation and continuously 
connected to peripherals and telecommunications access; the laptop 
is slipped in and out of the docking station, as needed. A docking 
station also enables use of the laptop to resemble the use and 
convenience of a desktop computer by enabling the user to operate 
the laptop with a full size external keyboard, monitor, and/or 
mouse. Thus, a docking station maintains the flexibility of a laptop 
while giving it the functionality of a desktop computer.
    f. External Information Systems--Information systems or 
components of information systems that are outside of the 
accreditation boundary established by the organization and for which 
the organization typically has no direct control over the 
application of required security controls or the assessment of 
security control effectiveness. External information systems 
include, but are not limited to, personally owned information 
systems (e.g., computers, cellular telephones, or personal digital 
assistants); privately-owned computing and communications devices 
resident in commercial or public facilities (e.g., hotels, 
convention centers or airports); information systems owned or 
controlled by non-federal governmental organizations; and federal 
information systems that are not owned by, operated by, or under the 
direct control of the organization.
    g. One Computer Model--Teleworker use of a single computer, 
usually a laptop, that is transported to all worksites (typically 
back and forth between an alternative worksite and the agency 
worksite). The One Computer Model contrasts with multi-computer 
situations in which the teleworker has a separate computer for use 
at each worksite and, typically, each of these computers remains at 
the worksite and is not transported around.
    h. Remote Access Servers (RAS)--Remote access servers provide 
internet and dialup access to the office local area network (LAN). 
The RAS authenticates the user through a password or stronger 
mechanism; it then allows the user to access files, printers, or 
other resources on the LAN. The chief benefit of a RAS is in 
providing a conveniently packaged comprehensive solution to offsite 
access needs. Typically, the servers include support for internet-
based voice communications, virtual private networks (defined 
below), and authentication in a package designed to make it easier 
for administrators to establish and maintain user privileges.
    i. Telework--Telework is work performed by an employee at an 
alternative worksite, which reduces or eliminates the employee's 
commute or travel to the agency worksite. Alternative worksites may 
include the employee's home, telework center, satellite office, 
field installation, or other location.
    j. Virtual Private Network (VPN)--The National Institute of 
Standards and Technology (NIST) defines VPN as ``a logical network 
that is established, at the application layer of the Open Systems 
Interconnection (OSI) model, over an existing physical network and 
typically does not include every node present on the physical 
network.'' Further, NIST describes how VPN technology uses the 
internet as the transport medium

[[Page 9533]]

and employs security measures to ensure that the communications are 
private. Although VPN traffic crosses the internet, VPN protection 
prevents most unauthorized users from reading and/or modifying the 
traffic (see NIST Special Publication 800-46, Security for 
Telecommuting and Broadband Communications, https://csrc,nist.gov/
publications/nistpubs/800-46/sp800-46.pdf).
    4. Background:
    a. 40 U.S.C. Sec.  587(c)(3) [Public Law 104-208, div. A, title 
I, Sec.  101(f) [title IV, Sec.  407(a)] (September 30, 1996)), as 
revised, restated and recodified without substantive change by 
Public Law 107-217 (August 21, 2002)] authorizes GSA to provide 
guidance, assistance, and oversight, as needed, regarding planning, 
establishment and operation of AWA programs.
    b. In accordance with Section 359 of Public Law 106-346, 
effective October 23, 2000, each Executive agency must establish a 
policy under which eligible employees of the agency may participate 
in telecommuting to the maximum extent possible without diminished 
employee performance.
    c. Public Law 104-52, Treasury, Postal Service, and General 
Government Appropriations Act, 1996, title VI, Sec.  620 (November 
19, 1995), 31 U.S.C. Sec.  1348 note, provides as follows:

    ``Notwithstanding any provisions of this or any other Act, 
during the fiscal year ending September 30, 1996, and hereafter, any 
department, division, bureau, or office may use funds appropriated 
by this or any other Act to install telephone lines, and necessary 
equipment, and to pay monthly charges, in any private residence or 
private apartment of any employee who has been authorized to work at 
home in accordance with guidelines issued by the Office of Personnel 
Management: Provided, That the head of the department, division, 
bureau, or office certifies that adequate safeguards against private 
misuse exist, and that the service is necessary for direct support 
of the agency's mission.''

    d. Public Law 107-347, The E-Government Act of 2002 (December 
17, 2002), recognized the importance of information security to the 
economic and national security interests of the United States. Title 
III of the E-Government Act, referred to therein as the Federal 
Information Security Management Act of 2002 (FISMA), emphasizes the 
need for organizations to develop, document, and implement an 
organization-wide program to provide security for the information 
systems that support its operations and assets.
    e. GSA Federal Management Regulation (FMR) Bulletin 2006-B3--
Guidelines for Alternative Workplace Arrangements, effective March 
17, 2006, sets forth the parameters for establishing agency AWA 
programs.
    5. Further Information: For further information, contact Stanley 
C. Langfeld, Director, Regulations Management Division, Office of 
Real Property Management (MP), at (202) 501-1737; or 
stanley.langfeld@gsa.gov.

Guidelines for IT and Telecommunications for Federal Telework and Other 
AWA Programs

I. Basic Equipment Recommendations

    a. An agency may provide employees with computer equipment, 
associated peripheral equipment (e.g., printer, copier, scanner, 
facsimile), telecommunications, and associated technical support for 
the implementation and expansion of telework in the Federal 
Government. The agency may provide the level and configuration of 
these resources that it deems necessary for mission accomplishment. 
To make this determination, an agency may consider factors such as 
the teleworker's job requirements, frequency of telework, and other 
work-related parameters. In addition, the agency is advised to 
review the 2006 Telework Technology Cost Study, which concluded that 
the One Computer Model is advantageous from both a value added cost 
perspective and from a multi-purpose perspective. The 2006 Telework 
Technology Cost Study is located in the GSA Telework Library at 
https://www.gsa.gov/telework.
    b. An agency may establish a policy that provides that 
teleworkers utilize their respective alternative worksite equipment 
and associated technical support for continuity of operations (COOP) 
purposes. In addition to facilitating COOP responsiveness, this 
dual-purpose use of telework resources can (1) increase the agency's 
return on investment for the cost of those resources, as well as (2) 
reduce agency COOP costs. The NIST Special Publication 800-34, 
Contingency Planing Guide for Information Technology Systems, 
provides instructions, recommendations, and considerations for 
government IT contingency planning (see https://csrc.nist.gov/
publications/nistpubs/800-34/sp800-34.pdf), and NIST Special 
Publication 800-84, Guide to Test, Training, and Exercise Programs 
for IT Plans and Capabilities, provides additional recommendations 
and related information (see https://csrc.nist.gov/publications/
nistpubs/800-84/SP800-84.pdf.)
    c. An agency may provide teleworkers with equipment that is no 
longer needed for its original purposes, such as when equipment is 
replaced during a refresh cycle. This strategy can maximize the 
value of federal IT investments through the 're-use' or 're-
purposing' of equipment to help implement or expand an agency 
telework program. In accordance with 41 CFR 102-36.30 and 102-36.35, 
even though equipment may no longer be used for its original 
purpose, employee, or location, the agency must determine if the 
equipment can serve other agency uses, such as in alternative 
worksites. The equipment officially does not become excess until the 
agency determines that the agency has no further use for the 
equipment, including use in main or alternative worksites.

II. Telecommunications and Internet Services

    a. Public Law 104-52, section 620, 31 U.S.C. 1348 note, 
authorizes agencies to use appropriated funds to install telephone 
lines and necessary equipment, and to pay monthly charges, in any 
private residence of an employee who has been authorized to work at 
home in accordance with the guidelines issued by the Office of 
Personnel Management. The head of the department, division, bureau, 
or office must certify that adequate safeguards against private 
misuse exist, and that the service is necessary for direct support 
of the agency's mission. This authority includes facsimile machines, 
internet services, broadband access, e-mail services. Voice over 
Internet Protocol equipment and services, desktop videoconference 
equipment and services, and, in general, any other 
telecommunications equipment and services the agency deems needed by 
individuals working in any authorized alternative worksite.
    b. As describe above, agencies are authorized to provide and/or 
pay for installation and operation of a dedicated voice line for 
teleworker use at an alternative worksite. Regardless of whether or 
not, or the extent to which, an agency provides resources for such a 
line, a dedicated voice line is recommended so that (1) managers, 
co-workers, clients, and/or other work-related personnel are not 
prevented from reaching a teleworkers due to the tying up of a 
teleworker's phone line by online or other data use activity and (2) 
teleworker do not put themselves at risk by tying up their personal 
voice line with business activity. Agencies may carry out this 
recommendation through the use of landlines and/or cell phones.
    c. The authorities described above also authorize agencies to 
pay equipment costs, usage fees, and service charges for all 
authorized methods of connectivity (e.g., dial-up, high-speed, 
wireless, satellite) utilized for official business at alternative 
worksites.
    d. Factors such as teleworker job requirements, 
telecommunications service availability, and quality and cost of 
service at the alternative worksite should be used to determine 
teleworker connectivity. Various types of high-speed 
telecommunication services are available in many areas and not in 
others. Speed, performance, reliability, and cost are factors to 
consider when determining how to meet connectivity requirements. In 
some instances, for example, in which an analog telephone line is 
the only available connectivity solution, the resulting dial-up 
access may be sufficient, depending on the teleworker's job 
requirements. Agency policies should address the equitable 
provisioning of these resources. It is recommended that agencies 
implement more than one type of connectivity because of variations 
in service availability, teleworker job requirements and modes of 
operation, and other factors that impact the type of connectivity 
required.
    e. Security and connectivity requirements vary according to 
whether or not a teleworker's job requires interacting with an 
agency's centralized IT systems. Teleworkers who do not require 
interaction with an agency's centralized IT systems may be able to 
telework successfully using only e-mail and telephone contact with 
the office, without logging into the agency system. For example, a 
user who teleworks one or two days per week, and whose job consists

[[Page 9534]]

largely of writing and document preparation, may never need to log 
in to agency systems from an alternative worksite. Provided that 
they are not sensitive or do not contain personally identifiable 
information, documents can be e-mailed back and forth between the 
agency system and the user's e-mail account. In this scenario, e-
mailing a document from an alternative worksite to the agency system 
does not require the teleworker to interact with the system. In 
general, there are may firewall implementations that use an 
electronic mail proxy to allow access to the files on a protected 
system without having to directly access that system. Alternatively, 
the teleworker may physically transport the documents on portable 
storage media.
    When teleworkers need to access the agency's centralized IT 
systems, it is necessary, at a minimum, to allow for remote logins 
from the alternative worksite computer. In this case, strong 
authentication (at least ``two factor authentication'') is required 
to minimize the vulnerabilities in providing external access. This 
solution is sufficient for teleworkers requiring minimal access to 
internal resources, such as some types of intranet access. NIST 
provides detailed guidance on this issue in Special Publication 800-
63, its document on electronic authentication, and agencies are 
advised to review and comply with this guidance (see https://
csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf).
    Some teleworkers, however, may require more involved access to 
internal resources. In this case, a more secure solution, such as a 
VPN, should be used. A VPN can provide a high level of security and 
convenience for the teleworker. Encryption protects all interaction 
between the offsite computer and the main office, so that in many 
ways the user's offsite computer is as secure as one on the main 
office local network. This approach makes it possible to allow 
offsite users to operate applications such as scheduling, budget 
analysis, or other complex systems from the alternative worksite. 
The tradeoff for a VPN is in cost and complexity of administration. 
Note also that operating a VPN does not guarantee protection from 
viruses and e-mail worms. The agency Chief Information Officer 
(CIO), in conjunction with other agency officials (such as telework 
and/or human resources management policy providers), should examine 
job requirements and provide policy, guidance, and appropriate 
secure system access.
    f. Agencies should be aware and take advantage of the potential 
utility and other benefits of audio teleconference and web 
conference capabilities for their respective telework programs. 
These capabilities can be excellent tools to facilitate 
productivity, agency cost savings (from reduced travel expenses, for 
example), and other benefits for all employees, in general, and for 
teleworkers, in particular. Agency telework program planners and 
implementers should be aware of and utilize the relevant 
telecommunications products, tools, information, and services that 
are available in their existing contracts and/or from service 
providers, such as the GSA Global Account Manager (https://
www.gsa.gov/networkscvs), or equivalent sources and providers.

III. Security

    a. According to an Office of Management and Budget (OMB) 
memorandum entitled ``Protection of Sensitive Agency Information,'' 
dated June 23, 2006, which addresses the lack of physical security 
controls when information is removed from or accessed from outside 
the agency location, agencies should implement the NIST checklist 
for protection of remote information (see https://www.whitehouse.gov/
omb/memoranda/fy2006/m06-16.pdf), and:
    (1) Encrypt all data on mobile computers and devices that carry 
agency data, unless the agency determines that the data are non-
sensitive;
    (2) Allow remote access only with two-factor authentication 
where one of the factors is provided by a device separate from the 
computer gaining access;
    (3) Use a ``time-out'' function requiring user re-authentication 
after thirty (30) minutes of inactivity for remote access and mobile 
devices; and
    (4) Log all computer-readable data extracts from databases 
holding sensitive information and verify that each such extract has 
been erased within ninety (90) days or that its use is still 
required.
    b. FISMA delegates to NIST the responsibility to develop 
detailed information security standards and guidance for federal 
information systems, with the exception of national security 
systems. Agency personnel involved in planning, implementing, and/or 
operating telework programs should consult the Web site of NIST's 
Computer Security Resource Center (see https://csrc.nist.gov) for up-
to-date information and guidance on secure computing. Listed below 
are key documents that can assist in the implementation of secure 
telework operations.
    (1) Security for Telecommuting and Broadband Communications 
(NIST Special Publication 800-46 (2002)), assists organizations in 
addressing telework security issues by providing recommendations on 
securing a variety of applications, protocols, and network 
architectures (see https://csrc.nist.gov/publications/nistpubs/800-
46/sp800-46.pdf).
    (2) Recommended Security Controls for Federal Information 
Systems (NIST Special Publication 800-53, Rev. 1 (2006)), provides 
important guidance on security controls selection and specification, 
including information on Media Protection, Certification, 
Accreditation, Security Assessments, Identification and 
Authentication families, updating security controls, and the use of 
external information systems (see https://csrc.nist.gov/publications/
nistpubs/#sp800-53-Rev1).
    (3) Information Security Handbook: A Guide for Managers (see 
https://csrc.nist.gov/publications/nistpubs/#sp800-100).
    (4) Security Management and guidance (see https://csrc.nist.gov/
focus_areas.html#smag).
    c. Agencies should review and comply with applicable controls 
and guidance, especially sections on portable devices, remote 
access, and external IT systems set forth in NIST Special 
Publication 800-53, Rev. 1, when developing telework program 
implementation guidelines. Listed below are selected controls and 
guidance from NIST Special Publication 800-53, Rev. 1:
    (1) Access Control for Portable and Mobile Devices (e.g., 
notebook computers, personal digital assistants, cellular 
telephones, and other computing and communications devices with 
network connectivity and the capability of periodically operating in 
different physical locations):
    i. Establish usage restrictions and implementation guidance for 
organization-controlled portable and mobile devices;
    ii. Authorize, monitor, and control device access to 
organizational information systems;
    iii. Require that portable and mobile device access to 
organizational information systems be in accordance with 
organizational security policies and procedures. Security policies 
and procedures include device identification and authentication, 
implementation of mandatory protective software (e.g., malicious 
code detection, firewall), configuration management, scanning 
devices for malicious code, updating virus protection software, 
scanning for critical software updates and patches, conducting 
primary operating system (and possibly other resident software) 
integrity checks, and disabling unnecessary hardware (e.g., 
wireless, infrared).
    (2) Remote Access:
    i. Authorize, montior, and control all methods of remote access 
to the information system. Remote access controls should be applied 
to all information systems other than public web servers or systems 
specifically designed for public access;
    ii. Restrict access achieved through dial-up connections (e.g., 
limit dial-up access based upon source of request) or protect 
against unauthorized connections or subversion of authorized 
connections (e.g., using VPN technology). NIST Special Publication 
800-63 provides guidance on remote electronic authentication;
    iii. Employ automated mechanisms to facilitate the monitoring 
and control of remote access methods;
    iv. Use cryptography to protect the confidentiality and 
integrity of remote access sessions;
    v. Control all remote accesses through a limited number of 
managed access control points; and
    vi. Permit remote access for privileged functions only for 
compelling operational needs and document the rationale for such 
access in the security plan for the information system.
    (3) Use of External Information Systems Control:
    i. Establish terms and conditions for authorized individuals to: 
(A) access the information system from an external information 
system; and (B) process, store, and/or transmit organization-
controlled information using an external information system. 
Authorized individuals include organizational personnel, 
contractors, or any other individuals with authorized access to the 
organizational information system. This control does not apply to 
the use of external

[[Page 9535]]

information systems to access organizational information systems and 
information that are intended for public access (e.g., individuals 
accessing federal information through public interfaces to 
organizational information systems).
    ii. Establish terms and conditions for the use of external 
information systems in accordance with organizational security 
policies and procedures. The terms and conditions should address, at 
a minmum: (A) the types of applications that can be accessed on the 
organizational information system from the external information 
system; and (B) the maximum Federal Information Processing Standard 
199 security category of information that can be processed, stored, 
and transmitted on the external information system.
    iii. Prohibit authorized individuals from using an external 
information system to access the information system or to process, 
store, or transmit organization-controlled information except in 
situations where the organization: (A) Can verify the employment of 
required security controls on the external system as specified in 
the organization's information security policy and system security 
plan; or (B) has approved information system connection or 
processing agreements with the organizational entity hosting the 
external information system.

IV. Privacy

    Agencies should review the OMB memorandum entitled 
``Safeguarding Personally Identifiable Information,'' dated May 22, 
2006, and ensure that their respective telework technology 
infrastructures, practices and procedures are in compliance with 
that memorandum and the Privacy Act. The OMB memorandum reemphasizes 
the many responsibilities under law and policy to safeguard 
sensitive personally identifiable information appropriately. Among 
other things, the Privacy Act requires each agency to establish:

``Rules of conduct for persons involved in the design, development, 
operation, or maintenance of any system of records, or in 
maintaining any record, and instruct each such person with respect 
to such rules and the requirements of [the Privacy Act], including 
any other rules and procedures adopted pursuant to [the Privacy Act] 
and the penalties for noncompliance;'' [and]

``appropriate administrative, technical, and physical safeguards to 
insure the security and confidentiality of records and to protect 
against any anticipated threats or hazards to their security or 
integrity which could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any individual on whom information 
is maintained.'' (5 U.S.C. 552a(e)(9)-(10))

V. Training

    Teleworkers should receive adequate training on the use of IT 
systems and applications needed for effective job performance. This 
should include any specialized training associated with (1) 
effective use of remote access and other resources needed for 
working remotely, and (2) security awareness and responsibility. In 
addition, agencies are encouraged to provide opportunities for 
teleworkers to practice in a telework situation.

VI. Technical Support

    a. Agencies should (1) provide adequate and effective Help Desk 
support for teleworkers, and (2) require Help Desk personnel to 
possess the skills, procedures, and resources needed for resolving 
teleworker issues, such as remote access hardware and software 
issues.
    b. Where feasible and applicable, agencies should provide 
routine systems maintenance via remote transmission procedures such 
as transmitting (``pushing'') software and system upgrades out to 
the teleworker's alternative worksite as opposed to requiring the 
teleworker to bring a computer to the agency worksite for 
maintenance.

VII. Additional References and Resources

    a. Office of Management and Budget (see https://
www.whitehouse.gov/omb/memoranda/m03-18.pdf).
    b. Government Accountability Office (see https://www.gao.gov).

VIII. Commonly Asked Questions

    a. May an employee use his or her own personal computer 
equipment to conduct official business from an alternative worksite? 
If so, who is responsible for maintaining an employee's personally-
owned equipment that is used for official business?
    Yes, provided certain conditions are met, agencies may permit 
employees to use personally-owned equipment to conduct official 
business. If an agency permits the use of personally owned 
equipment, the employee must agree to allow the agency to (1) 
configure that equipment with the proper hardware and software 
necessary for secure and effective job performance, and (2) access 
the equipment, as needed, to verify compliance with agency policy 
and procedures. Additional conditions that must be met are set forth 
in NIST Special Publication 800-53, Rev. 1, on page 64, as follows:

    ``The organization prohibits authorized individuals from using 
an external information system to access the information system or 
to process, store, or transmit organization-controlled information 
except in situations where the organization: (i) Can verify the 
employment of required security controls on the external system as 
specified in the organization's information security policy and 
system security plan; or (ii) has approved information system 
connection or processing agreements with the organizational entity 
hosting the external information system.''

    If the agency allows the use of personally-owned equipment for 
official business, then the telework agreement should clearly 
identify the employee's and agency's obligations for appropriate 
operation, repair, and maintenance of the equipment. While agencies 
are responsible for Government-owned equipment regardless of 
location, they are not required to be responsible for employee-owned 
equipment. At their sole discretion, however, agencies may assume 
responsibility for employee-owned equipment that is used to conduct 
official business. For example, agencies may authorize Help Desks or 
other agency personnel or resources to (1) fix a problem with the 
employee's personally-owned equipment, (2) help the employee fix the 
problem, or (3) provide, install, and/or upgrade Government-owned 
software on employee-owned equipment. If an agency permits the use 
of personally-owned equipment, the employee must agree to allow the 
agency to configure that equipment with the proper hardware and 
software including security, communications and applications.
    b. Are there policies for ``limited personal use'' of Government 
e-mail and internet systems?
    Yes. The Office of Management and Budget expects all agencies to 
establish personal use policies consistent with the recommended 
guidance developed by the CIO Council in 1999 (see ``Personal Use 
Policies and `File Sharing' Technology'' memorandum at: https://
www.whitehouse.gov/omb/memoranda/fy04/m04-26.html). In addition, 
NIST Special Publication 800-53, Rev. 1, under the section titled 
Supervision and Review--Access Control, recommends that agencies 
supervise and review the activities of users with respect to the 
enforcement and usage of information system access controls. 
According to this guidance, agencies should review audit records 
(e.g., user activity logs) for inappropriate activities in 
accordance with organizational procedures and investigate unusual 
information system-related activities.
    c. Are there any other Guidelines for Alternative Workplace 
Arrangements?
    Yes. For additional guidance, see FMR Bulletin, 2006-B3, 
Guidelines for Alternative Workplace Arrangements, Sections I 
through XV, dated March 17, 2006.

[FR Doc. 07-951 Filed 3-1-07; 8:45 am]
BILLING CODE 6820-RH-M