Wednesday | 3 December, 2008
Federal CISOs seek security standards to prevent breaches
Federal adoption of telecommuting has lagged far behind goals
Tim Greene (Network World) 04/10/2007 08:54:09

As a result, his department issues work-only machines to telecommuters that are maintained by the department. They are locked down using data rights management software that blocks inadvertent copying of sensitive information.

Despite efforts to make working from home as painless as possible, federal agencies are mandated by FISMA to train telecommuters in securing their hardware, another barrier to some potential telecommuters.

For instance, the Department of Energy encourages working from home, but only 9 percent of employees do -- significantly short of the department goal of 15 percent, according to Rita Franklin, Energy Department deputy chief human capital officer. But the demographics of the department reflect a workforce that averages 49 years of age -- what she terms the dinosaur generation -- that is skeptical about telework, according to Telework Exchange's account of her presentation to the forum.

That is bad news for the Bureau of Engraving and Printing, which is in charge of minting money. Michael O'Leary, the bureau's program manager in operations support, says that offering work-at-home programs is partially intended to delay a "retirement tsunami" that could gut the agency of its most experienced workers.

Meanwhile, CISOs are directed to NIST recommendations for securing mobile devices. These include strong authentication, logging all activity by remote users, and guarding those logs.

The guidelines also call for physical security such as cabling laptops in place if they are used in one location for a long period and establishing a procedure for reclaiming telecommuting gear if an employee is fired.

Training users is also key to any home-worker program, including education about risks and the proper use of security software, NIST says.

The recommendations call for double-wrapping laptops in firewalls: a personal firewall residing on the device as software, and a second, hardware-based firewall sitting between the device and the Internet. The hardware device also can include a VPN.

"Operating both a software personal firewall and a separate device provides the opportunity to screen out intruders and to identify any rogue software that attempts to transmit messages from the user's computer to an external system," NIST says.

Browsers should be configured to limit potential weaknesses such as plug-ins, Java and ActiveX, which can increase the attack vectors from Web sites. Disabling or selectively removing cookies should also be considered, NIST says. Similarly, unused elements of operating systems should be disabled. Both Web browsers and operating systems should be kept up to date with patches.

Threats originating in e-mail also are a worry. For example, the Department of Justice has forbidden employees to use their work e-mail from their private home computers because securing e-mails as they crossed the wire and were stored proved to be too difficult, according to Heretick, the department's CISO, speaking at a Telework Exchange panel.

Security isn't the only hurdle or even the most difficult one facing telecommuting, according to the latest report to Congress from the U.S. Office of Personnel Management.
