Even with systems shut down, functions like patching and installing key maintenance upgrades are important and could pose a challenge for skeletal teams that have been assembled to manage IT systems during a shutdown, he said.
If the shutdown were to persist through the second Tuesday of October for instance, many agencies could find themselves scrambling to install Microsoft's monthly security updates, Spafford said.
Mike Brown, vice president and general manager at security firm RSA's global public sector unit, noted that security risks to federal agencies overall should not increase dramatically as a result of the shutdown. However, the potential for agencies to make mistakes increases during times of reduced staffing.
"I would expect that most of the infrastructure would be maintained by personnel who have been designated as essential, and that planning has taken place to ensure security remains a priority," Brown said. "However, any time there is an event like this, there is the potential for mistakes to take place," Brown said. "Not only will the impact of nonessential personnel weigh on an organization, but additional issues could arise based on the overall status of personnel and priorities."
A Sept. 16 directive issued by the White House Office of Management and Budget requires federal agencies to wind down all IT activities other than "excepted" activities, including those that are essential to safety and protection of property, in the event of a government shutdown.
The directive leaves it up to agency heads to determine what systems can be kept running, but it makes clear that the only systems allowed to run will be those that directly support an exempted activity. If that system happens to be interconnected with other system, the agency has to figure out a way to keep it running without affecting the safety and security of the other systems, the directive noted.
"Given that websites represent the front-end of numerous back-end processing systems, agencies must determine whether the entire website can be shut down or components of the website will be shut down," to ensure compliance with procedures during an appropriations lapse, the OMB memo noted.
Sign up for CIO Asia eNewsletters.