The REMOTE Act directs every Executive department to adopt policies that record teleworking employees’ digital connections and the network traffic they generate, require managers to review that data periodically, and retain it for reporting. It also requires agencies to collect comparable login data for staff who access networks from headquarters via PIV/CAC swipes and to publish summarized metrics in budget justification documents.
Separately, the bill amends the Chief Human Capital Officer reporting statute to force managers to document any employee-specific revocation of telework privileges and to preserve that documentation, adding a formal paper trail for disciplinary or performance-based telework decisions. The combination heightens oversight across IT, HR, and budget offices and raises immediate compliance and privacy questions for agencies and contractors.
At a Glance
What It Does
The bill requires agencies to record teleworkers’ logins and the network traffic they generate, to retain that data for at least three years, and to publish aggregated metrics in annual budget justification materials. It also requires swiped login collection at headquarters using PIV/CACs and directs Chief Human Capital Officers to collect manager documentation when telework privileges are revoked for an employee-specific reason.
Who It Affects
Executive departments (CIOs, CHCOs, IT and security teams), managers with teleworking direct reports, contract employees who telework, agency budget offices preparing justification materials, and systems that store or analyze network telemetry.
Why It Matters
The bill creates a uniform, metric-driven baseline for assessing telework utilization across federal agencies and embeds those metrics into budget documents, shifting telework from an operational practice to a reportable management metric. That elevates questions about employee privacy, data security, analytic standards, and the resource implications for agencies that must collect, retain, analyze, and publish the data.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The REMOTE Act is organized around two enforcement levers: telemetry and documentation. For telemetry, it defines key terms (teleworking employee, login, network traffic, computer network) and directs each Executive department to adopt policies that log when teleworkers connect to agency computer networks and capture the network traffic associated with those remote sessions.
Managers must be directed to review that traffic “periodically,” and agencies must begin retaining the specified telemetry within one year of enactment.
The bill specifies the telemetry elements agencies must retain: for each teleworking employee working remotely, agencies must keep the average number of logins per day, the average daily duration of the employee’s connection to the network, and the network traffic generated while working remotely. Agencies must retain that data for no less than three years and may dispose of it only after that retention period.
Separately, for employees who access networks from headquarters, the bill requires login capture tied to Personal Identity Verification (PIV) or Common Access Cards, with the same three-year retention rule.On reporting, agencies must publish the collected telemetry in their budget justification materials for the first fiscal year beginning after 180 days post-enactment and for each fiscal year thereafter. Published materials must protect personally identifiable information while providing two specific comparisons: average login rates of teleworking employees on each weekday versus the number of approved teleworkers for that weekday, and average login rates of teleworkers versus employees working from headquarters.The human capital side amends 5 U.S.C. 6506(d) to require Chief Human Capital Officers to implement a policy that forces any manager who revokes an individual’s telework privileges for an employee-specific reason to submit written information to the agency human capital office and to the employee.
That information must include the employee’s identifying and pay information, an itemized count of telework days in the six work periods before the revocation, a narrative explaining the reason for the revocation sufficient to confirm whether it complied with agency policy, and steps the manager took to discipline the employee prior to revocation. Agencies must retain that documentation for a “reasonable amount of time” after employment ends.Taken together, the Act creates a structured, auditable trail linking network activity, managerial oversight, and budget reporting.
Implementation will require updates to logging systems, data retention and redaction processes, manager training, and coordination between CIO, HR, and budget offices to translate raw telemetry into the protected, comparative metrics the statute prescribes.
The Five Things You Need to Know
Deadlines: agencies must adopt policies to record login activity and require manager review within 180 days of enactment and begin retaining required telemetry within 1 year.
Required telemetry elements: for each teleworking employee working remotely, agencies must retain (a) average number of logins per day, (b) average daily connection duration, and (c) the network traffic that employee generates while remote.
Retention floor: telemetry collected under the Act may not be disposed of sooner than three years after collection.
Headquarters swipe requirement: employees who access networks from a department’s headquarters must log in using a PIV or Common Access Card and have their averaged login, duration, and network-traffic data collected and retained.
CHCO revocation reporting: managers who revoke an individual’s telework privileges for employee-specific reasons must provide written details (including pay and identifying info, telework days in the prior six work periods, a narrative justification, and prior discipline steps) to the human capital office and the employee.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title — REMOTE Act
This short section names the statute the 'Requiring Effective Management and Oversight of Teleworking Employees Act' or the 'REMOTE Act.' It serves only to identify the Act and has no operational requirements.
Definitions for telemetry and telework
This subsection sets the operative vocabulary—defining terms such as agency office, computer network, login, network traffic, teleworking employee, contract employee, and working remotely. The definitions narrow the universe of covered individuals (employees and contract employees who are covered by a telework agreement and not detailed elsewhere) and tie telemetry obligations to agency-operated networks, which matters for scope and for contractors who use agency systems.
Agency policies, manager review, and data retention
Agency heads must, within 180 days, establish policies that require recording login activity and network traffic and direct managers to periodically review that footage. Agencies must begin retaining specified telemetry elements within one year and may not dispose of those records for at least three years. Practically, this requires agencies to select logging levels, storage locations, and redaction rules consistent with the three-year floor and to incorporate manager-review practices into supervisory duties.
Swiped login collection at headquarters using PIV/CAC
For individuals who regularly perform duties at headquarters, the Act mandates PIV or Common Access Card use to make a login and requires agencies to collect the same average-login, average-duration, and network-traffic metrics for HQ access. The subsection drives a linkage between physical access controls and digital session records, which will require coordination between physical access systems, identity management, and network logging.
Budget-justification reporting requirements
Agencies must publish the retained telemetry in budget justification materials for the applicable fiscal year in a way that protects Personally Identifiable Information (PII). The published metrics must compare average weekday login rates of teleworkers to the number of teleworkers approved to work remotely and compare teleworker login rates to average login rates of employees working from headquarters. This puts telework metrics into the budget process and requires analytic work to produce protected, comparable figures rather than raw logs.
Amendment to Chief Human Capital Officer reporting (5 U.S.C. 6506(d))
This section revises the CHCO reporting statute to add two requirements: (1) annual CHCO reports must include a description of telework policy adverse effects including disciplinary trends; and (2) within 60 days of enactment, CHCOs must implement a policy requiring managers who revoke an employee’s telework privileges for employee‑specific reasons to submit detailed written information to the human capital office and the affected employee. The latter imposes a documented workflow for individual telework revocations and creates records HR must retain.
This bill is one of many.
Codify tracks hundreds of bills on Government across all five countries.
Explore Government in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Agency managers and supervisors — gain documented metrics and an auditable trail to support telework, productivity and performance decisions, reducing reliance on anecdote when justifying revocations or accommodations.
- CFOs and budget officers — receive standardized, agency-level telework utilization metrics in budget justification materials to inform space, travel, and staffing decisions.
- Agency CIOs and security teams — obtain additional telemetry to support incident response and to correlate remote access patterns with security posture, if they integrate the data into security monitoring.
- Congressional and oversight bodies — get consistent, comparable data across agencies embedded in budget materials for evaluating telework policy, costs, and management effectiveness.
Who Bears the Cost
- Agency IT and security organizations — must expand logging, storage, analytics, and redaction capabilities to capture, retain, and report telemetry at scale; this increases infrastructure and personnel costs.
- Human capital offices and managers — must implement new workflows to collect and retain revocation paperwork, train managers on documentation requirements, and handle potential disputes or appeals.
- Contract employees and their employers — contractors who telework on agency systems are pulled into logging and retention regimes and may need to change access practices or contracts to comply.
- Individual employees — face new monitoring and potential privacy intrusions as aggregated telemetry could be used in managerial decisions, and employees may bear indirect costs if agencies change telework policies based on reported metrics.
Key Issues
The Core Tension
The central tension is between agency needs for auditable oversight (to measure telework utilization, enforce policies, and support security) and individual privacy and operational costs: stronger telemetry and reporting improve managerial visibility and security posture but increase the risk of invasive monitoring, legal exposure, and substantial IT and HR burdens—trade-offs with no simple technical or policy fix.
The Act delegates significant discretion to agency officials on key design choices that will drive both legal risk and operational cost: how to capture and store 'network traffic' without creating excessive operational burdens or collecting sensitive content; how to balance sufficient logging for oversight and security against the legal limits of privacy statutes and collective‑bargaining rights; and how to redact PII before publishing aggregated metrics in budget materials. Absent implementing guidance, agencies will make divergent choices about log granularity, retention discipline, and analytic methods, producing inconsistent comparators across agencies despite the statute’s goal of standardized reporting.
Several practical and legal questions remain unresolved. 'Periodic review' by managers is undefined, leaving open whether managers must review every employee’s traffic, a sample, or only when alerted by anomalies; each approach carries different privacy and workload consequences. The definition of 'network traffic' could sweep in content-level information (URLs, file access patterns, payload metadata) unless agencies narrowly scope collection to metadata; that choice affects admissibility for disciplinary actions, Privacy Act obligations, and cyber incident response.
Finally, requiring PIV/CAC swipes to capture HQ login averages links physical access systems to network telemetry in ways that may require contract changes with access-control vendors and careful coordination to avoid erroneous attribution of logins.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.