Security concerns have made federal information technology managers reluctant to allow their agencies’ employees to use more powerful smartphones for work purposes.
But help is on the way.
Starting next month, federal cybersecurity experts will begin issuing a series of guidelines agencies can use to help secure their employees’ use of smartphones and tablets.
The new mobile security guidelines are modeled after those issued this month by the National Institute of Standards and Technology. Ron Ross, a senior computer scientist and information security researcher at NIST, said some may need to be modified, depending on each agency’s specific needs.
One NIST security standard recommends that agencies disable or restrict unnecessary functions or services on their information systems.
For mobile devices, that may mean restricting which applications employees can download or disabling mobile capabilities that aren’t needed for work and that could be a security risk.
The new guidelines were developed by officials from NIST, the Department of Homeland Security, the Defense Department and the Justice Department.
Margie Graves, deputy chief information officer at DHS, told an industry event this month that the guidelines amount to a series of checklists that agency IT managers can use to ensure they are adopting sound security steps.
Each checklist is tailored to a different way in which federal employees might use their smartphones, Graves said, declining to add further details.
DHS CIO Richard Spires said the standards will help agencies in developing bring-your-own-device programs, in which employees are able to use their personal mobile devices for work.
Graves said agencies may tailor the guidelines to meet their unique needs.
“What it doesn’t do, and I don’t think we should do ... is we don’t want to prescribe specific technologies or specific solutions,” she said.
For instance, the intelligence community, law enforcement agencies and the Defense Department may have similar standards, while DHS’s Federal Emergency Management Agency would need other standards to enable mobile communications with the public during a natural disaster.
The first iteration of security guidelines will concern mobile communications between federal employees.
Subsequent installments will be issued later this spring.
In the absence of governmentwide standards, chief information officers have been forced to create their own mobile policies and decide what security standards are sufficient for their agencies.
Many have been hesitant to expand the use of commercial mobile devices, such as Apple and Android devices, at their agencies for fear that attackers could exploit security weaknesses on the devices and compromise federal data.
“There are … areas that we are looking toward the federal government to provide those answers,” said Brad Nix, chief information security officer for the Agriculture Department’s Food and Nutrition Service.