The administration is expected to release details this week for how agencies should secure government-issued smartphones and tablet computers.
The new security standards are similar to those already in use for laptops and other information systems, but they will be tailored to meet agencies’ mobile security needs. They will not include security requirements for employees’ personal mobile devices that are used for government work.
Kevin Cox, a Justice Department member of the interagency team tasked with developing the mobile security standards, said they will not authorize specific devices for government use. Rather, they are “a way for an agency to determine what level of risk they’re willing to assume” in choosing a device. “It’s not going to give them an answer; they need to do an analysis.”
The documents, for example, won’t spell out whether employees can download Skype or Angry Birds on their government smartphone. But they will help agencies understand how to monitor the security of these types of applications and ensure they aren’t infected with malware or secretly accessing government data on the device.
Apps that require employees to provide personally identifiable information to conduct transactions, for example, would need to be vetted and receive approval for use, said Jitesh Sachdev, chief operating officer for app development firm INADEV, who is familiar with the draft standards. Some agencies may allow employees to use popular apps, such as Google Maps, but may choose to disable the location tracking capabilities, Sachdev said. Some agencies have developed secured versions of applications like Skype to provide employees access to video conferencing.
“There are millions of apps out there, and to be able to know which ones are vetted and which are not is very difficult,” Sachdev said. Some agencies have internal app stores or portals that employees can use to load secure apps. And there are software solutions that can restrict which apps employees download on their government devices.
The goal is to enable employees to perform the same activities on mobile devices as on desktop computers, Cox said.
Agencies may adapt standards to address their specific needs. For example, the National Institute of Standards and Technology, which develops standards for securing federal information technology, recommends that agencies disable or restrict unnecessary functions or services on their computer systems. For mobile devices, that may mean restricting which applications employees can download or disabling mobile capabilities that aren’t needed for work and that could be a security risk.
For example, agencies will have to decide whether to disable or secure capabilities such as WiFi for employee use, Sachdev said.
“You have to work hard to come up with policies that will protect the [government’s] data” and still take advantage of the flexibility mobile devices offer employees, said Ron Perez with AMD, a company that designs and manufactures graphics cards and microprocessors for personal computers, tablets and other devices.
Standards will focus on securing devices to a “moderate level,” which means employees should at least be able to view routine emails, calendars and appointments; do research on the Web; and communicate with colleagues via phone and email, all securely, said the Justice Department’s Cox.
Cox said the documents initially will not include guidance to agencies on allowing employees to use their personal devices for work, a concept known as bring-your-own-device (BYOD). Doing so would have slowed down the release of the standards, but agencies can use them as a foundation for developing BYOD standards, he said.
Many agencies lack the skills needed to tackle mobile security challenges on their own, and these standards will save them the struggle of having to develop their own, said Simon Szykman, chief information officer for the Commerce Department, at an industry event this month.
The standards also will help better guide companies as they seek to roll out mobile technologies and products for the federal market, said AMD’s Perez.
Agencies also must weigh the risk of not equipping employees with mobile devices, said Clark DeHaven, senior director of corporate strategy at LGS Innovations, which specializes in mobile and wireless solutions. The cumbersome process of approving devices for federal work has driven some employees to circumvent the system and use their own unsecure devices and applications.
Intelligence agencies are under pressure to secure employees’ personal devices because their communications with friends and family, if intercepted, could compromise their location or mission, said Mike Janke, CEO and co-founder of Silent Circle. The company provides a service to encrypt voice, text and email and route these communications using a secure app that encrypts and decrypts calls and messages directly on users’ devices. Unlike other solutions, encryption keys are not stored on servers that could be susceptible to hackers.
The intent of Silent Circle’s solution is to ensure employees’ communications over personal devices are secure. Janke referenced one incident where Defense Department contractors were working on drone designs and sending drafts over their personal accounts because they wanted to refine the document before sharing it across the company’s network, where it could be scrutinized prematurely.
Silent Circle’s customers, such as DoD, acknowledge that some business is being done without adhering to security standards, Janke said. “That is the huge liability that DoD is trying to shore up,” he said.
DoD has streamlined its process for reviewing and approving government-owned devices, such as Apple’s iPhone, and is soon expected to approve more devices for widespread use.
One challenge for DoD and civilian agencies has been enabling the use of Personal Identity Verification cards and Common Access Cards on mobile devices, which employees are also supposed to use for accessing federal buildings and workstations.
“CIOs have given an exemption,” allowing employees to use mobile devices without PIV and CAC cards, said Michael Harris, chief technology officer at technology firm Precise Biometrics. As new capabilities become available, CIOs will enforce the use of PIV cards, but that requires funding to test and purchase those security solutions.
Harris’ company last year released a solution called Tactivo, a $249 case that doubles as a smart card reader and fingerprint scanner for such devices as the iPhone and iPad. More than 30 agencies, including DoD, the Federal Aviation Administration and the White House, are testing the case, Harris said. The solution can be integrated with mobile device management solutions and require employees to satisfy a combination of security safeguards, such as entering a password, inserting a PIV card in the back of the case or verifying identity with a fingerprint, to access agency applications. Contractors such as Booz Allen Hamilton, which uses government PIV cards, are testing the Tactivo solution to secure company-issued and personal devices, Harris said.
Some agencies don’t know this type of technology exists, Harris said. The issue, however, will be the cost associated with replacing the cases when new phones are purchased or buying them for employees’ own devices. Harris doesn’t expect that cost will come up often, considering that agencies tend to extend the use of their devices rather than upgrade them when new versions come out.
He expects DoD and other agencies will use the phone case technology more widely, especially if DoD’s approval for iPhones and Android devices requires the use of CACs.