The administration issued new security standards for mobile devices on Thursday that call on agencies to use third-party software that can monitor and enforce security policies on the devices.
The standards, released on CIO.gov, focus on securing devices to a “moderate level,” which means employees should be able to view routine emails, calendars and appointments; communicate with colleagues via phone and email; and access agency and mission-specific apps, all securely. The baseline standards will help agencies address security risks from employees accessing data on internal and external systems using government-issued mobile devices while in the office, in the field, at alternate work sites or in remote locations abroad.
The standards say that third-party software used on the mobile devices should enable agencies to:
* Restrict employees from downloading certain attachments and copying data to and from removable media.
* Lock the device or erase agency data on the device if the operating system is altered, if there are multiple failed attempts to enter the correct password for accessing the device, or if other agency security standards are violated.
* Control what applications can and cannot be downloaded on the device. The document doesn’t tell agencies which apps to download, but it advises agencies to develop a process for vetting mobile apps to check for vulnerabilities and malware and whether downloaded apps have been approved for use by the agency.
There are optional standards agencies can adopt, including the ability to view the current location of a single device or logical grouping of devices on a map. The document makes clear that the standards should be used as a guide for implementing a mobile security program, and they will not replace or supersede mandatory federal requirements for protecting information systems.
Along with the baseline standards, the administration released recommendations for approving, procuring and managing the use of mobile apps within an agency. They include:
* Creating a governmentwide catalog for commercial mobile apps that highlights key functions and capabilities the apps provide for government.
* Developing standard governmentwide terms of service for commercial mobile applications.
* Creating a governmentwide cloud storage service to store and process data for government apps.