
Feds make good on mobile deliverables


A key component of the Obama administration’s one-year-old Digital Government Strategy charged several federal agencies with developing baseline standards of security requirements for mobile computing and a mobile security reference architecture that incorporated security and privacy by design.

On May 23, the government made good on the strategy’s mobility deliverables, releasing standards for the Federal Mobile Security Baseline, Mobile Security Decision Framework, and Mobile Security Reference Architecture.

Defining what works and what doesn’t in mobility makes sense, given that the number of Internet-connected mobile devices already outnumbers PCs and will soon outnumber the worldwide human population. The future of government is mobile, Federal CIO Steven VanRoekel told reporters in a May 23 conference, and these deliverables will help government address that fast-approaching reality.

“The future for us really holds a future where mobile is the default computing platform,” VanRoekel said, discussing how separate security guidelines apply for on-premise computers, laptops, desktops and mobile devices.

“We’re not far from mobile being the default computing environment and the fact that we treat them differently is a disconnect,” VanRoekel said. “This guideline, along with the mobile app development guideline and the mobile device management guidelines, are the three pieces on how you build a comprehensive story of how to properly manage mobile inside the government environment.”

The Federal Mobile Security Baseline provides federal agencies a minimum set of security controls for mobile devices. It was tasked to the Department of Homeland Security, Department of Defense and the National Institute of Standards and Technology, and the resulting standards were ultimately a collaborative effort with experts from the Department of Justice, General Services Administration and other members of the Mobile Technology Tiger Team.

The standards address major access-, application-, data-, device- and identity-management challenges, as well as mitigation techniques agencies should use to deal with threats at the application, device and network levels.

The standards also identify five high-level user communities for digital services, outlining use cases from non-sensitive public data to top-secret data accessed on national security systems.


“We ... had DHS, DOD, NIST, DOJ and others scrubbed in and working on this project to define to the industry what are the security baselines we’d like to see on a government-owned phone on a government network,” VanRoekel said.

The Mobile Security Decision Framework, meanwhile, is designed to assist in determining what mobile capabilities most effectively support an agency's mission. At its core, it is a decision-making process feds can use to select the right mobile computing solution for their agency, and divides the process into four stages: mission requirements, decision balancing, risk-based tailoring and results.

The majority of the decision-making process centers on the risk-based tailoring stage, wherein frameworks like NIST Special Publications 800-37 and 800-39 help agencies weigh risk across seven categories.

The Mobile Security Reference Architecture details the components agencies need to implement secure mobile services throughout their enterprise architectures, and was produced by the Federal CIO Council and DHS’ National Protection and Program Directorate Office of Cybersecurity and Communications Federal Network Resilience.

The document describes the MSRA as a “living, flexible” guide, adaptable enough for any department, that provides an in-depth reference architecture including:

• Components of a mobile computing reference architecture;

• Categories for users of a mobile computing architecture;

• Sample implementations of a mobile computing architecture;

• Management and security functions of a mobile computing architecture;

• A discussion of the threats to mobile computing devices and infrastructures, and potential mitigations for those threats;

• Information assurance controls that apply to the mobile infrastructure components, and their relation to NIST Special Publication 800-53 rev4;

• A set of considerations for High Risk environments; and

• A discussion of the policy considerations necessary for the secure adoption of a mobile solution.

About the Author

Frank Konkel is a former staff writer for FCW.
