Progress and problems in hashing out government mobile baseline


As government agencies work to implement measures under the White House's digital government strategy, leaders say collaboration and learning as they go along are helping to propel progress.

The strategy includes a slate of deliverables that will be due as the effort reaches the 12-month milestone in June. Among them is milestone 10.2, a directive for the Homeland Security Department, Defense Department and National Institute of Standards and Technology to develop a government-wide mobile and wireless security baseline, including security reference architectures. According to officials, the final plan is expected in the coming weeks, but the road to get there has been bumpy at best.

"It is not as easy as it sounds to go through 700-some controls and figure out what constitutes a baseline for the federal government," said David Carroll, chief information security architect at DHS and co-chair of both the federal CIO Council's mobile technology tiger team and the committee on national security systems' mobile and wireless working group.

The plan is designed as a package that provides the baseline as well as a roadmap for getting there. "This baseline will come out looking something like a DOD overlay – it will have a descriptive capability package. The reference architecture is like a playbook; it says if you're here and this type of user and mission, here's how you start making decisions at this point to get you to the baseline," Carroll said. "We want to be able to lay this in front of somebody and say, 'You are here, and here are your problem sets.'"

While Carroll said he expects to wrap up by next month, both he and Kevin Cox, program manager of the information security tools team on the IT security staff at the Justice Department, noted it has been a laborious process getting there.

Cox, who co-chairs the CIO Council tiger team with Carroll, said that their team talked to agencies to learn what they were doing, what their longer-term mission requirements were, and what they wanted to be able to do. They also worked to find gaps preventing them from moving forward.

"The real aim is to enable new technology, not to put up roadblocks," Cox said. "But at the same time, as the government, we have to ensure that our data is protected and personally identifiable information from citizenry is protected. So we have to really establish what is minimally acceptable for everybody to ensure the infrastructure is protected as well as the data itself."

Along the way, Carroll said he found that many agency leaders were not sure where to begin. "You never expect folks to ask how to make a decision, especially those of us within the information security – that's all we do, analyze, break things down into little parts and apply policy," Carroll said. "But halfway through process people were asking, 'how do I even start?'"

To answer that question, Carroll said, he helped convene a team to create a decision framework model, layering government efforts in a range of security-related areas, such as tailored risk models and frameworks being used at DOD and in the intelligence community. He also said leadership must focus on user information and location – which can be anywhere these days – as well as balancing decisions between security and other concerns, such as economics and capabilities.

Both Carroll and Cox emphasized the need for industry to have a seat at the table in order to create a seamless mobile environment within the government.

"A lot of what we're trying to do here is speak as one voice within the federal government to our industry partners, to tell them what we expect," Carroll said. "That will take the form of the baseline, that will take the form of the reference architecture and it will make clear what our conditions are."

While the effort is driven by the White House, the speakers also acknowledged the power of the federal workforce's growing demand to embrace technology and to be able to work anywhere, any time.

"There will be future technologies to deal with, and we want to be able – to the extent it makes sense – to enable teleworkers to do their day-to-day jobs and perhaps gain efficiencies and capabilities," Cox said. "So this process will continue as new technologies come down...and from a federal standpoint we're going to try to enable that and meet mission requirements securely."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
