Feds make good on mobile deliverables

A key component of the Obama administration’s one-year-old Digital Government Strategy charged several federal agencies with developing baseline standards of security requirements for mobile computing and a mobile security reference architecture that incorporated security and privacy by design.

On May 23, the government made good on the strategy’s mobility deliverables, releasing standards for the Federal Mobile Security Baseline, Mobile Security Decision Framework, and Mobile Security Reference Architecture.

Defining what works and what doesn’t in mobility makes sense, given that the number of Internet-connected mobile devices already outnumbers PCs and will soon outnumber the worldwide human population. The future of government is mobile, Federal CIO Steven VanRoekel told reporters in a May 23 conference, and these deliverables will help government address that fast-approaching reality.

“The future for us really holds a future where mobile is the default computing platform,” VanRoekel said, discussing how separate security guidelines apply for on-premise computers, laptops, desktops and mobile devices.

“We’re not far from mobile being the default computing environment and the fact that we treat them differently is a disconnect,” VanRoekel said. “This guideline, along with the mobile app development guideline and the mobile device management guidelines, are the three pieces on how you build a comprehensive story of how to properly manage mobile inside the government environment.”

The Federal Mobile Security Baseline provides federal agencies a minimum set of security controls for mobile devices. It was tasked to the Department of Homeland Security, Department of Defense and the National Institute of Standards and Technology, and the resulting standards were ultimately a collaborative effort with experts from the Department of Justice, General Services Administration and other members of the Mobile Technology Tiger Team.

The standards address major access-, application-, data-, device- and identity-management challenges, as well as mitigation techniques agencies should use to deal with threats at the application, device and network levels.

The standards also identify five high-level user communities for digital services, outlining use cases from non-sensitive public data to top-secret data accessed on national security systems.

“We ... had DHS, DOD, NIST, DOJ and others scrubbed in and working on this project to define to the industry what are the security baselines we’d like to see on a government-owned phone on a government network,” VanRoekel said.

The Mobile Security Decision Framework, meanwhile, is designed to assist in determining what mobile capabilities most effectively support an agency's mission. At its core, it is a decision-making process feds can use to select the right mobile computing solution for their agency, and divides the process into four stages: mission requirements, decision balancing, risk-based tailoring and results.

The majority of the decision-making process centers around the risk-based tailoring aspect, wherein frameworks like NIST Special Publications 800-37 and 800-39 help agencies weight risk across seven categories.

The Mobile Security Reference Architecture details the components agencies need to implement secure mobile services throughout their enterprise architectures, and was produced by the Federal CIO Council and DHS’ National Protection and Programs Directorate Office of Cybersecurity and Communications Federal Network Resilience.

The document describes the MSRA as a “living, flexible” guide, adaptable enough for any department, that provides an in-depth reference architecture including:

• Components of a mobile computing reference architecture;

• Categories for users of a mobile computing architecture;

• Sample implementations of a mobile computing architecture;

• Management and security functions of a mobile computing architecture;

• A discussion of the threats to mobile computing devices and infrastructures, and potential mitigations for those threats;

• Information assurance controls that apply to the mobile infrastructure components, and their relation to NIST Special Publication 800-53 rev4;

• A set of considerations for High Risk environments; and

• A discussion of the policy considerations necessary for the secure adoption of a mobile solution.

About the Author

Frank Konkel is a former staff writer for FCW.
