ExecTech

BYOD is evolving for a cyber-conscious age


Mobile devices have been a staple of the federal workplace for years, going back to the days when everyone relied on BlackBerries to bang out email when away from the office.

The smartphone world looks quite different today. Although a few diehards still refuse to surrender their BlackBerries, iPhone and Android devices dominate the landscape. And increasingly, employees would rather use their own devices at work than carry both a personal and a work phone.

The bring-your-own-device practice has gained ground at the federal level, but it brings a mix of issues with which CIOs and other IT leaders must grapple. Experts caution that agencies have serious security matters to consider before throwing open the doors to mobile access to key assets.

Kimberly Hancher, former CIO at the Equal Employment Opportunity Commission, helped craft the White House BYOD policy in 2012. That document outlines a broad set of guidelines that agencies can use to establish the proper parameters for mobile access. Yet four years later, she said, there aren't enough clear policies at federal agencies.

"I don't think most agencies are really undertaking the effort and due diligence to address BYOD policy," she said. "They're just sort of letting people do whatever they can get away with, and very few agencies have actually put formal policies in place."

She points out that there are consequences to that approach. "If the agency doesn't undertake due diligence to create the rules of behavior for bringing a device, then people will simply do it and put agency data at risk by doing so," Hancher said. "It's really important to state the policy [and] put the security measures in place if you're going to allow some BYOD. And if you're not going to allow it, you should make that decision and say [that] until further notice, it's not allowed."

Hancher, now a principal at Deep Water Point consulting firm, said agencies must decide whether a BYOD program makes sense for them and then determine which devices to support and what types of security to use.

The fundamentals

Many agencies have a BYOD environment and don't even know it. According to research by mobile security company Lookout, nearly half of federal employees access work email from a personal device. Furthermore, nearly one-quarter send work-related documents to their personal email accounts, and 17 percent store work documents in their personal cloud storage service.

With teleworking making such activities common, the National Institute of Standards and Technology issued a report in March that outlines some best practices for teleworking and BYOD security. Among the recommendations:

  • Use mobile device management software, which allows agencies to containerize particular data and wipe it, when necessary, without affecting the user's personal content.
  • Require employees to install apps only from approved application stores, and tell them not to root or jailbreak their devices, which exposes them to threats from nonsecure networks and apps.
  • More broadly, NIST concluded that agencies must create clear-cut policies describing what's allowed and what's off-limits when it comes to email, documents and other government data.

The hurdles

The biggest driver of BYOD policy is security, said Tom Suder, president and founder of Mobilegov. Suder, who regularly advises agencies on mobile device strategy, said security and the corresponding legal issues are leading the discussions.

"The biggest issue to this day is legal," he said. "What happens if there is data spillage on a personal device and by policy I have to destroy the device? Who pays for it? Do I get to keep my phone number? What rights do I give up if I agree to a government BYOD policy?"

Such issues must be spelled out in a policy, he added. If they're not, employees might be reluctant to allow critical information to be stored on their devices.

He said containerization solutions such as Samsung Knox and Good Secure EMM Suites can segment the government data from the rest of the phone. Another option is Hypori, a startup that uses virtualized app technology to access sensitive information without actually storing it on the device.

Some agencies are issuing guidelines that set boundaries and tell employees what they are allowed to do with sensitive information and how to access work email on their personal devices. NASA, for example, is managing several projects that will facilitate the use of personal devices for varying levels of network and system access, according to an agency spokesman. Although those projects have not reached the user testing or trial stage, employees are allowed to use personal mobile devices to connect to the agency's email system via Microsoft's Exchange ActiveSync, where a set of security requirements is applied.

"NASA's mobility vision ... states that NASA personnel 'will be able to securely and seamlessly access and share any authorized information, anyplace, anytime, using any device,'" Enterprise Applications Service Executive John Sprague wrote in a newsletter published by NASA's Office of the CIO in late 2013. "The aim of NASA's mobility vision is to provide services while protecting sensitive data."

He added that participation in the BYOD program is voluntary, and NASA will not compensate employees for the costs associated with using their personal devices for work. Furthermore, participating employees must use lockout code protection and keep their devices up-to-date with the latest security patches.

Although a key appeal of BYOD for agencies is the savings that come with not buying devices, the endeavor is hardly cost-free.

"It saves money if you replace a company phone, but it's not a cost of zero," Suder said. "You still have the licensing fees from mobile device management, the company doing the containerization and any costs that come from additional security measures."

The challenge for IT leaders is determining whether or not to embrace BYOD and, if so, how to craft a policy. BYOD doesn't make sense for every agency. But the fact that so many employees are creating their own shadow networks means that all levels of government should have some type of policy that explicitly states the expectations.

Hancher, who helps federal agencies craft BYOD policies, has a three-part test that should serve as the foundation for any BYOD initiative:

  • Does your agency deal with classified data?
  • Do you have sensitive personally identifiable information? Such data is usually less tightly protected than classified information but can include important details such as Social Security numbers.
  • Does your agency, as part of its mission, handle information critical to the infrastructure of the country? This could include data about the energy grid, water sources or other information that terrorist organizations would deem valuable.

A "yes" answer to any one of those questions can complicate the task of crafting a workable approach, Hancher said.

Next steps

Some agencies might determine that BYOD is not appropriate, but that doesn't mean IT leaders should consider the matter closed. Instead, it means the agency should formulate a policy that states why BYOD isn't appropriate and details the expectations for how employees treat government data.

"I would want to be clear with my employees that we do not allow BYOD, we do provision for people in these kinds of jobs, and that's it. Or we do allow BYOD and here are the rules," Hancher said. "It's critical to be clear with employees what you do and don't allow under certain circumstances. I don't think most agencies have done the proper due diligence and made employees aware of what the policy is."

And although the focus of much of the debate has been smartphones, it's worth noting that the discussion extends to tablets and laptops as well. In general, Suder said, agencies that want their employees to have a tablet or other mobile tool, such as the Surface Pro 4, are providing those devices. He cited the departments of Defense and Agriculture as examples.

"On the tablet side, Microsoft is doing well because the Surface Pro 4 is really the next generation of your laptop, as you can also use it as a tablet," he said. "I see a lot of those, but of course, a lot of folks are still using the iPad for its ideal form factor."

Whatever the device, managers and employees must know what the expectations are, even if BYOD isn't allowed. There is too much critical information at stake to ignore the issue.
