OMB's mixed messages on mobility are putting federal agencies at risk

On October 8, 2021, the Office of Management and Budget (OMB) issued M-22-01 specifically calling on agencies to provide continuous monitoring and collection of endpoint data for, among other endpoints, mobile devices.  This is in keeping with President Joe Biden's cybersecurity executive order and also consistent with the Federal Information Security Modernization Act (FISMA) metrics and reporting requirements going back several years. 

In fact, the updated requirements for 2020 stated that metrics "include an additional focus on the security of mobile devices…particularly in the areas of mobile device management and enterprise mobility management."

Then, in December of 2021, OMB released the reporting requirements for the FISMA Scorecard, which each agency CIO must submit.  The FY 2022 CIO FISMA Metrics no longer contain the FISMA Mobility Metrics, and OMB's language omits mobile devices (including tablets and smartphones) and apparently no longer considers them to be endpoints on the agency's enterprise network.  OMB has confirmed that this was done intentionally and was not an oversight.  

OMB's intention might have been to streamline the FISMA reporting process by eliminating the requirement to report the FISMA Mobility Metrics, and it may be that OMB believed the increased logging requirements would provide an adequate alternative.  However, by not requiring that agencies specifically report on the percentage of mobile devices accessing their network under mobile device management, agency CIOs no longer have visibility into or accountability for how those mobile endpoints are secured and protected.   

Even as early as 2016, more than 50% of worldwide traffic was initiated on a mobile device, and in 2020 it is reported that more than 60% of that traffic is accessed on a mobile device. Certainly, in March of 2020, when the pandemic forced many federal employees and contractors to work remotely, the amount of network traffic over GFE mobile devices or bring your own devices (BYOD) skyrocketed.   Now, in the summer of 2022, even as some agencies have reopened, the reliance on mobile devices is not likely to decrease.  In fact, as the pandemic restrictions ease, we are seeing federal employees and contractors resuming travel schedules, again a time when reliance on mobile endpoints is critical for success of the government's mission.  

Additionally, the executive order and OMB memo M-22-09 call for the implementation of zero trust architectures, requiring a complete inventory of all endpoints, authorization of those endpoints, and asset management.  And looking back to OMB memo M21-31 from August of 2021, requirements were outlined for mobile devices to be enrolled in a mobile device management solution and to have mobile threat defense capabilities and threat logging.  

Improving cybersecurity and reducing risk is clearly critical, as highlighted by the EO and the OMB memos.  Part of the best practices for risk reduction is identifying and knowing all the devices that are accessing your data, applications, and resources.  Any change to the CIO's reporting requirements that omits mobile devices is a step in the wrong direction and sends the signal that there is no accountability for protecting this critical part of the network.  OMB needs to revise the 2022 FISMA Metrics and explicitly reinstate the mobility metrics and threat defense protections.