Feds make good on mobile deliverables

A key component of the Obama administration’s one-year-old Digital Government Strategy charged several federal agencies with developing baseline standards of security requirements for mobile computing and mobile security reference architecture that incorporated security and privacy by design.

On May 23, the government made good on the strategy’s mobility deliverables, releasing standards for the Federal Mobile Security Baseline, Mobile Security Decision Framework, and Mobile Security Reference Architecture.

Defining what works and what doesn’t in mobility makes sense, given that the number of Internet-connected mobile devices already outnumbers PCs and will soon outnumber the worldwide human population. The future of government is mobile, Federal CIO Steven VanRoekel told reporters in a May 23 conference, and these deliverables will help government address that fast-approaching reality.

“The future for us really holds a future where mobile is the default computing platform,” VanRoekel said, discussing how separate security guidelines apply for on-premise computers, laptops, desktops and mobile devices.

“We’re not far from mobile being the default computing environment and the fact that we treat them differently is a disconnect,” VanRoekel said. “This guideline, along with the mobile app development guideline and the mobile device management guidelines, are the three pieces on how you build a comprehensive story of how to properly manage mobile inside the government environment."

The Federal Mobile Security Baseline provides federal agencies a minimum set of security controls for mobile devices. It was tasked to the Department of Homeland Security, Department of Defense and the National Institute of Standards and Technology, and the resulting standards were ultimately a collaborative effort with experts from the Department of Justice, General Services Administration and other members of the Mobile Technology Tiger Team.

The standards address major access-, application-, data-, device- and identity-management challenges, as well as mitigation techniques agencies should use to deal with threats at the application, device and network levels.

The standards also identify five high-level user communities for digital services, outlining use cases from non-sensitive public data to top-secret data accessed on national security systems.

“We ... had DHS, DOD, NIST, DOJ and others scrubbed in and working on this project to define to the industry what are the security baselines we’d like to see on a government-owned phone on a government network,” VanRoekel said.

The Mobile Security Decision Framework, meanwhile, is designed to assist in determining what mobile capabilities most effectively support an agency's mission. At its core, it is a decision-making process feds can use to select the right mobile computing solution for their agency, and divides the process into four stages: mission requirements, decision balancing, risk-based tailoring and results.

The majority of the decision-making process centers around the risk-based tailoring aspect, wherein frameworks like NIST Special Publications 800-37 and 800-39 help agencies weight risk across seven categories.

The Mobile Security Reference Architecture details the components necessary to implement secure mobile services throughout their enterprise architectures, and was produced by the Federal CIO Council and DHS’ National Protection and Program Directorate Office of Cybersecurity and Communications Federal Network Resilience.

The document describes MSRA as a “living, flexible” guide, adaptable enough for any department that provides in-depth reference architecture that includes:

• Components of a mobile computing reference architecture;

• Categories for users of a mobile computing architecture;

• Sample implementations of a mobile computing architecture;

• Management and security functions of a mobile computing architecture;

• A discussion of the threats to mobile computing devices and infrastructures, and potential mitigations for those threats;

• Information assurance controls that apply to the mobile infrastructure components, and their relation to NIST Special Publication 800-53 rev4;

• A set of considerations for High Risk environments; and

• A discussion of the policy considerations necessary for the secure adoption of a mobile solution.