Can mobility escape the security snare?

Federal mobility efforts are advancing fast, but discussions keep coming back to unresolved security issues. ATF's Rick Holgate suggests that agencies are making progress.

The incorporation of mobile devices into agency work has continued to expand, but its main challenge is one that has lingered since the technology began gaining traction in the federal government: security.

Rick Holgate, assistant director and CIO at the Bureau of Alcohol, Tobacco, Firearms and Explosives, says that agencies are taking diverse approaches to incorporating mobility, but can't shake some common worries.

“As you look across various agencies, there’s a lot of disparity in the way how people think about their IT infrastructure, how they might expand that mobile environment and secure it,” Holgate said.

In the last 12 months, federal agencies have started to address the security issues, whether it’s updating or drafting new policies or creating new security controls, he said. Taxonomy is also catching up, noted Holgate, who serves as co-chair of the Advanced Mobility Working Group at the American Council for Technology and Industry Advisory Council.

“We’re starting to see more common vocabulary and framework to even have a conversation about security issues,” he said. “Beyond that, it’s a matter of looking at federal agencies and their various levels on risk tolerance as it relates to security.”

Risk tolerance, indeed, spans a broad range. Some agencies, such as the General Services Administration and the Agriculture Department, by nature have entirely different risk levels than departments dealing with sensitive or classified information. Law enforcement agencies have a risk tolerance that’s “much, much lower,” which can be seen in how they pursue something like cloud computing opportunities, Holgate said.

But all agencies have to assess their vulnerabilities and understand what mitigations to put in place before considering a mobile move. “Agencies are now starting to get more specific in trying to categorize solutions that meet the different levels of risk tolerance,” Holgate said.

Three months after the Office of Management and Budget released the digital government strategy, U.S. CIO Steven VanRoekel announced new guidance for "bring your own device" that highlights case studies and best practices for BYOD. The document was created by the Digital Services Advisory Group, of which Holgate is a member, and the Federal CIO Council.

The challenge of BYOD, he said, again boils down to risk. But the risk is compounded because the agencies have little or no control over devices owned by individual employees. 

The willingness of agencies to allow BYOD varies widely. The Defense Department, for example, “pretty much wants nothing to do with” BYOD, he said, whereas other organizations have moved more aggressively in providing their employees capabilities that enable remote work.

Good policy can go a long way toward making BYOD less risky for agencies. It also covers other concerns, such as whether agencies are able to pick up the mobile device and service tab entirely, partially or not at all, he said.

“People are looking for the next-generation information on BYOD to come from the OMB that will address issues around reimbursement and the changing nature of the employee relations that BYOD means,” Holgate said. “There’s a cultural aspect as well – there are implications for what the organizations’ expectations are for employees who are now connected 24/7.”
