Progress and problems in hashing out government mobile baseline

As government agencies work to implement measures under the White House's digital government strategy, leaders say collaboration and learning as they go along are helping to propel progress.

The strategy includes a slate of deliverables that will be due as the effort reaches the 12-month milestone in June. Among them is milestone 10.2, a directive for the Homeland Security Department, Defense Department and National Institute of Standards and Technology to develop a government-wide mobile and wireless security baseline, including security reference architectures. According to officials, the final plan is expected in the coming weeks, but the road to get there has been bumpy at best.

"It is not as easy as it sounds to go through 700-some controls and figure out what constitutes a baseline for the federal government," said David Carroll, chief information security architect at DHS and co-chair of both the federal CIO Council's mobile technology tiger team and the committee on national security systems' mobile and wireless working group.

The plan is designed as a package that provides the baseline as well as a roadmap for getting there. "This baseline will come out looking something like a DOD overlay – it will have a descriptive capability package. The reference architecture is like a playbook; it says if you're here and this type of user and mission, here's how you start making decisions at this point to get you to the baseline," Carroll said. "We want to be able to lay this in front of somebody and say, 'You are here, and here are your problem sets.'"

While Carroll said he expects to wrap up by next month, both he and Kevin Cox, program manager of the information security tools team on the IT security staff at the Justice Department, noted it has been a laborious process getting there.

Cox, who co-chairs the CIO council tiger team with Carroll, said that their team talked to agencies to learn what they were doing, what their longer-term mission requirements were, and what they wanted to be able to do. They also worked to find gaps preventing them from moving forward.

"The real aim is to enable new technology, not to put up roadblocks," Cox said. "But at the same time, as the government, we have to ensure that our data is protected and personally identifiable information from citizenry is protected. So we have to really establish what is minimally acceptable for everybody to ensure the infrastructure is protected as well as the data itself."

Along the way, Carroll said he found that many agency leaders were not sure where to begin. "You never expect folks to ask how to make a decision, especially those of us within the information security – that's all we do, analyze, break things down into little parts and apply policy," Carroll said. "But halfway through process people were asking, 'how do I even start?'"

To answer that question, Carroll said, he helped convene a team to create a decision framework model, layering government efforts in a range of security-related areas, such as tailored risk models and frameworks being used at DOD and in the intelligence community. He also said leadership must focus on user information and location – which can be anywhere these days – as well as balancing decisions between security and other concerns, such as economics and capabilities.

Both Carroll and Cox emphasized the need for industry to have a seat at the table in able to create a seamless mobile environment within the government.

"A lot of what we're trying to do here is speak as one voice within the federal government to our industry partners, to tell them what we expect," Carroll said. "That will take the form of the baseline, that will take the form of the reference architecture and it will make clear what our conditions are."

While the effort is driven by the White House, the speakers also acknowledged the power of the federal workforce's growing demand to embrace technology and to be able to work anywhere, any time.

"There will be future technologies to deal with, and we want to be able – to the extend it makes sense – to enable teleworkers to do their day-to-day jobs and perhaps gain efficiencies and capabilities," Cox said. "So this process will continue as new technologies come down...and from a federal standpoint we're going to try to enable that and meet mission requirements securely."