OMB delivers advice to help agencies get going on mobile
- By Patrick Marshall
- Jun 04, 2013
IT staffs that have been struggling with finding ways to securely integrate the growing number of smart phones and tablets into their data environments are now getting some guidance from the Office of Management and Budget.
At the end of May, OMB delivered to departments and agencies The Federal CIO Council's “Mobile Security Reference Architecture,” a 104-page guide detailing strategies for securing government-owned commercial smartphones and tablets.
The MSRA follows the April release by the National Institute of Standards and Technology of the even broader set of security policy guidelines in Revision 4 of Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” and late 2011 of the “Electronic Authentication Guideline,” SP 800-63. Both publications address mobile environments.
The CIO Council’s document goes into great detail about strategies for securing mobile devices in an enterprise environment, but doesn’t get into the details of implementing those strategies with, say, specific operating systems or devices. And as some analysts have pointed out, the guide amounts to a mandate for agencies and departments, but there is no additional funding being provided for implementation.
Still, some analysts say the report is an important step. "It's a big deal to some agencies that are lagging in developing policies," said Shawn McCarthy, ICD Government Insights director. "A baseline document like this has to exist so that people can go back to it, especially if somebody comes up with something that's too far afield of that."
The variety of systems and computing environments among agencies prevents a single document from getting too technically specific. "It is a set of best practices," McCarthy said. "And that's a loaded thing to say. Every agency is so unique that is difficult to say, 'Here's your one-size-fits-all solution.'"
The big problem is going to be with the legacy systems in agencies. "The CIO Council has to speak in generalities and say, ‘Here's the direction we want to move in, this is the approach we want to take,’" McCarthy said. "But the more specific you get, the more you risk closing off certain people who have certain legacy systems."
The primary focus of the report is on providing a structure for deciding what mix of government-provided and user-provided devices to use and what the security consequences of these choices will be.
The report recommends starting with an assessments of an agency’s digital assets, including defining those assets and developing metrics to help determine how to administer them. The report calls for IT staff to ask a number of questions:
- Who has access to what data?
- What identity levels are needed?
- What actions can users take on the data?
- Where and when do users have access?
- What types of devices can have access?
- In what physical locations can the devices be used?
- Are specific locations unsuitable for accessing agency data?
- Are there availability metrics that define the quality of access?
- Where can the data exist from its native source and how is integrity and confidentially assured?
- Should the change log be retained?
- Does the data have to be encrypted at rest (if allowed) or in transit?
- Why is the presentation format of the data (e.g., raw, PDF) viewable only through a UI application presentation layer?"
The answers to these questions will point to what kind of implementation is indicated — one that relies on government-furnished equipment or user-owned devices — and how much control of the devices should be exercised by the agency or department.
The report spells out in detail the benefits and challenges of each type of implementation. For example, a fully managed solution of government-furnished devices can standardize its hardware and software, resulting in easier identity and mobile device management, reduced support costs and virtual private network security. The drawbacks of such a solution would include the costs of providing the devices, the complexity of managing all the devices and the potential risks of using federal identities. And extending an agency’s VPN to mobile users would open up risks of its own.