Putting advanced mobile security on CDM DEFEND
- By Bob Stevens
- Apr 03, 2019
The government is entering the era of post-perimeter security -- an entirely cloud-based, no-perimeter IT infrastructure, which is forcing agencies to move key security functions to the endpoint and establish a zero-trust access model. Meanwhile, the move to mobile has exploded the number of endpoints, exposing government networks to mobile threats. According to a report Lookout published last year, 60.5 percent of federal agencies reported security incidents involving mobile devices.
The Department of Homeland Security has integrated mobile protection into the Continuous Diagnostic and Mitigation program. CDM's Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) contract acquisition process and its Request for Services processes are touted as an easy way for agencies to achieve "CDM parity" for agencies' mobile devices, comparable to other CDM-protected endpoints.
However, agencies cannot currently use DEFEND contract dollars to pay for mobile threat protection, because it is considered an emerging technology and therefore ineligible for DEFEND. This classification is leaving agency networks and data vulnerable to mobile threats.
Last month, a letter signed by two senators highlighted the serious nature of this vulnerability regarding government employees' mobile devices.
The letter from Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) to Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency at DHS, explains how the growth of mobile services could be causing a security vulnerability. Federal government employees’ web browsing data could be exposed to third parties, particularly those affiliated with countries of national security concern through the use of apps, VPNs and mobile data proxies. The senators urged Krebs to conduct an immediate threat assessment and, if necessary, issue a directive prohibiting the use of certain mobile services.
To prevent the loss of government data, DHS needs two related capabilities: visibility/notification about the threat and then protection/mitigation when a threat is revealed. Mobile device management (MDM) tools do not deliver this functionality. Advanced mobile threat protection tools, however, can provide these capabilities and prevent the data vulnerabilities cited by the two senators without resorting to an outright ban of popular devices and apps agencies use.
For example, advanced mobile threat tools can automatically detect when an agency device connects to a new Wi-Fi, cellular, VPN or tethered network and immediately run a series of health checks on that new network to ensure that it is behaving properly. If a new network connection is deemed unsafe, these tools alert the employee, IT administrators and the MDM platform within seconds to ensure government data is protected and steps are taken immediately to remediate the threat.
These advanced tools give agencies the opportunity to select, based on their risk tolerance, policies that help ensure devices stay compliant with internal and external mandates. If a device exceeds the acceptable level of risk as defined by the agency, a remediation message is sent to the employee, the issue is flagged to the relevant admin and employee is logged out of any agency resources.
CDM DEFEND needs to include a comprehensive mobile security solution that protects government data against the full spectrum of mobile threats, including:
- App threats and risks
- Device threats and risks
- Network threats and risks
- Web and content threats and risks (e.g., phishing)
These advanced solutions can be seamlessly integrated with existing enterprise mobile management and MDM platforms to create true mobile protection for today's modern government agencies. Most mobile security providers integrate their various offerings with the leading EMM/MDM platforms, including Microsoft Intune, VMWare AirWatch and MobileIron. These mobile threat protection solutions not “emerging” technology, they are “here now” technology. DHS can make these tools available to every agency, allowing them to receive off-setting CDM DEFEND dollars to help pay for them.
CDM DEFEND was designed to make it easier for government agencies to protect themselves from cyber threats. As the mobile threat landscape continues to evolve in a post-perimeter world, smoother acquisition processes and funding for the best possible security must keep pace.
Bob Stevens is vice president of the Americas at Lookout.