Implementing BYOD is not easy, but here are ways to start
It’s already apparent that implementing BYOD won’t be simple for agencies, and in many ways the technology part will be the easiest. Policy and cultural changes will be needed, as will broad-based educational programs. First solutions for these are being devised.
As early as it is in the government’s consideration of bring-your-own-device policies, one thing that’s already evident is that implementing BYOD won’t be a simple process for agencies. In some respects, the technical part will be the easiest.
The Obama administration outlined the problems agencies face in its recently published BYOD Toolkit:
“Implementation of a BYOD program presents agencies with a myriad of security, policy, technical, and legal challenges not only to internal communications, but also to relationships and trust with business and government partners. The magnitude of the issues is a function of both the sensitivity of the underlying data and the amount of processing and data storage allowed on the personal device based on the technical approach adopted.”
It would also be a mistake for agencies to go into this believing that BYOD has to apply to everything that employees do, said Donald Kachman, director of mobile and security assurance at the Department of Veterans Affairs. BYOD might turn out to provide a system more comfortable to users for their specific jobs, and that could require policy and cultural changes.
Additionally, he said, employees will have to be educated across the government about what BYOD requires.
“The fact is that many individuals do not even set a simple password on their personal mobile devices, even though they have many apps that contain a large portion of their lives,” he said. “Connecting to unknown networks, downloading apps that may be malicious, etc., are all things that must get all federal employees’ attention.”
GovLoop, in a report following its survey of government “digital innovators,” came out with five steps it believes agencies can take to smooth the path to BYOD:
1) Meet with key stakeholders to develop a pilot plan. At the onset of developing a BYOD policy, agency leaders should sit down with key stakeholders within the agency to discuss what a BYOD initiative looks like. Staff members from all functional areas should be present to provide input and feedback. This will also help develop buy-in and create a unified vision for the agency’s BYOD program.
2) Meet with the legal team. BYOD is new in government, and there is a lack of legal precedent. So be sure to meet with legal advisers to mitigate legal risks.
3) Craft an internal policy for BYOD. After you have met with key stakeholders and the agency’s legal team, begin to craft the BYOD policy. Be sure to incorporate feedback from the legal team and agency leaders.
4) Announce the program to employees. As with any program, announcing and selling it to employees is critical. If it is a pilot program, be careful how you select employees and develop a team.
5) Iterate, review outcomes and improve the BYOD strategy. Once the program has been initiated, be sure to set up periodic checkpoints with end users and administrators so they can provide feedback on the program.
There is no single fount of BYOD best practices, but there are some sources with suggestions about what to use when forming BYOD policies. GovLoop’s report has many, and the National Institute of Standards and Technology’s current revision of SP 800-124 gives general guidance on how to accommodate BYOD in the context of an overall approach to mobile devices.
The BYOD Toolkit also provides five examples of BYOD policies that agencies could use in forming their own:
— Policy and Guidelines for Government-Provided Mobile Device Usage
— BYOD Policy and Rules of Behavior
— Mobile Information Technology Device Policy
— Wireless Communication Reimbursement Program
— Portable Wireless Network Access Device Policy