Recently, the Office of Management and Budget (OMB) sent government agencies a 104-page instruction manual for securing government-owned commercial smartphones and tablets. Prior to this point, there was no consistency across agencies when it came to mobile device security, resulting in disparate software and policies across the board – which oftentimes was not adequate to protect against today’s threat landscape.
As part of the digital government strategy the White House laid out about a year ago, calling on agencies to “adopt a coordinated approach to ensure privacy and security in a digital age,” these guidelines are a first step in creating a cohesive mobile security strategy for the U.S. Government. The guidelines were developed by the Departments of Homeland Security and Defense, along with the National Institute of Standards and Technology, and are recognized as a baseline starting point. After the initial guidelines are in place, the focus will likely turn towards the continuous monitoring of controls, cryptography, securing the data instead of just the device and ensuring data is only shared with authorized users.
While these guidelines will help agencies start moving in the right direction to create a consistent approach to mobile security, the government still has some work to do to ensure the right protocols are put into place.
Currently, the guidelines focus on safeguarding the device as opposed to the data, which in our experience is not as imperative. At a time when BYOD is the new normal, the idea that you can manage all devices is merely a pipedream. With the proliferation of smart phones and tablets on the market today, it’s a certainty that government employees are using their personal devices to access government networks and data. By focusing on securing the data, agencies can be confident their mission-critical data and applications are protected regardless of the platform from which they are being accessed.
These guidelines are a great start, and we applaud OMB for taking the lead to establish mobile device security guidelines. While we think there is more that can be done, we look forward to working with the federal government to create a unified strategy to protect against malicious threats.