“As domestic and international travel picks up, GFE mobile devices … will facilitate government employee work productivity during foreign travel, including remote connections to office enterprise networks and databases,” FMG wrote in an Oct. 19 blog post.
“However, the FMG report stresses that government employees traveling to a foreign country or embassy within the U.S. should be aware that because of their portability and always-on state mobile devices are susceptible to compromise, theft, physical damage, and loss,” the post continues.
The document is open for public comment through the end of December.
The FMG is chartered through the Chief Information Officers Council. It’s co-chaired by mobile leaders from the Cybersecurity and Infrastructure Security Agency (CISA), the General Services Administration (GSA), and the National Institute of Standards and Technology (NIST).
The group also sponsors a Federal Information Security Modernization Act (FISMA) Mobility Metrics Working Group (FMMWG) focused on updating FISMA mobility metrics starting this year.
In September, the working group and the Advanced Technology Academic Research Center (ATARC) jointly published “An Overview of the Mobile Security Ecosystem.” Targeted toward cyber and IT decision makers, the paper identifies ways agencies can secure their mobile devices.
“The recent COVID-19 pandemic event has increased the attack surface associated with mobility as the government has transitioned to a highly mobile and dispersed workforce,” the paper states.
Kevin Gallo, director of Technical Account Management within GSA’s Office of Enterprise Technology Solutions, said the FMG is currently “crunching some government wide data to get a better handle on helping agencies acquire secure mobile solutions.”
He said agencies purchase many mobility solutions, including security tools and products, through GSA”s multiple-award schedules, as well as its Enterprise Infrastructure Solutions vehicle. Gallo said GSA “is in the process” of expanding wireless solutions available through EIS.
“We can gain insight into inventory spend, contracts leveraged, and then by using this data, the FMG is able to identify best practices which in turn influence governmentwide buying behavior,” Gallo said during an event hosted by ATARC this week. “So this data is one of the keys to understanding the threat landscape and evaluating each agency’s level of threat preparedness.”
Agency reporting requirements for mobile devices have increased in recent years, even before President Joe Biden’s cybersecurity executive order in May. Last year, for instance, agencies had to start reporting on the percentage of their mobile devices that are covered by a Mobile Threat Defense capability.
Meanwhile, the White House Office of Management and Budget issued new logging requirements in August, including logs specific to mobile environments.
David Harris, security architect at the Department of Interior, is leading FMG’s mobile security working group as it looks at updating FISMA reporting requirements. He said it’s important for agencies to understand “mobile devices do not exist in a vacuum” as agencies consider their mobile security strategies and potential future requirements.
“We have networks in play, operating systems, mobile applications, and we have the supporting cloud services,” Harris said. “We try to think, what are the best metrics that can really capture areas that really need attention from an OMB and CISA perspective.”
Vincent Sritapan, section chief in CISA’s Cyber Quality Services Management Office, said FMG is looking for as much feedback as possible from industry as it further refines guidance like the new international travel document.
“Very much that’s an area where we look to engage with industry,” he said. “You want to tell us about the latest and greatest that’s going on.”