Agencies soon will have a minimum set of cyber standards for securing their iPhones, Androids and BlackBerry devices.
The Chief Information Officers Council and the Homeland Security Department are receiving comments on the draft version of mobile cyber standards called for under the Digital Government Strategy.
The document is split into two parts: a security architecture and a security baseline.
“Essentially, what’s being published is a narrative of how the baseline will work, a framework by which an agency can walk through understanding what their mission requirements are, working to balance out the economics against capabilities against security, and trying to find that sweet spot, and then moving into the many risk areas — what we are calling tailored risk, operations, finance, security, etc.,” said Kevin Cox, the program manager for the information security tools tiger team of the CIO Council, at TechAmerica’s 23rd Annual CIO Survey Conference in Washington, D.C. Thursday. “From that framework, once the agency has worked through that, they will have a good sense of what their architecture will look like. Then, they can go to the reference architecture and build out what the ultimate mobility will look like for their agency.”
Cox said the working group is overlaying the mobile cyber standards with the National Institute of Standards and Technology’s Special Publication 800-53 Revision 4 on security and privacy controls, which was released earlier this week, so agencies can focus on the specific security standards for mobile computing.
For instance, NIST added a section on mobility in the operational environment considerations. The section also includes specific access controls for mobile devices and promotes the idea of tailoring the codes for specific environments — fixed versus mobile.
Cox said the CIO Council has been working on the secure baseline and architecture for several months.
“Two key events we’ve held, one in December and one in March, held up at NIST was a technical exchange meeting to really brief out what we were finding, brief out the direction and, again, receive agency feedback and input on this. We’ve also had input from industry as much as we can,” Cox said. “One key thing that we have looked to do is to align as much as possible with the existing security standards that they already need to meet. That’s why it was key that we aligned everything with 800-53 Revision 4 so it wasn’t a new set of requirements coming down, but simply a scaled down overlay of what you need to focus on specifically for mobility.”
The CIO Council, NIST, and the departments of Defense and Homeland Security will review agency comments over the next few weeks with a goal of releasing a final version by May 23 — the one-year anniversary of the Digital Government Strategy, Cox said.
While the CIO Council finalizes the security standards, agencies are moving forward with mobile computing. Many have pilots or full production approaches to mobile devices and apps.
But several CIOs said the security baseline and architecture will provide a number of long-term benefits. Simon Szykman, the Commerce Department CIO, said while he hasn’t seen the latest draft document, the obvious advantage is how standards improve security across the board.
“There are other advantages as well. There are some organizations that don’t have the level of depth and skill sets and maturity in the mobility area to really do it well themselves, so it also saves them the effort of having to struggle to develop that kind of a baseline for their own use,” he said. “The other benefit is it helps create some type of standardization so there is some type of standards that provide at least some minimum waterline everyone has to reach.”
Szykman said the baseline and architecture also will help vendors because they will know where to start when developing mobile apps and software.
He compared the security baseline and architecture to the Federal Desktop Core Configuration standards developed in 2008. The FDCC, now called the U.S. Government Configuration Baseline, helped usher in a more secure and simpler desktop operating system environment.
DoD’s Brian Teeple, principal director to the deputy CIO, said products that meet the security baseline also could be vetted once by the government and used by everyone, which would cut down the time and costs.
DoD also will award a contract for mobile device management software in the very near future.
Priorities remain the same
Security remains one of the top priorities for agency CIOs.
TechAmerica’s survey found CIOs listed addressing budget reductions, ensuring a properly trained workforce and cybersecurity as their top three priorities.
George DelPrete, a principal with Grant Thornton, oversaw the survey development, and said a big challenge for CIOs is how best to secure mobile devices.
“There are a lot fewer controls on mobile devices than there are within a network, and it’s creating great opportunities for cyber terrorists,” he said. “CIOs are still working to try to navigate through that.”
DelPrete added CIOs also see the potential of mobility-as-a-service, and said they need help around data sharing and retention policies.
He said there is growing acceptance of a bring-your-own-device (BYOD) policy. Almost 48 percent of the CIOs said they have such a policy, but federal IT managers also said they needed a better approach to overseeing how mobile apps are developed and used within the agency.
DelPrete added CIOs see great promise in pairing identity management with mobile devices as a way to improve security.
Darren Ash, the CIO of the Nuclear Regulatory Commission, said his agency recently implemented a BYOD policy. He said about 10 percent of the workforce is voluntarily taking part in the BYOD initiative.
Ash added NRC also is piloting mobile devices for nuclear reactor construction inspectors.
“What we want to focus on, what we have to focus on really, is around the concept of working from anywhere,” Ash said. “But really, fundamentally, it is the information. So when we think about application modernization, app design, everything about how our employees work and interact, we have to design around the information layer. We know as we modernize, if we have to re-modernize, if we have to redo something in a couple of years, I’d rather have dealt with the information first and foremost, and we can deal with the presentation layer later.”
Ash added NRC hasn’t gone down the path to develop mobile apps yet, instead focusing on capabilities and tools for their inspectors, such as recording data and sending it back to the server.
But Ash said NRC will begin the app development process in the coming months with an eye toward what types of apps will help employees do their job better.
DoD’s Teeple also said application rationalization is a major priority for the military. He said DoD is virtualizing apps and reducing the number they are using before they move software to the cloud.
There were several other interesting highlights from the survey.
One is that CIOs said OMB’s 25-point IT plan is past its prime. They said while things such as moving commodity IT to the cloud and data center consolidation will live on, and the plan did what it was supposed to do, it is no longer the driving strategy.
CIOs also said OMB’s memo on CIO authorities from last fall hasn’t had a major impact.
“CIOs are working through challenging times and they need to do things differently, need better control over IT spending, and the acquisition process needs to be better for IT,” DelPrete said, summing up the conclusions from the survey.