Insight by Zimperium

Who says mobile devices need protecting? FISMA, NIST and the DoD for starters.

This content is provided by Zimperium.

For years, the conversation surrounding mobile security has struggled to mature at the same rate as traditional security. However, to quote Bob Dylan, “The times they are a-changin’.”

The reality is that mobile threats are real and increasing exponentially. Not only is mobile often the most vulnerable endpoint when it comes to corporate security, it is also the Achilles heel when it comes to Zero Trust efforts. And the most vulnerable endpoint is under attack.

As the global leader in mobile security, Zimperium protects thousands of enterprises and government agencies worldwide. It is no surprise that 100 percent of our customers have detected mobile threats including compromised and jailbroken devices, mobile phishing campaigns, malicious/risky apps, and network attacks.

Fortunately, the United States federal government acknowledges the risk mobile devices pose and has taken action:

FISMA FY 2021 CIO Metrics

The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have a joint role in overseeing the information security programs of the Federal enterprise. OMB issues an annual Federal Information Security Modernization Act (FISMA) guidance document covering agency cybersecurity reporting requirements. This guidance provides metrics on assessing agencies’ progress toward achieving outcomes that strengthen Federal cybersecurity.

In particular, the FISMA metrics assess agency progress by:

  1. Ensuring that agencies implement the Administration’s priorities and best practices; and
  2. Providing the OMB with the performance data to monitor agencies’ progress toward implementing the Administration’s priorities.

Within the “Identify” section – for the first time – FISMA asks:

  • “What percent of your mobile devices (GFE and BYOD) are covered by a mobile threat defense (MTD) solution? (NIST SP 800-124 Rev. 2)”

Critical in answering this question is understanding the difference between mobile threat defense (MTD) and mobile device management (MDM) solutions. An MDM is a management tool. It allows compliant devices to access corporate email, apps via the corporate app store, and data, and it secures data-in-transit between the mobile device and the corporate network. MTD solutions detect and prevent mobile device, network, phishing, and malicious app attacks.

NIST Mobile Device Security: Bring Your Own Device

“The NCCoE collaborated with industry stakeholders – including Zimperium – to provide a guide that businesses can use to integrate and configure the example mobile solution within their organization’s enterprise and to help achieve enhanced security and privacy throughout their enterprise,” said Gema Howell, NIST Computer Scientist.

This practice guide is for organizations that want to allow employees to use personal mobile devices to conduct their work while protecting organizational assets and end-user privacy.

“With this project, the NCCoE focused on applying robust standards, industry best practices, and commercially available products to address real-world challenges businesses face when deploying mobility programs,” Howell said. “The Mobile Device Security: Bring Your Own Device (BYOD) guide provides an example of how businesses can protect organizational assets and end-user privacy.”

Zimperium views BYOD as the direction most organizations are heading, not just in response to the dramatic shift to distributed and remote work, but also for the cost savings. This NIST guide gives decision-makers what they need to ensure that BYOD can be executed more securely. MTD specifically enables device integrity, which is critical to the popular notion of Zero Trust.

U.S. DoD: A Watershed Moment for Mobile Endpoint Security

The DoD announcement is not only an important milestone for Zimperium but also a watershed moment for the MTD and traditional endpoint security (EPP/EDR) markets overall. For many of its users, the DoD believes mobile devices will be the primary endpoints for productivity and communication in the future.

“DOD must protect mobile devices from attacks such as phishing, malicious risky apps, operating system exploitation and network attacks. Previous methods aimed at addressing this gap in security had been minimally successful.” – Rick Simon, cyber portfolio program manager at DIU.

And the DoD position is consistent with industry data supporting the adoption of advanced mobile endpoint security to protect the increasing number of endpoints accessing corporate and agency data. In Gartner’s 2021 Market Guide for Mobile Threat Defense, the analyst firm emphasized the importance of MTD solutions within the modern security infrastructure, supporting both Zero Trust and XDR architecture.

“Emerging use cases envisage MTD as a component of zero-trust network access (ZTNA) architecture and of an extended detection and response (XDR) system for detection and response, which can serve as a pilot for unified endpoint security. This is in addition to the use of MTD for mobile phishing protection.” – Gartner

As data access matures and evolves, so must the security architecture surrounding trust and security. Zimperium provides the best-in-class, FedRAMP authorized mobile threat defense platform, equipping agencies to secure the forgotten endpoints connected to their networks.

For those wanting to comply with the latest Federal governance related to mobile security, please contact us for a demo today.


About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebooks threats. Powered by z9, Zimperium provides protection against device, network, phishing and malicious app attacks. For more information, visit