Insight by Zimperium

Beyond Mobile Management: Moving from Compliance Spare to Security Strike

This content is sponsored by Zimperium.

Federal agencies know compliance. From FISMA to CDM and NIST to OMB, they need to comply with various regulatory compliance mandates. In the wake of Executive Order 14028, they now need to add zero trust architecture maturity to their roster of compliance requirements. The problem? Compliance is not security; it’s a set of minimum baselines for basic cyber hygiene. In security, compliance is like getting a spare in bowling....

READ MORE

This content is sponsored by Zimperium.

Federal agencies know compliance. From FISMA to CDM and NIST to OMB, they need to comply with various regulatory compliance mandates. In the wake of Executive Order 14028, they now need to add zero trust architecture maturity to their roster of compliance requirements. The problem? Compliance is not security; it’s a set of minimum baselines for basic cyber hygiene. In security, compliance is like getting a spare in bowling. It’s close but still not a complete knockdown strike. To achieve a “perfect game,” federal agencies need solutions that move them from mobile device management to mobile device security. 

Increasing Pressure on Federal Agencies to Secure Mobile Devices

As agencies accelerated their cloud and remote work strategies, securing mobile Government Furnished Equipment (GFE) and Bring Your Own Device (BYOD) devices became mission-critical. Federal workforce members want to connect to their job resources from their mobile devices, like smartphones and tablets. At the same time, threat actors continue to target mobile devices and apps. Zimperium’s 2022 Global Mobile Threat Report found that 42% of respondents said mobile devices and web applications led to a security incident. 

Protecting federal networks is more important than ever. To ensure agencies enhance their security to meet evolving threats, new compliance mandates have been passed down. Further, regulatory bodies are recognizing the important workforce-enabling role that mobile devices play. 

Looking at the last year alone, new mandates for Federal agencies highlight this shift:

  • CISA Zero Trust Maturity Mandate (ZTMM): specifies mobile phones under the “Device” pillar”
  • OMB M-22-01: specifies mobile phone monitoring under its description of Endpoint Detection and Response (EDR) capabilities
  • OMB M-21-31: specifies collecting Mobile (Smart-phones and Tablets) EMM(UEM) /MTD Server Logs
  • OMB M-22-09: requires “device attestation” for compliance with the “Device Pillar” 

Finally, the recent Department of Homeland Security Appropriations Act 2002 appropriations bill also highlights the importance of mobile device security. The Congressional Appropriations Committee allocated $32,334,000 funding for enterprise mobility management investments across the Federal Civilian Executive Branch (FCEB agencies to address the mobile device landscape. 

The importance of the appropriations bill cannot be understated. Congress recognizes that agencies need technologies to secure mobile devices, and it’s willing to pay to help achieve those goals. 

Getting a Management “Spare”

Many agencies use a combination of Mobile Device Management (MDM), Mobile Application Management (MAM), Enterprise Mobility Management (EMM), or Unified Endpoint Management (UEM) tools for device security. 

Each of these tools solves various problems. For example:

  • MDM enables agencies to provision devices and set basic configurations. 
  • MAM focuses on managing and controlling specific business applications by creating an enterprise app store or updating apps remotely. 
  • EMM combines MDM and MAM for using a secure container to protect business data
  • UEM offers a single location for all endpoints, not just mobile devices, with policy compliance, app customization, data security, document security, and network directory services. 

All of these tools give agencies a way to set and enforce basic mobile device configurations, yet they all fail to address risks associated with:

  • Advanced threats
  • Mobile phishing attacks
  • Device health, particularly in real-time
  • Cloud application security 
  • Malicious applications downloaded from untrusted sources 

Mobile Threat Detection (MTD): Augmenting Tools for the Security “Perfect Game”

MTD is often referred to as “Mobile EDR.” According to Gartner, MTD:

 plays as important – if not a more important role – by providing active protection and better visibility around devices and applications where it either cannot exist because UEM does not apply or can’t be applied, or is not in place because UEM alone simply won’t provide that richness.

To meet the intent of regulatory requirements as aligned to the Congressional allocation language, agencies need MTD for complete mobile security enabling zero trust architecture initiatives.

Agencies can augment their current endpoint security and management tools using MTD’s unique mobile-focused capabilities, such as:

  • On-device, machine learning-based detection against the latest mobile threats, including zero-day malware
  • Send users alerts when detecting abnormal activities on devices
  • Block activities, like preventing a phishing link from loading
  • On-device remediation and UEM driven compliance actions
  • Ability to protect from threat actors disconnecting or redirecting traffic when connected to a cellular tower 

Zimperium Mobile Threat Defense for Federal Mobile Security Initiatives

While mobile device management may meet the letter of compliance, mobile security is the underlying spirit of those requirements. 

MTD is critical to securing mobile devices, providing the visibility into threat and risk postures that impact overall user and device attestation necessary for successfully implementing zero trust strategies and securing federal mobile workforces. Zimperium augments an agency’s IDM, EMM/MDM, and CASB, integrating critical data collection and advanced mobile endpoint security.

Zimperium is a trusted solution across the Federal landscape. Zimperium was the first mobile threat defense (MTD) provider to be granted an Authority to Operate (ATO) status from the Federal Risk and Authorization Management Program (FedRAMP). Further, the U.S. Department of Defense (DoD), through its Defense Information Systems Agency (DISA) and Defense Innovation Unit (DIU), selected Zimperium to deliver comprehensive Mobile Endpoint Protection (MEP) to service members around the world. Zimperium’s MTD solutions will protect DoD mobile endpoints against phishing, malicious/risky apps, OS exploits, and network attacks.

Zimperium’s advanced mobile threat defense solutions provide mobile endpoint security to enterprises and governments around the world. Built with advanced threat security in mind, Zimperium zIPS meets the mobile security needs of enterprises and governments around the world.

For more information on contract vehicles and how to leverage your cybersecurity funding or fiscal year-end spending, please click here: https://get.zimperium.com/leverage-fy22-cyber-funding/.