Why Some Agencies Want a One-Size-Fits-All Policy for Mobile Devices


There are no uniform BYOD security requirements for tapping into the cloud.

Various national security agencies would like the White House to provide guidance on how to handle mobile devices in the workplace. Employees are clamoring to use their personal smartphones and managers fear falling behind the technological curve.

Currently, there is no governmentwide policy on mobile device security.

Each agency has its own rules for bring-your-own-device programs, with varying levels of oversight. For work-issued smartphones and tablets, there is a hodgepodge of guidelines.

Gregory Youst, the chief technology officer and chief mobility engineer at the Defense Information Systems Agency, said the White House's Federal Chief Information Officers Council should develop one federal-level security policy so smartphones and tablets can be assessed and deployed more quickly.

"What is the actual government policy on BYOD?" Youst asked the National Institute for Standards and Technology's Information Security and Privacy Advisory Board on Oct. 22.

The board members couldn’t answer.

"If we have uniformity, then we can leverage across the board and be able to do a consolidated government enterprise vetting process" for mobile devices, he said.

Among the many risks of letting employees work on their own phones without proper controls is that they might inadvertently save data to unapproved storage spaces, such as iCloud or Dropbox.

The Defense Department has created its own policies and procedures for locking down mobile devices that connect to unclassified and classified networks. For example, just last week, Samsung's Galaxy S5 was approved for classified use under the National Security Agency's National Information Assurance Partnership program and placed on NSA's approved products list.

Defense has mandated that all military smartphones and tablets meet the NIAP criteria.

"We have moved all our mobility requirements to NIAP," Youst said. "We’re using the same requirements for unclassified."

The Pentagon is almost finished with the latest NIAP policy – a mobile app security-requirements guide, he said.

In the civilian space, there are various broad cyber policies that pertain to mobile, including NIST security and privacy controls, annual rules for complying with the 2002 Federal Information Security Management Act and a Homeland Security Presidential Directive – known as HSPD-12 – requiring smartcards for accessing federal networks.

But Youst pressed for a mobile-specific federal memo distinct from NIST guidelines and HSPD-12.

The most recent BYOD guidance is a two-year-old CIO Council toolkit that does not address cloud access.

On Monday, White House officials said they could not provide further information at this time on upcoming policy.

Officials pointed to the general cyber rules, 2012 BYOD guidance and NIST recommendations as what agencies should be using to ensure device purchases and security are up to par.
