Working Group Breaks Down the Keys to Securing Mobile Devices

Even before the pandemic, the government was working hard to integrate mobile devices into its networks. The sudden need to send employees home to work—often on their own devices—stepped up that effort to bolster security.

The Federal CIO Council, through its Federal Mobility Group, or FMG, has now released its Mobile Security Capability Ecosystem Overview through the Advanced Technology Academic Research Center and hosted a webinar Oct. 21 about its findings and suggested actions.

“The FMG has been an absolutely phenomenal forum” for working through mobile security strategies, said Kevin Gallo, director of technical account management in the General Services Administration’s Office of Enterprise Technology Solutions. “Never has the FMG been more important … [when] vast numbers of federal employees are working remotely.”

“Mobile devices don’t exist in a vacuum,” said the Department of the Interior’s Office of the CIO Security Architect David Harris. He has been studying this issue for a long time as the leader of the FISMA Mobility Metrics Working Group. 

Harris says that one of the most important things that federal agencies needed to do in order to create a working mobile device security plan was to collect detailed metrics on everything from devices to use cases. That was the only way to capture which areas needed the most attention.

“Metrics really help to drive those best practices,” he said.

What the FISMA group came up with was four strategic pillars that together can form the foundation of mobile security within government. The four pillars include:

• Unified endpoint management, or UEM,
• Mobile threat defense, or MTD,
• Native mobile OS security features, and
• Mobile app vetting, or MAV.

Everything begins with the UEM component. “UEM—unified endpoint management—is a new term, the legacy term was mobile device management,” Harris explained. “You enforce standard configurations and policies. If not, you can subject yourself to all kinds of threats and vulnerabilities. It’s very important for departments and agencies to put out policies now for standardizing.”

UEM serves the role of control and compliance for mobile devices, Harris said. It can report when devices aren’t in compliance or, just as important, when they go out of compliance. It also can remotely wipe the contents of a lost or stolen device. 

Mobile threat defense is the second pillar. It helps provide near-real-time monitoring of a device’s state, and shares that information with the UEM and the Security Information and Event Management, or SIEM system, with all of them working in partnership to protect the security of the mobile device, Harris said.

“We introduced in fiscal year 2021 a metric requiring agencies to report the percentage of devices covered by MTD,” he said. “We look at the security state and release new metrics.” One of the biggest endpoint threats, phishing, is mitigated by MTD capabilities, he added.

The third pillar focuses on the security features embedded in a mobile device’s own Android or iOS operating system. The government welcomes the baked-in security, Harris said. “They continually add new features in the OS lifecycle. As a best practice, we want agencies and departments to keep up with their OS updates.

“In 2020, we introduced a metric asking if they’ve got a way to [block a device] if the updates aren’t current. We want them to have the ability to deny access through their UEM or MDM if the updates aren’t current,” he said.

MAV is the final pillar that makes up the new foundation of mobile security in government. Harris suggested starting with SP 800-163 Rev. 1, “Vetting the Security of Mobile Applications,” issued by the National Institute of Standards and Technology. Making sure the applications that are running on government devices comply with security will be key in keeping networks safe for the future.

“We’re studying this right now for future metrics,” Harris said.

The pandemic may have rapidly accelerated the move to mobile devices within government, but the formation of the four security pillars and the new foundation of mobile security means that agencies can now experience all the benefits of mobile computing without so many of the associated risks.