Working Group Breaks Down the Keys to Securing Mobile Devices

oatawa/istockphoto.com

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Patience Wait By Patience Wait,
Contributor, Nextgov

By Patience Wait

|

The Federal Mobility Group’s new guidance includes four strategic pillars that form the foundations of mobile security.

Even before the pandemic, the government was working hard to integrate mobile devices into its networks. The sudden need to send employees home to work—often on their own devices—stepped up that effort to bolster security.

The Federal CIO Council, through its Federal Mobility Group, or FMG, has now released its Mobile Security Capability Ecosystem Overview through the Advanced Technology Academic Research Center and hosted a webinar Oct. 21 about its findings and suggested actions.

“The FMG has been an absolutely phenomenal forum” for working through mobile security strategies, said Kevin Gallo, director of technical account management in the General Services Administration’s Office of Enterprise Technology Solutions. “Never has the FMG been more important … [when] vast numbers of federal employees are working remotely.”

“Mobile devices don’t exist in a vacuum,” said the Department of the Interior’s Office of the CIO Security Architect David Harris. He has been studying this issue for a long time as the leader of the FISMA Mobility Metrics Working Group. 

Harris says that one of the most important things that federal agencies needed to do in order to create a working mobile device security plan was to collect detailed metrics on everything from devices to use cases. That was the only way to capture which areas needed the most attention.

“Metrics really help to drive those best practices,” he said.

What the FISMA group came up with was four strategic pillars that together can form the foundation of mobile security within government. The four pillars include:

  • Unified endpoint management, or UEM,
  • Mobile threat defense, or MTD,
  • Native mobile OS security features, and
  • Mobile app vetting, or MAV.

Everything begins with the UEM component. “UEM—unified endpoint management—is a new term, the legacy term was mobile device management,” Harris explained. “You enforce standard configurations and policies. If not, you can subject yourself to all kinds of threats and vulnerabilities. It’s very important for departments and agencies to put out policies now for standardizing.”

UEM serves the role of control and compliance for mobile devices, Harris said. It can report when devices aren’t in compliance or, just as important, when they go out of compliance. It also can remotely wipe the contents of a lost or stolen device. 

Mobile threat defense is the second pillar. It helps provide near-real-time monitoring of a device’s state, and shares that information with the UEM and the Security Information and Event Management, or SIEM system, with all of them working in partnership to protect the security of the mobile device, Harris said.

“We introduced in fiscal year 2021 a metric requiring agencies to report the percentage of devices covered by MTD,” he said. “We look at the security state and release new metrics.” One of the biggest endpoint threats, phishing, is mitigated by MTD capabilities, he added.

The third pillar focuses on the security features embedded in a mobile device’s own Android or iOS operating system. The government welcomes the baked-in security, Harris said. “They continually add new features in the OS lifecycle. As a best practice, we want agencies and departments to keep up with their OS updates.

“In 2020, we introduced a metric asking if they’ve got a way to [block a device] if the updates aren’t current. We want them to have the ability to deny access through their UEM or MDM if the updates aren’t current,” he said.

MAV is the final pillar that makes up the new foundation of mobile security in government. Harris suggested starting with SP 800-163 Rev. 1, “Vetting the Security of Mobile Applications,” issued by the National Institute of Standards and Technology. Making sure the applications that are running on government devices comply with security will be key in keeping networks safe for the future.

“We’re studying this right now for future metrics,” Harris said.

The pandemic may have rapidly accelerated the move to mobile devices within government, but the formation of the four security pillars and the new foundation of mobile security means that agencies can now experience all the benefits of mobile computing without so many of the associated risks.

NEXT STORY: House Passes Bill to Protect Telecom Networks from Foreign Threats

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.