BYOD is evolving for a cyber-conscious age

Mobile devices have been a staple of the federal workplace for years, going back to the days when everyone relied on BlackBerries to bang out email when away from the office.

The smartphone world looks quite different today. Although a few diehards still refuse to surrender their BlackBerries, iPhone and Android devices dominate the landscape. And increasingly, employees would rather use their own devices at work rather than carry a personal and a work phone.

The bring-your-own-device practice has gained ground at the federal level, but it brings a mix of issues with which CIOs and other IT leaders must grapple. Experts caution that agencies have serious security matters to consider before throwing open the doors to mobile access to key assets.

Kimberly Hancher, former CIO at the Equal Employment Opportunity Commission, helped craft the White House BYOD policy in 2012. That document outlines a broad set of guidelines that agencies can use to establish the proper parameters for mobile access. Yet four years later, she said, there aren't enough clear policies at federal agencies.

"I don't think most agencies are really undertaking the effort and due diligence to address BYOD policy," she said. "They're just sort of letting people do whatever they can get away with, and very few agencies have actually put formal policies in place."

She points out that there are consequences to that approach. "If the agency doesn't undertake due diligence to create the rules of behavior for bringing a device, then people will simply do it and put agency data at risk by doing so," Hancher said. "It's really important to state the policy [and] put the security measures in place if you're going to allow some BYOD. And if you're not going to allow it, you should make that decision and say [that] until further notice, it's not allowed."

Hancher, now a principal at Deep Water Point consulting firm, said agencies must decide whether a BYOD program makes sense for them and then determine which devices to support and what types of security to use.

The fundamentals

Many agencies have a BYOD environment and don't even know it. According to research by mobile security company Lookout, nearly half of federal employees access work email from a personal device. Furthermore, nearly one-quarter send work-related documents to their personal email accounts, and 17 percent store work documents in their personal cloud storage service.

With teleworking making such activities common, the National Institute of Standards and Technology issued a report in March that outlines some best practices for teleworking and BYOD security. Among the recommendations:

• Use mobile device management software, which allows agencies to containerize particular data and wipe it, when necessary, without affecting the user's personal content.
• Require employees to stick to approved application stores and tell them not to root or jailbreak their devices to avoid threats from nonsecure networks or apps.
• More broadly, NIST concluded that agencies must create clear-cut policies describing what's allowed and what's off-limits when it comes to email, documents and other government data.

The hurdles

The biggest driver of BYOD policy is security, said Tom Suder, president and founder of Mobilegov. Suder, who regularly advises agencies on mobile device strategy, said security and the corresponding legal issues are leading the discussions.

"The biggest issue to this day is legal," he said. "What happens if there is data spillage on a personal device and by policy I have to destroy the device? Who pays for it? Do I get to keep my phone number? What rights do I give up if I agree to a government BYOD policy?"

Such issues must be spelled out in a policy, he added. If they're not, employees might be reluctant to allow critical information to be stored on their devices.

He said containerization solutions such as Samsung Knox and Good Secure EMM Suites can segment the government data from the rest of the phone. Another option is Hypori, a startup that uses virtualized app technology to access sensitive information without actually storing it on the device.

Some agencies are issuing guidelines that set boundaries and tell employees what they are allowed to do with sensitive information and how to access work email on their personal devices. NASA, for example, is managing several projects that will facilitate the use of personal devices for varying levels of network and system access, according to an agency spokesman. Although those projects have not reached the user testing or trial stage, employees are allowed to use personal mobile devices to connect to the agency's email system via Microsoft's Exchange ActiveSync, where a set of security requirements are applied.

"NASA's mobility vision...states that NASA personnel 'will be able to securely and seamlessly access and share any authorized information, anyplace, anytime, using any device,'" Enterprise Applications Service Executive John Sprague wrote in a newsletter published by NASA's Office of the CIO in late 2013. "The aim of NASA's mobility vision is to provide services while protecting sensitive data."

He added that participation in the BYOD program is voluntary, and NASA will not compensate employees for the costs associated with using their personal devices for work. Furthermore, participating employees must use lockout code protection and keep their devices up-to-date with the latest security patches.

Although a key appeal of BYOD for agencies are the savings that come with not buying devices, the endeavor is hardly cost-free.

"It saves money if you replace a company phone, but it's not a cost of zero," Suder said. "You still have the licensing fees from mobile device management, the company doing the containerization and any costs that come from additional security measures."

The challenge for IT leaders is determining whether or not to embrace BYOD and, if so, how to craft a policy. BYOD doesn't make sense for every agency. But the fact that so many employees are creating their own shadow networks means that all levels of government should have some type of policy that explicitly states the expectations.

Hancher, who helps federal agencies craft BYOD policies, has a three-part test that should serve as the foundation for any BYOD initiative:

• Does your agency deal with classified data?
• Do you have sensitive personally identifiable information? This is usually less secure than classified information but can include important details such as Social Security numbers.
• Does your agency, as part of its mission, handle information critical to the infrastructure of the country? This could include data about the energy grid, water sources or other information that terrorist organizations would deem valuable.

A "yes" answer to any one of those questions can complicate the task of crafting a workable approach, Hancher said.

Next steps

Some agencies might determine that BYOD is not appropriate, but that doesn't mean IT leaders should consider the matter closed. Instead, it means the agency should formulate a policy that states why BYOD isn't appropriate and details the expectations for how employees treat government data.

"I would want to be clear with my employees that we do not allow BYOD, we do provision for people in these kinds of jobs, and that's it. Or we do allow BYOD and here are the rules," Hancher said. "It's critical to be clear with employees what you do and don't allow under certain circumstances. I don't think most agencies have done the proper due diligence and made employees aware of what the policy is."

And although the focus of much of the debate has been smartphones, it's worth noting that the discussion extends to tablets and laptops as well. In general, Suder said, agencies that want their employees to have a tablet or other mobile tool, such as the Surface Pro 4, are providing those devices. He cited the departments of Defense and Agriculture as examples.

"On the tablet side, Microsoft is doing well because the Surface Pro 4 is really the next generation of your laptop as you can also use it as tablet," he said. "I see a lot of those, but of course, a lot of folks are still using the iPad for its ideal form factor."

Whatever the device, managers and employees must know what the expectations are, even if BYOD isn't allowed. There is too much critical information at stake to ignore the issue.