How to Make Mobility Work for Government


As organizations experience the tension between intended security and de facto mobility, workers are growing frustrated, and government agencies are falling behind.

As defense and civilian federal agencies ensure the safety and welfare of the American people, they must meet mission requirements with the most relevant, cost-efficient, secure solutions possible—while balancing legacy technologies and an ever-changing digital landscape.

The portable and mobile devices now ubiquitous in everyday life have become a significant part of this digital landscape. Booz Allen Hamilton commissioned Market Connections to poll 200 workers across agencies. Among those surveyed, 86 percent said a mobile device is critical to performing their job. Respondents also cited several benefits of workplace mobility: cost savings, employee retention, and improved morale and efficiency/productivity, along with reduced absenteeism, tardiness, and burnout.

So why have government agencies been slow to adopt strategies for workforce mobility? Security is a big reason. In a 2017 survey by cybersecurity company Lookout, 60.5 percent of government agencies had experienced a security incident involving a mobile device. Some mobile device users have taken security into their own hands, drilling out cameras or filling USB ports with crazy glue in attempts to make them compliant for use in a sensitive compartmented information facility, or SCIF. This devalues a new device and defeats the goals of both security and cost savings.

Understandably, agencies have been proceeding with caution into mobility enablement. Our survey reported that nearly six out of 10 defense organizations have stringent security controls that inhibit mobility in the workplace. Fewer than half (44 percent) of defense organizations provide full device functionality, regardless of where an employee is working, compared to more than two-thirds (69 percent) of civilian organizations.


What’s standing in the way of a more mobile government workforce?

For many government agencies, mobile technologies in the marketplace—often rolled out quickly with default security settings—don’t go far enough to protect their systems or accommodate their wide-ranging mission requirements.

Administrators aren’t able to adjust location-based security or modify device settings and policies from a central administration point. Device security doesn’t automatically adjust to a specific environment, and it can be difficult to enforce mobile security policies for each space. Furthermore, existing security solutions may not penetrate deeply enough to extend full protection to device hardware, leaving systems vulnerable during the boot period.

Our survey respondents cited the following capabilities as key for secure mobility:

  • The ability to lock down capabilities via hardware disablement at the firmware level and quickly adjust device settings (73 percent).
  • Automated, centralized control of mobile device behavior for protecting, monitoring and securing assets (70 percent).
  • The ability to constantly adjust a device based on the user and work (66 percent).
  • The ability to dynamically modify a device, based on location, to enforce different policies (66 percent).

Adapting Security Postures to Organizational Needs  

While complete threat elimination is impossible in today’s ever-changing cyber and digital worlds, it is possible for agencies to gain the flexibility, adaptability, and cost savings of a mobile workplace with reduced risk. One way is through a centrally administered, automatically enforced, context-aware solution that provides situation-based control over devices and data access.

Via a web application, administrators can enable or disable a camera, microphone or USB port based on the device’s location or connection status to a specified network. Agencies can set and enforce time-based policies for individual users, groups, or the full enterprise based on mission requirements. And dynamic device configuration can establish security settings that are as stringent or permissive as necessary—for example, automatically limiting capabilities or data access or rendering devices inoperable as employees move across locations and situations.

With such a solution, security gaps are closed and endpoints protected through:

  • Security below the operating system.
  • Hypervisor-based architecture, which isolates the user’s operating system from firmware and hardware.
  • Location awareness of enterprise IT assets.
  • Powerful enforcement of data-at-rest encryption.
  • Secure, pre-boot, full-disk wipes for long-term data protection.

Agencies don’t have to sacrifice security as they modernize legacy systems and entrust mobile devices with agency data. They can use a secure, flexible mobility platform to equip employees with SCIF-compliant devices that can work as a classified, unclassified, or personal device depending on the situation. They can adaptively reduce their attack surface and protect against the loss of intellectual property and sensitive data. And they can achieve a truly mobile and secure federal workforce with all of the benefits of cross-domain, multi-use mobility—increased productivity, cost savings, and improved employee morale.

Andy Linn is a vice president at Booz Allen Hamilton.