Does the Government’s Mobility Program Go Far Enough to Protect Security and Privacy?

Julie M. Anderson is managing director of Civitas Group and an expert with SafeGov.org, an online IT forum promoting secure cloud computing security.

From checking email to editing presentations on the fly, more federal employees are using mobile devices as part of their job. But technology policymakers at federal agencies, by and large, are still playing catch-up.

Agencies are looking to buy technologies that can manage and secure the large and increasing number of employee-owned devices. In an attempt to curb duplicative efforts, the General Services Administration unveiled its Managed Mobility Program last May.

But it hasn’t proven to be the last word on either protecting government-owned or private employee data. Among the lingering questions remaining to be answered: How can the government secure itself against the proliferation of devices and apps? And how will federal employees’ personal information stored on such platforms be protected?

What is GSA’s Managed Mobility Program?

Created as part of the Obama administration’s 2012 Digital Government Strategy, the GSA mobility program was established to provide agencies with a governmentwide platform for managing employees’ mobile devices, using vendors selected by GSA technical experts with prices negotiated to be less expensive. The program currently includes seven approved providers.

Yet, there are still key questions and considerations agencies should take when considering GSA’s option or striking out on their own for mobile device management.

For one thing, GSA’s Managed Mobility Program functions differently from some of the other well-known technology programs at the federal level.

Unlike FedRAMP – the federal government’s security and authorization program for commercially-provided cloud services – GSA’s Managed Mobility Program relies on a static set of requirements that vendors must fulfill with written applications. In addition, the program does not have the same robust auditing mechanisms as FedRAMP, which include third-party evaluations that occur on a periodic basis to ensure vendors are complying with security requirements.

With Proliferation of Devices, Are Agencies Losing Control?

This setup does not necessarily reflect a mobile market that is evolving much faster than almost all other technologies.

Mobile providers and app developers are producing and introducing new devices, software patches and applications on a weekly or even daily basis.

With users bringing their own devices – known as BYOD devices -- to work, static requirements do not adequately address a constantly changing technology environment. Mobile devices are also growing in computing power, as well as becoming more integrated into the daily work life of federal employees. Without stronger mandates, how can agencies ensure that the government-owned data and information that these devices access and utilize isn’t breached or compromised?

These issues are exacerbated by the importance of supporting multiple devices and operating systems.

In a BYOD world where users can access third-party applications from any location, agencies can lose control over the technologies – and the threats and vulnerabilities associated with them – that enter the agency’s IT environment. Despite the emergence of safeguard technologies, such as secure containers and “sandboxing,” there is still a lot of gray area and uncertainty in terms of what agencies can actually do to prevent users from inadvertently or maliciously exposing their organization to cyber threats.

For instance, it’s still unclear whether federal organizations are legally allowed to scan their users’ BYOD devices to ensure compliance with cybersecurity requirements or if this is a violation of privacy.

Moreover, it’s even less likely that federal IT managers have the time or the budget to do so anyway.

What About Federal Employee Privacy?

Federal employees should ask important questions as well.

For example, will their privacy be protected in these new mobility management programs?  The GSA Managed Mobility Program requirements discuss privacy only to a limited extent, dedicating just a paragraph of text to the matter, which predominately discusses government requirements issued by the National Institute of Standards and Technology on “personally identifiable information,” known by the acronym PII.

While these requirements do specifically say that vendors providing mobile device management must not operate on an advertising model, it doesn’t go into further detail about other portions of the mobile supply chain.

The federal government can and should make some changes to address these issues by taking the following three steps:

1. Create a “bill of rights for federal employees,” covering how and if their personal data can be used by agencies and contractors. While this may primarily apply to mobile device initiatives at first, this can also act as the framework for how agencies treat future technologies as well.
2. Establish rules for how agencies and contractors are allowed to leverage metadata. For instance, companies should still be allowed to collect such data anonymously and in an aggregated way in order to collect information on system bugs and fixes. However, in order to prevent abuse of this information for profitable purposes, such cyber metadata should either be public or, at the very least, shared among similar organizations to further continuous cybersecurity monitoring and automated information-sharing initiatives currently in process.
3. Create a model for auditing and authorization for mobility, similar to FedRAMP. Regular auditing processes for mobile providers can enforce these rules and ensure that mobility contractors do not take advantage of their status as service providers. Such a model is already being advocated, spurred on by recent revelations that proved even common apps and platforms like Gmail and Android are not immune to weaknesses and are currently not fully vetted.

While GSA’s Managed Mobility is a step forward in allowing agencies to more easily oversee mobile devices and procure mobile-device management services, agencies must still be cautious about selecting device management providers that can be compatible across multiple devices, while also keeping in mind the unanswered questions regarding security and privacy.

Greater mobility will undoubtedly improve the productivity and effectiveness of federal users, but it also introduces risk.

Agencies should be aware of these risks and be comprehensive when selecting options for securing these tools.

(Image via Stuart Miles/Shutterstock.com)