Agencies are anxiously awaiting governmentwide standards for securing smartphones and tablet computers.
Come May, they will have a checklist of security standards to use, organized by the sensitivity of the data employees share or access on mobile devices and by whom the data is shared with, whether another federal agency or citizens.
Federal officials working on the project refer to the guidelines as a playbook or list of security standards that agencies should consider when using mobile devices. The playbook will include five common ways that most agencies use mobile devices and provide recommendations for securing devices in those environments, said Margie Graves, deputy chief information officer at the Department of Homeland Security.
Graves, who spoke at a mobile security event Thursday, is working with the National Institute of Standards and Technology, the Defense Department and the Justice Department to develop the playbook.
The security standards are based on revised NIST standards released Tuesday for final comment. Ron Ross, a senior computer scientist and information security researcher at NIST, said the final document is expected in April.
While many of the existing NIST standards can be applied to mobile devices, some may not be applicable, Ross said. For example, one NIST security standard recommends agencies disable or restrict unnecessary functions or services that their information systems may provide. For mobile devices, that may mean restricting what applications employees can download or disabling mobile capabilities that aren’t needed for work and could be a security risk.
DHS’ Graves described the playbook as an itemized checklist of security standards categorized by use case. However, she wouldn’t provide details on the use cases. DHS CIO Richard Spires has said these standards will help agencies in developing bring-your-own-device programs, where employees are able to use their personal devices for work.
How agencies implement or tailor security standards to meet their needs will vary, Graves said. For instance, the intelligence community, law enforcement agencies and DoD may use similar use cases for mobile, while DHS’ Federal Emergency Management Agency would need to use mobile devices to communicate with the public during a natural disaster.
Some guidance will be released in March on how agencies can best secure mobile devices used for communicating with other agencies. The entire playbook, however, will not be released until May.