Federal Tiger Team Crafted Mobile Security Guidelines
Agencies earn tribute for defying odds, collaborating on baseline to enable secure adoption of mobile technologies.
Ever since government agencies began allowing their employees to use commercial mobile devices for official duties, they have been challenged by the need to establish sound security policies for using the devices. That challenge increases by several orders of magnitude when attempting to craft a mobile security policy that might work across the federal government.
That's why the success of a group of specialists known as the Mobile Technology Tiger Team, who developed a common, government-wide policy for mobile security, appears to have defied the odds -- and earned special tribute at the 2013 (ISC)2 U.S. Government Information Security Leadership Awards (GISLA) ceremony Oct. 29. The International Information Systems Security Certification Consortium (ISC)2 is a nonprofit organization which trains and certifies information security professionals.
The Mobile Technology Tiger Team (MTTT) -- composed of 46 members from numerous government agencies -- set out to develop a common criterion for mobile computing programs in response to the Digital Government Strategy, issued by federal CIO Steven VanRoekel and the Office of Management and Budget in May 2012.
Under the leadership of David Carroll, chief security architect at the Department of Homeland Security; Kevin Cox, assistant director of information security at the Department of Justice (DOJ); Chi Hickey, security program manager at the General Services Administration (GSA); and Raj Pillai, identity management systems architect at GSA, the team also included experts from the National Institute of Standards and Technology (NIST), the Defense Department, DOJ and GSA.
Part of the challenge was developing a policy that could also keep up with continuing changes and expanding complexity of smartphone, tablet and other mobile technology. Government CIOs also needed a way to quickly update, implement and enforce effective use policies.
"I have always heard others use the term 'herding cats', but now I can say I have experienced it," said Roger Seeholzer, CISSP, security architect at DHS headquarters, regarding the initial efforts to develop a security baseline. "This effort was the first time in my government career that I witnessed so many agencies coming together that resulted in a solution amicable to all."
This diverse group of chief mobility engineers, chief information security officers, chief security architects, chief scientists, network engineers and information assurance specialists, plus specialists from the Defense Information Systems Agency, was allotted six months to develop a security baseline approach that would ultimately save other federal agencies significant costs. The team also had to satisfy the larger, ongoing efforts by departments and agencies "to enable safe, secure delivery of digital information and services to the American people anytime, anywhere and on any device" -- a central tenet of the Digital Government Strategy.
"We had to review over 500 controls in six months and come up with an agreement on an accepted set of controls," said Seeholzer. "Solutions had to be considered for agencies of all sizes. Needless to say, this took a lot of negotiating."
Aside from managing the dynamics of such a diverse group and an aggressive timeline, several other factors worked against the MTTT.
First, while other agencies had previously implemented mobile technologies, they had varied results. The MTTT had to develop a common set of requirements for implementing security technology with repeatable results. While NIST had published Special Publication (SP) 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise, the guidance was not easy to apply in a uniform way, given the diversity of agency mobile security challenges.
Federal CIOs also needed a common set of approaches to mobile device management (MDM), mobile application management (MAM), identity and access management (IAM), and common data standards. Without them, their ability to accelerate the secure adoption of mobile technologies would be limited. But there was little available to help MTTT assemble a common set of practices.
Just when the team started making progress, the government's foundation for guiding agencies on security controls (NIST's SP 800-53) was revised, requiring the team to pause and reconcile its progress. With NIST's help, the team created a baseline of security controls considered to be a minimum set that could meet personally identifiable information (PII) requirements. The resulting Federal Mobile Security Baseline, released in May 2013, would enable any department or agency to assess its risk and build what it needed to meet its mobile mission.
The new baseline, along with the Mobile Computing Decision Framework and the Mobile Security Reference Architecture documents, currently housed on the CIO.GOV website, allowed agencies and mobile solution providers to begin building solutions that map to a common set of standards.
Federal CIO Steven VanRoekel recognized the importance of the MTTT's efforts in a blog post. He wrote: "Because mobile devices and wireless networks have unique security challenges, we published the first government-wide mobile and wireless security baseline, to help agencies identify appropriate security solutions and share them across the federal government."
While it may be too early to say how agencies are actually using the guidance overlay, the MTTT provided a starting point from which controls can be enhanced at different levels. "The accomplishments of the MTTT demonstrate an exceptional ability to lead, collaborate and negotiate for the greater good of government," said Marc H. Noble, 2013 GISLA judge and director of government affairs for (ISC)2. "This team's commitment to excellence will enable agencies and departments to stay one step ahead in this complex mobile security environment."