Large bureaucracies, whether public or private, have a variety of ways to effectively avoid adopting a popular policy or practice. One way is to make that policy or practice a long-term goal while promising to keep evaluating it periodically.
That's what the Defense Department has done with its BYOD -- bring your own device -- policy.
There's no question that the department has made strides on mobility, enterprise mobile device management, and the use of commercial devices and even General Services Administration contracts. But BYOD?
Here's what Defense CIO Teri Takai said about BYOD in a February 2013 memo on commercial mobile device (CMD) implementation:
"Despite the benefits, existing DOD policies, operational constructs, and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition." The memo said that BYOD is a long-term objective and, "in conjunction with the Digital Government Strategy, DOD will continue to evaluate BYOD options."
Based on public comments from the CIO's office since then, it's fair to say that the DOD's position hasn't changed. In other words, when it comes to BYOD, don't hold your breath. Although the department officially holds out the possibility of a future BYOD policy, I don't see it happening in reality, at least not in the foreseeable future.
Why? The risk of security breaches is simply too great and the consequences too dangerous.
Not a month after the DOD CIO's office issued its implementation plan, the Defense Department's inspector general released a tough report on security holes in the Army's use of commercial mobile devices. Investigators visited West Point and Army Corps of Engineers locations and examined Android, iOS, and other commercial mobile devices in use.
The IG found they weren't covered by mobile device management (MDM) software, and weren't subject to remote wiping. Many devices were in use, yet the Army wasn't even aware of them. Hundreds were purchased by users without authorization in a sort of self-created, unofficial BYOD program.
If the DOD is going slowly in adoption of mobility devices, it's going more slowly still in BYOD. DOD IT planners realize, as everyone should, that mobility doesn't equal BYOD. Mobile devices have special -- and by now, widely understood -- requirements for becoming secure. Two of the most important:
- Mobile device management. The government has been rushing headlong into mobility ever since former federal CIO Vivek Kundra pushed for it back in 2009. Devices, applications, application stores, and associated pilot projects arrived at agencies before CIO shops even thought about comprehensively managing potentially thousands or tens of thousands of devices. Not until early 2013 did the GSA begin to look for government-wide contracts for MDM and mobile application management products. Without MDM in place, it's nearly impossible to have strict configuration control, a security must-have. Now the government has gotten serious about MDM. A GSA site lists vendors with FIPS 140-2 MDM and MAM products.
- Sandboxing of applications. This involves partitioning mobile devices in ways that create virtual machines on them, so that only approved apps can access certain data sources.
It's not as if policies aren't in place to help implement mobility in Defense Department components. The IG report mentions DOD instructions (5010.40) covering internal control programs. There's also a memo that predates Takai's memo, dating back to early 2011. It has comprehensive instructions on protecting commercial mobile devices.
Policy is fragmented
In spite of the best efforts of the DOD CIO's office, I see the policies toward mobile devices varying widely from one defense branch to the next.
DOD doesn't lack for initiatives to unify policy and practice. The Defense Information Systems Agency has been designated to provide unified technology programs across the DOD and has made some headway. For example, DISA continues to strengthen its role in the Joint Information Environment (JIE), providing 1.4 million users secure access to DOD cloud email accounts. It also created an Army-Air Force enterprise license agreement for Microsoft products.
The JIE is presumably the right place to develop and manage mobility capabilities for individual defense branches and even DOD-wide. But to put it charitably, the JIE is very much a work in progress.
DOD managers can also avail themselves of mobility guidance from the National Institute of Standards and Technology and even the Office of Management and Budget. Yet nothing in the accumulated policy and technology guidance makes a strong case for advancing BYOD as a subset of a military mobility framework, much less compels it.
Contractors seeking to work in the DOD market would be wise not to oversell the idea of enabling any and all mobile devices. Despite the promises of technology, BYOD simply won't happen in the DOD, at least not in any meaningful numbers.
I know, I know. BYOD situations have broken out in a few civilian agencies. But they have different and often less dangerous security considerations. And let's not forget about the Snowden effect that's making every agency nervous about trusted people on its network.
More likely, DOD agencies will establish a choose-your-own-device plan. (Dare I coin a new term, "CYOD"?) Employees, uniformed and civilian, will select from a list of approved devices depending on the flavor each person prefers. But the devices will be government-furnished, delivered with the agency's configuration and security controls already in place.