DHS to publish mobile security playbook in May

Tools

A checklist of mobile device security standards to guide agencies on when to allow or restrict data and who that data can be shared with will be published this May, said panelists at a recent ACT-IAC event.

The security standards will govern devices and data, and are aimed at common ways agencies and employees use mobile devices, Margie Graves, deputy chief information officer at the Homeland Security Department said in a panel discussion last Thursday.

Graves said the standards will provide recommendations for securing the devices for each common use in multiple types of environments. "It depends on the implementation as to how an agency should set their security posture."

For example, she said law enforcement and the intelligence communities should adjust mobile security to restrict many outside services in order to protect data, while the Federal Emergency Management Agency needs to focus on mobile devices and apps that allow for the best communication of information to the public in times of disaster.

Graves said the standards are being developed jointly with the National Institute of Standards and Technology and the Defense and Justice departments. The security standards playbook from DHS will be based on NIST standards (.pdf), last revised on Feb. 5.

The current timetable, according to Graves, is to release some initial guidance in March, followed by final NIST controls and recommendations in April and a finalized and published DHS playbook in May.

The standards can be used to help agencies develop bring-your-own-device programs, but paenlists said there will be no mandate for a BYOD policy.

Brad Nix, the CIO of the Food Nutrition Service at the Agriculture Department, said USDA and others welcome the guidance because BYOD is one mobile security area they struggle to secure.

"It's a very difficult challenge for us to meet and find solutions for," he said. Once the agency started to draft a BYOD policy and seek internal approval "the discomfort with the actual capability became very apparent."

For more:
see the event page for the ACT-IAC Executive Management Series on Mobility

Related Articles:
CBP seizes $900,000 worth of tablet computers with falsified safety markings
DISA expands mobile plans
Interest on mobile device exploitation ramps up in intelligence community