Balancing Security and Capability Remains Challenge for Mobile Adoption
The Mobile Work Exchange held its fall 2013 town hall meeting on September 12, 2013. The conference explored strategies for deploying a more mobile workforce, offering insight from over 20 speakers from both government and industry leadership.
In his opening address, the Bureau of Alcohol, Tobacco, Firearms, and Explosives’ Rick Holgate noted shifts in technology adoption over the last five to ten years. Holgate, the Assistant Director for Science & Technology and Chief Information Officer, cited findings from two surveys saying, “One thing I think we would all agree on is that the federal workforce is extremely optimistic about the productivity that mobility represents and the potential productivity gains.” Indeed, the impact of mobility spans various areas like productivity, transportation, and real estate. Potential savings estimates range from $12 to $14 billion per year in efficiencies. These untapped efficiencies fall mainly into two areas: increasing workforce productivity and consolidating real estate.
Along with increased mobile capabilities over the past 5 to 10 years, the work environment has evolved. These advances in mobility have introduced new challenges, particularly related to security and privacy. Referencing the Mobile Security Framework, Holgate applauded “agencies that have somewhat different security perspectives and baselines and ways of thinking about security” collaborating to establish a government-wide baseline for mobile security. Traditionally, guidance documents from the National Institute of Standards and Technology (NIST) have identified security controls but left it up to individual agencies to determine how to apply them. This baseline guidance allows agencies to make progress with mobile adoption efforts, particularly around shared mobile device management solutions.
The theme of security challenges continued throughout the day. In his luncheon keynote, the Air Force’s Major Linus Barloon described various issues he’s encountered related to information security. Challenges persist around identifying ways to improve prevention of security incidents, containing spills, and re-establishing a secure state afterward. Technology has evolved to the point where previous approaches, like wiping machines and reintroducing them to the computing environment, are no longer considered as effective.
Based on his experience, Barloon suggested that getting devices into the hands of users is only a quarter of the problem around mobility. Noting the numerous contract vehicles and acquisition mechanisms, Barloon observed, “It’s very easy to get that device into your users’ hands.” Once that’s achieved, however, questions arise about governance, extending to legal, ethical, and acceptable uses for devices. With the shift to mobile environments, issues emerge around translating and applying risk management frameworks to mobile devices, determining how to apply risk principles to these devices, and also defining how these devices will factor into continuous monitoring. It’s a balancing act, as Barloon described it. On the one hand, agencies aim to limit risk. On the other, they’re looking to increase operational capability.
In his closing, Holgate suggested the development of the next generation for the Digital Government Strategy is likely to assess agencies in terms of maturity of mobile adoption. This next step would also look to determine how to bring lagging organizations up to speed. Another area for development, Holgate noted, is in establishing metrics for program impact, especially in areas like workforce productivity and quality of citizen services.
The next Mobile Work Exchange session is scheduled for April 10, 2014. More information is available through the event site.
NIST Guidance Tackles Mobile Authentication
The Commerce Department’s National Institute of Standards and Technology (NIST) recently updated its guidance to government agencies for electronic authentication (e-authentication) for federal IT systems and services providers.
NIST’s Electronic Authentication Guidance (Special Publication 800-63-2) covers remote authentication of users (e.g. employees, contractors, and private individuals) leveraging open networks to interact with government information systems. As a supplement to the Office of Management and Budget’s (OMB) guidance, E-Authentication Guidance for Federal Agencies, the NIST work builds on levels of assurance that are defined by the consequences of authentication errors and credential misuse. The OMB guidance from 2003 provides federal agencies with criteria for determining the level of assurance needed for applications and transactions. These four levels of assurance address identity proofing, registration, tokens, management processes, authentication protocols and related issues.
The guidance from OMB also provides a five-step process for agencies to fulfill their e-authentication requirements. The guidelines from NIST target the third step in this process, which involves selecting “technology based on e-authentication technical guidance.” Outlining specific technical requirements for each of the assurance levels, the NIST document addresses:
· Registration and identity proofing;
· Token (e.g. cryptographic key, password) for authentication;
· Token and credential management mechanisms;
· Protocols to support authentication mechanisms;
· Assertion mechanisms used in communicating remote authentication.
The lowest level achieved in any of the technical areas listed above determines the overall authentication assurance level. Agencies may use additional risk management measures to adjust the level of assurance. In particular, privacy requirements and legal concerns may contribute to a context in which an agency may deem additional authentication measures appropriate.
Previously, NIST released updated guidance that reflected newer authentication token technologies and restructured the e-authentication architectural model for increased clarity. Among other changes, that revision also added technical requirements for credential service providers, protocols used in transporting authentication data, and assertions related to implementation within the e-authentication model.
The most recent edition provides a more limited update with most of the changes focused on processes for registration and issuance of professional credentials. Two general categories of threats for the registration process are impersonation and compromise of the infrastructure. Since infrastructure threats are addressed by normal security controls, the NIST guidance emphasizes mitigating the threat of impersonation. Two approaches are presented for deterring impersonation: either make it more difficult to accomplish or increase the likelihood of detection. The technical guidance provides several strategies for making impersonation more difficult and describes general requirements for each of the four assurance levels.
Despite budget limitations, agencies continue to look for ways to make information more accessible and empower an increasingly mobile workforce. System risk assessments and the technical requirements associated with specific assurance levels will shape the solutions they implement as part of their mobile strategies. While assurance requirements will vary across the government, this technical guidance provides a structure for describing agency security requirements and gives vendors a framework for articulating how their solutions will fulfill those needs.
Telework Progress Report to Congress: Technology as an Enabler and Barrier
A recent Office of Personnel Management (OPM) report to Congress on the findings of a survey of agency telework programs shows that 21% of federal employees now telework under The Telework Enhancement Act of 2010. However, we are still in the early stages of telework and there will be challenges ahead. The study had some interesting findings on IT as an enabler of and barrier to telework. We predict that the bulk of future telework challenges will come, not as much from hardware or software, but from “wetware”—the wet stuff between the ears!
The 2012 Status of Telework in the Federal Government reports findings of a baseline survey for evaluation of Federal telework programs. This year’s survey is a benchmark from which to measure the progress of federal telework under The Telework Enhancement Act going forward.
After years of telework hype and then disillusionment, it took the mandate of a law to finally make telework happen, and progress has been slow but steady. It has now been a year and a half since The Telework Enhancement Act of 2010 was signed into law and about a year since agencies were required to notify eligible employees that they could telework (up to 20% every two weeks) and begin to enable them to do so. In the next two years, look for telework momentum to pick up steam as even more federal employees begin to telework.
Besides the law, technology-related forces have converged to create a growth spurt for this market in 2012, including the consumer ubiquity of smart mobile devices that enable working remotely, unified communications architectures, and cloud communications services that keep employees productive, well-connected and collaborating with their colleagues.
The report points out that the concept of telework is going through a paradigm shift, from benefiting primarily individual employees to being a strategic organizational change program for agencies. In this environment of “Do-More-With-Less and do it more efficiently,” telework becomes even more strategic because it does offer efficiency gains. It can improve employee performance and job satisfaction, as well as help attract or keep good talent. At the same time, it also reduces agency costs (in telecommunications services, real estate, and energy), supports agency continuity of operations, and mitigates potential disruptions to workplace productivity, for example, from severe weather.
The OPM report was a census of those teleworking as of September 2011. Although this period of reporting was just a few months after the deadline for meeting Act requirements, a quarter of all employees deemed eligible to participate were reported as teleworking. The numbers are thought to be low because some agencies were not yet set up to capture and report the statistics.
The Data Call Survey of Agencies
This year, the Call, which is the name of the longitudinal benchmark survey of agencies, included questions about technology to enable telework. Survey responses indicated that while agencies see technology as a major enabler, they likewise recognize that when technology is inadequately addressed in a telework program, it can be a significant barrier.
The survey found that the majority of agencies provide equipment (such as computers) to telework participants, or share the cost of equipment with participants (46 agencies). However, 61% of agencies ask teleworkers to pay the entire cost of technology services, such as Internet connectivity, that support telework. A smaller percentage of agencies share the cost and only 8% of agencies pay for the services. The austere budget environment will hamper telework in agencies that require that employees use only agency-issued equipment.
Because telework is part of agency continuity of operations plans, it is important to test the IT capacity for supporting telework, and most agencies do test this. But only 8% of agencies conduct tests on a regular basis. Most agencies believe that their IT systems have adequate capacity for handling increased usage during telework emergencies, despite the fact that most are not testing regularly. Vendors advising agencies on telework policies and technical capabilities should counsel them to test regularly and at known peaks to ensure that their clients aren’t being lulled into a false sense of security, should something bigger than Snowmageddon or a derecho hit.
We anticipate that as telework takes off, other IT-related challenges or potential barriers may surface, including technology disparities, security and privacy, and unanticipated infrastructure requirements (such as storage shortages). However, in the end, our prognosis is that human factors, such as difficulty adjusting to new management and work styles and tools, and cultural resistance to change, will have the biggest drag effect on telework.
To BYOD, or not to BYOD, That is the Question
At the Telework Exchange Town Hall Meeting last week, it was apparent that a paradigm shift is underway in most federal agencies about the value and inevitability of mobility as a standard enterprise means of delivering capabilities to users. The cloud will figure prominently in enabling mobility. Most agencies are moving more quickly to embrace both telework and, more broadly, mobility, than other emerging technologies in the past. Perhaps the biggest question still remains the practicality of the “bring your own device” (BYOD) approach.
Driven by high consumer adoption of smartphones to manage our lives and the desire to avoid device proliferation, federal agencies seem to be moving toward BYOD, at least in initial pilots. Many have taken the agency perspective when evaluating BYOD policies, citing concerns about the security of agency networks when a multitude of disparate personal devices are allowed to access government networks. Another major concern is privacy, both the privacy of the personal data on a federal employee’s own devices and the privacy of citizen data that might find its way onto a federal employee’s device, since agencies have a high level of accountability to protect personally identifiable information (PII).
However, at the Town Hall, Casey Coleman, the CIO of GSA, which currently has a BYOD pilot going on with a couple of dozen people, noted that it might actually be federal employees that reject BYOD policies. This despite employees’ current active use of their own devices on their agencies’ networks in the absence of a formal policy (NextGov reports that 60% of respondents to a recent survey said there are no restrictions on what types of personal mobile devices can access their agencies' networks). Coleman pointed out that policies such as who takes responsibility for support of devices, consent of the employee for their own devices to be agency managed and monitored, and a policy to wipe their devices clean of data if lost, may actually inhibit employees from opting to use their own devices. Who would want their personal contacts and family pictures automatically deleted, without even an attempt to recover the device, if lost? Security experts say that loss of smartphones is actually one of the biggest security challenges. Partitioning personal data from government data on personal devices and wiping only the government portion might help some in that regard. The more likely scenario, Coleman believes, is that agencies will only take advantage of safer “opportunistic instances” to allow employees to use their own devices, such as allowing them only to view a document on the network, but not to download it to their own personal device.
Allowing access to email and web-based applications is feasible, but panelists made it clear that connecting personal devices to internal secure networks is clearly the greatest challenge and risk. FCW reported that at GSA’s Federal Systems Integration and Management Center, before a personal device can be connected to GSA’s network, the agency requests that the employee sign several agreements, including one allowing remote wiping of the device. Only about 10% of the employees have opted to sign the agreement for network access for their devices, due to the remote wiping policy.
Peter Tseronis, the CTO of the Department of Energy, said that his agency is allowing BYOD with role-based segmentation; in other words, it is being allowed only for certain roles or functions. He also noted the need for agencies’ general counsels to be involved up front in the discussion on BYOD policies. However, the most likely role type—executives—are likely the very ones who are the targets of security threats from foreign agents or hackers.
One of the most forward-looking panelists at the Town Hall meeting, Dr. Sasi Pillay, the CTO at NASA, assumes that BYOD will be the way agencies will eventually have to go, given the demands of users and the speed of technology advancement. However, by that time security advances will most likely need to have been made as well. Former White House cybersecurity adviser Richard Clarke recently said of the growing BYOD trend, “this is the newest and largest vulnerability now.”
The White House is working on a government-wide mobility policy, the Federal Digital Strategy (formerly the “Federal Mobility Strategy”), which should provide policies for cost-effective, standards-based adoption of mobility that relies on common principles of security, manageability, and device and application deployment for all agencies. It will be very interesting to see whether they issue government-wide policies related to BYOD or leave it to the discretion of agencies.