FMG Offers Mobile Security Advice for National Cybersecurity Awareness Month

Introduction

It's National Cybersecurity Awareness Month, meaning there's no better time for agency CIOs and CISOs to reexamine the cybersecurity and cyber hygiene of their agency's mobile devices. As this year's NCSAM theme states: "Do Your Part. #BeCyberSmart!"

Agency-managed mobile devices may be at higher exposure to threats and therefore need periodic scrutiny to ensure your agency's mission security is safeguarded. These exposures come in many forms. Mobile devices are small in sizeBecause and special features such as mobile apps, location services, and numerous wireless network interfaces introduce risk.

Recommendations

The Federal Mobility Group (FMG), a Community of Practice chartered by the Federal Chief Information Officer (CIO) Council, launched several initiatives to educate agency mobility stakeholders on how to connect and protect mobile devices in unsecured environments. Among FMG initiatives are the following:

• Evaluated and enhanced Federal Information Security Management Act (FISMA) mobility data reporting elements to capture endpoint-related data to assess federal government-furnished equipment threat postures. Get more information here.
• Aggregated and published secure telework guidance such as device management best practices culled from resources developed by the experts at the National Security Agency, National Institute of Standards and Technology (NIST) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
• Evaluated Operating System, Mobile Device Management, and Mobile Threat Defense ecosystems to identify the robustness of device configuration and management and threat protection.
• Educated and advised federal agencies on successful D-PIV implementation techniques for identity and credential management.

Additionally, FMG recommends agencies follow NIST guidance to secure mobile devices. NIST Special Publication 800-124 Revision 2 describes threats to the mobile enterprise, explains mobile security technologies, offers threat mitigations, and recommends lifecycle management practices.

NIST's special publication also recommends agencies implement the following guidelines to improve the security of their managed mobile devices:

• Conduct a threat analysis of mobile devices and any backend information systems accessed by mobile devices.
• Employ Enterprise Mobility Management, Mobile Threat Defense, and other applicable enterprise mobile security technologies.
• Leverage the Enterprise Mobile Device Deployment Lifecycle, where applicable.
• Implement and pilot test a potential mobile device management solution before putting that solution into operation agency-wide.
• Fully secure all organization-issued mobile devices before allowing users to access the organization's backend systems or information.
• Keep mobile operating systems and apps updated.
• Regularly maintain mobile device security.

FMG continues to identify common challenges and share solutions and best practices for mobile device cybersecurity as well as other relevant mobile areas such as implementation of 5G technology. We'll share more recommendations with you over the coming year. For more information about FMG and its activities, email us at: wireless@gsa.gov.