With local, state and federal agencies assigning mobile devices to their workforce in the field, mobile device security has become a major concern for these agencies. Managing iPhones, iPads, and Android devices is a task in itself, let alone identifying proper security measures. Dedicated guidance on security controls for these devices is not really published in sources such as the National Institute of Standards and Technology Special Publication (NIST SP) series or the Department of Defense (DoD) 8500 series. NIST has its own documentation on mobile devices that covers PDAs and cell phones; however, this documentation is somewhat out of date for the level of technology built into today's smartphones. DoD does have Security Technical Implementation Guide (STIG) documentation for the Android and Apple operating systems (OS), which provides a checklist of features to go through and identify for security configuration, but this should not be considered a Certification and Accreditation (C&A) of the actual OS or device. In addition, DoD only identifies the Dell Streak as a valid Android device to be used on the DoD network, since its hardware has been certified.
This has become an issue for both manufacturers who want to sell their devices to these agencies and users who want to use the devices for increased productivity and convenience. A lot of this comes down to potentially malicious software and users. One-click root solutions are available for Android devices that give you root-level access to the Android OS on your phone. Apple's iOS phones can likewise be jailbroken using various third-party exploits. This raises the question:
So if we really want these devices on our networks, how do we control them, and how can we properly certify and accredit them?
DoD-approved software partner Good Technology has created a product that will help control access to all Android OS devices (regardless of version and hardware specification) as well as Apple iOS. MaaS360 is another solution that seems to offer mobile management as well. Solving the device management issue is one thing, but certifying and accrediting these devices would require cooperation from the manufacturer and a list of defined controls, which no one seems to have at the moment.
This is an effort Aerstone would be happy to work on with NIST directly.
Next up in the Government Mobility series:
iOS and Android device showdown: which one should the government choose?