What Agency CIOs Really Think of Mobile Security
Updated FISMA requirements could help agencies better keep up with cyberthreats.
Steve Charles is executive vice president at immixGroup.
Some government technology leaders think restructuring Federal Information Security Management Act requirements is necessary to keep up with growing security threats to government information systems.
That opinion was expressed during the recent Executive Leadership Forum: “Securing Government’s Mission on the Go,” presented by immixGroup. The forum also provided an overview of what these leaders consider important in an enterprise mobile strategy.
Held Sept. 9, the Executive Leadership Forum featured panelists Andre Mendes, director of global operations for the Broadcasting Board of Governors; Dr. Barry West, CIO of the Pension Benefit Guaranty Corporation; and Mark Goodge, chief technology officer of the Defense Health Agency.
An audience member asked about the growing gap between the compliance-checklist nature of the new guidance and the rapidly morphing security threats agencies face. In response, West called for “some restructuring of FISMA.”
Controls keep growing, he said. “It takes up an enormous amount of labor, which is good for contractors but bad for taxpayers,” he added. He noted that compliance requires “too much time checking boxes.”
He added, “We have to ask whether that’s keeping up with the threat.”
BBG’s Mendes agreed government should re-examine burdensome technical requirements, using his own organization as an example. BBG runs all U.S. civilian broadcasting abroad, including such well-known organizations as Voice of America. The service reaches 100 countries in 63 languages.
According to Mendes, because BBG is FISMA compliant, “on paper, we’re not bad.” He stressed, however, that “gigabytes of data are being exfiltrated by the enemy.”
Speed of technology creates a tremendous challenge in ensuring security, Mendes said, adding, “there may not be a legislative cure.”
DHA’s Goodge was more direct in his assessment.
“We may have a self-licking ice cream cone” when it comes to delivery of services under requirements like those mandated in FISMA back in 2002, he said.
Mobile Strategy: Think Security First
Asked to provide their advice to peers on the requirements for an enterprise mobility strategy, each panelist offered a unique perspective.
Mendes stressed that security is foremost for his organization’s mobile strategy. He noted that security is an important issue in controlling wireless access when moving from computer to meeting room to remote locations.
Security problems pose a serious challenge for BBG, Mendes said. His organization conducted a study with Freedom House of the 13 most repressive countries. The finding was that the “entire tech stack” – including towers, central offices, phones, apps and configurations – was often controlled by a repressive regime.
Those governments, Mendes said, often aggregate big data results from personal-use patterns to persecute people.
Data analytics on patterns of use and connections has enabled some regimes to predict dissident meetings, leading to the capture of dissidents meeting even outside their own country.
“We need to make sure that consuming our content isn’t a death sentence,” Mendes said.
What’s available to mitigate this?
Mendes stressed the need for encryption between devices. The organization draws on its Open Tech Fund for development of device-to-device encryption and uses other anti-censorship encryption devices as well.
“It’s essential for our stringers,” he said.
BBG’s mobile security strategy is to place functionality off-premises, and ensure contractors are properly certified and spending budget appropriately.
“Our job isn’t to run a large security environment,” Mendes noted, adding that the organization’s five-year plan includes only networking and end user equipment.
BBG also relies on content distribution networks, Mendes said, explaining that the agency’s vendor, Akamai, handles security concerns and mobility adaptation to ensure compliance with new devices.
Understand Tech Requirements and Capabilities
Because the enterprise environment is volatile, PBGC’s West stressed the importance of periodic intrusion testing to look at new tools and the viruses they combat. An organization “can’t rest on the laurels of a good FISMA rating,” he said.
West said enterprise mobility strategy feeds off the IT strategic plan, which also addresses the convergence of that technology with cloud, big data, collaboration and overall security. He said tech executives have to ask how their organization is pursuing user requirements so users “don’t go under the radar and do their own thing” to address their needs.
This requires risk analysis and planning with business units, not just IT. Technologists need to “engage every step of the way” to understand tech requirements, he said. Additional information on tech requirements can be obtained through requests for information and industry days, and by leveraging the knowledge base of engaged industry associations.
DHA’s Goodge noted that each year the Military Health System, from which DHA was developed, creates a strategic plan for IT architecture and alignment. This plan essentially offers “a lexicon for information sharing” and includes data and repeatable security requirements “both inside and outside the fence.”
Especially in areas such as security architecture, Goodge recommended looking through past implementations to “fit for purpose, fit for need.” It may be the case that 90 percent of the solution already exists in some way within the organization, and 10 percent may require vendor development. This approach allows the organization to close gaps in the portfolio while maintaining meaningful private partnerships through smaller, more agile engagements.
DHA is now in Revision 2 of its current IT policy, Goodge said, and mobility is an important aspect of that. The organization is starting to move from a modified mainframe approach to supporting the enterprise, but smart devices are still seen as more of an option.
Enterprise mobility for DHA is more than just phones, Goodge explained. The organization uses many medical devices that include telemetry and monitoring to interpret data over public network connections.
The "Internet of Things" is causing DHA to take a very close look at providing any data from any devices safely and securely, he added.