CIO Council identifies mobile security concerns

Encryption gaps and rising costs may compromise security as federal agencies continue to adopt mobile technology, says the Federal Chief Information Officers Council.

In a report (.pdf) dated Dec. 11, the CIO Council says that agencies are moving ahead with the implementation of mobile device strategies despite increased risks, and it outlines areas of concern that agencies should review.

A key worry, says the report, is technical limitations of devices and services that hinder security and access policies. For example, it says agencies must work harder to ensure they use mobile devices that adequately support the personal identity verification system of two-factor authentication, a problem already known but not sufficiently addressed.

Mobile device management solutions and application stores also have security gaps in user authentication, as well as data encryption and device sanitation. The National Institute of Standards and Technology is working on guidelines for testing and vetting third-party applications, which the council says will alleviate some concerns.

The report says a lack of validated encryption modules to secure data on mobile devices already limits the ability to protect sensitive information on these products. Agencies also expressed concern about the time it takes to get security methods validated, says the report.

"The lack of consistent configuration guidance for mobile devices and their rapid refresh cycle make it difficult to develop operating system hardening configurations for mobile devices," it says.

The report notes that the lack of a governmentwide contract vehicle for devices and data plans can make cost a barrier. However, the report says, some agencies are far enough into the planning stages for mobile technologies that they will not delay their deployment in anticipation of a new acquisition vehicle.

Another cost concern arises after policy implementation: an immature support infrastructure may drive up the cost of supporting an increasing number of devices and products. The infrastructure also will have to handle security protocols on and through the network regardless of hardware changes among new and old devices.

For more:
- download the report, "Government Use of Mobile Technology: Barriers, Opportunities, and Gap Analysis" (.pdf)
