HHS mobility strategy shuns Android


The Health and Human Service Department won't buy Android devices, the agency says in a mobility strategy (.pdf) that otherwise approves of BlackBerry, Windows OS-based and Apple iOS devices.

"Android-based devices have not been approved for government use due to the variances in OSs based on the device manufacturer," says the strategy document. In addition, Android devices are currently not certified under the government encryption standard FIPS 140-2, nor in the process of gaining certification, the strategy adds. 

The strategy was obtained through a Freedom of Information Act request and published Oct. 8 by GovernmentAttic.org, but the document indicates the strategy has been in place since Jan. 20, 2012.

In instances where HHS operating division chief information officers allow employees to use personal mobile devices, employees can use any device they please--so long as the employee pays for the service and the added configurations that ensure security not inherent in the device, says the strategy. The strategy does not explicitly ban the use of Android devices for BYOD, or "bring your own device."

It adds that employee-provided devices "can only be used in conjunction with explicit approval" from the division CIO after determining it complies with baseline security requirements. Division CIOs must also pay for the software needed to ensure a secure connection to HHS networks and a FIPS 140-2 compliant enclave or container.

The strategy outlines eight security control requirements. At a minimum, a centralized management system must identify the device and associated user, and authenticate that the user has permission to access the device and its data. For government-furnished devices that means the Central BlackBerry Enterprise Service, Exchange ActiveSync service or a third party mobile device management solution. Personally-owned devices must use a secure enclave or container in place of an MDM.

All mobile devices must also use an eight-character password which includes capital letters, numbers and special characters to access the device or the secure container, says the strategy. The devices or the contents of the container should be locked after six consecutive, failed password attempts, it adds.

The division CIO is responsible for determining when two-factor authentication is necessary. Two-factor authentication for government-furnished devices should use HHS public key infrastructure certificates, personal identification verification cards, hardware tokens or two-factor soft tokens, says the strategy document.

"Handling, storing or accessing sensitive government information on a personal mobile device is not allowed and the storing and/or transmittal of sensitive data are prohibited," says the plan, although sensitive government information can be stored in a FIPS 140-2 approved container.

All government furnished and employee-provided devices should use a maximum 15-minute inactivity timeout that requires users to log back in using their password. They should also be capable of encrypting communications and encrypting internal and removable storage. No jail-broken devices will be allowed to connect to the HHS network, and all devices must have a clear firmware version, operating system, patch level and vendor, notes the document.

At a minimum, approved mobile devices must be capable of being remotely erased or have a secure enclave that is capable of being remotely erased or otherwise placed in a state where the information on the device is not recoverable, says HHS.

The department acknowledges that there are other security considerations beyond those it lists as minimum security requirements. For example, the HHS CIO must still develop mobile device enforcement and monitoring capabilities, and craft standardized methods for data encryption, key recovery and disposition, says the document.  

Even with all the risks and mitigation techniques outlined in the strategy, HHS says there is still a very strong business case for mobile use at the department. The document outlines business drivers for using the technology, such as data collection, access to clinical materials, real-time document review and paper reduction.

The strategy also suggests the department move forward with a simultaneous, two-pilot approach to more closely examine its mobile device deployment. In one pilot, HHS should test the use of government-provisioned mobile devices in a controlled and managed environment and in another it should test the use of personally-owned mobile devices with a FIPS 140-2 certified secure enclave.

For more:
- download the strategy document from GovernmentAttic.org (.pdf)

Related Articles:
DoD releases comprehensive mobile strategy
VA happy to follow on BYOD, says Baker