Agencies slowly knocking down cybersecurity barriers to going mobile
Friday - 2/8/2013, 5:22am EST
"We are hosting it so the platform is secure, it's certified and accredited, and compliant with different federal rules," said Gwynne Kostin, director of the Digital Innovation Center at GSA, in an interview with Federal News Radio after she participated on a panel discussion at the ACT-IAC Executive Management Series on Mobility in Washington. "The other piece about it that's really important, all the themes we are offering on it are all mobile ready. We are actually hoping to help achieve what we are seeing in the federal Digital Strategy and help agencies do that through this platform."
Gwynne Kostin, director, Digital Innovation Center, GSA
"We are just starting it off," she said. "We don't have all the answers yet so as we get clients and folks in the federal sector who are using this system they will be telling us what they need and help us build it out."
The use of the platform is free during the Alpha stage, but GSA is looking at a charge-back model for the future.
"This is a way for people who don't have an open content management system to actually achieve that part of it," Kostin said. "In addition to the tool itself, we have a number of best practices. We have recommendations. There's training and all these other tools that will help them if they are using this sites.usa.gov or looking to migrate within their own platform, we will be able to help them."
Several tools under development
The platform is one of several new tools called for in the Digital Government Strategy and created by the Digital Innovation Center and other agencies.
The center also recently launched a website analytics tool, which is a governmentwide capability to analyze how well agency Web services and mobile services are doing in terms of meeting customer needs.
Under the Digital Government Strategy, which laid out a series of 3-, 6- and 12-month milestones, the Chief Information Officers Council released a bring-your-own-device toolkit and a report on the barriers and a gap analysis for mobile devices.
Agencies are working on nine more goals due by May under the Digital Government Strategy, including a governmentwide mobile device management platform and a shared mobile app development program.
The Homeland Security Department last summer drafted a security baseline architecture and now is using this blueprint to develop more in-depth use cases to describe a common approach to securing mobile devices.
Security use cases under review
Margie Graves, the deputy CIO at DHS, said in creating the security baseline, a tiger team interviewed 21 agencies to come up with five mobile use cases.
Margie Graves, deputy chief information officer, DHS
Graves clarified what is coming and by when. In March, DHS will publish the use case for moderate security for mobile computing, which would show government-to-government security needs; by May, DHS would publish the playbook to give agencies help with implementing the use case.
There are four other use cases in the works. Graves declined to offer more details on what they will specifically address.
The National Institute of Standards and Technology is leading several security initiatives as well.
Adam Sedgewick, a senior IT policy advisor at NIST, said they are focusing on securing applications as well as the devices.
"NIST has also done some work with Defense Advanced Research Projects Agency on how to analyze applications using open source analysis tools, to vet the application. We started with Android," Sedgewick said. "This is something that they did with DARPA so that they could vet apps that were going to be used by the warfighter. That work and the proof of concept we did in a portal, we will be turning that into guidelines that will come out later this year that will show agencies the methodology for testing and vetting third-party apps."
NIST also is finalizing several mobile security-related publications, specifically around BYOD and creating trust among devices at the internal chip level.
BYOD still too risky for some
Security remains the biggest obstacle to mobile computing, especially bring-your-own-device (BYOD).
Brad Nix, chief information security officer, USDA Food & Nutrition Service
Nix said the government's aversion to risk was one of the main reasons for the decision to cut out that part of the policy.
"We have a very good mobile policy that is going through the approval process authorities now and we hope it will be published in the not too distant future," he said.
The Food and Nutrition Service set up a program management office to oversee the move to mobile. Additionally, USDA recently awarded Digital Management Inc. a $20 million contract to provide device management, application delivery and secure container technology services.
At DHS, Graves said they are taking four steps to improve security of mobile devices.
She said DHS is implementing an enterprisewide mobile device management application and creating a mobile app store around a process called the "car wash."
"That's not just the store itself, but that's also how do you follow applications through the lifecycle, how do you vet them, how do you make sure they are tested, how do you continuously validate them and make sure you are creating that community of trust where those applications can be exchanged with other government agencies, and sometimes in the case of DHS, we've developed some citizen apps," she said. "That kind of an application is developed for the citizen space, but it has to be tested and validated, and it has to be secured and certified for it to be included in the areas like the Apple iStore. These are the kinds of things we are working through right now."
DHS also is looking at identity management and access control, with an eye toward labeling and tagging the data to better control who can see what information or access which systems and when.
Graves said DHS is applying this tagging and labeling concept to the screening mission as a test case.