Agencies slowly knocking down cybersecurity barriers to going mobile

Friday - 2/8/2013, 5:22am EST

Jason Miller, executive editor, Federal News Radio

The General Services Administration is testing out a new approach to host and manage online content. GSA wants the content management platform to help agencies make websites and other applications mobile ready more quickly.

"We are hosting it so the platform is secure, it's certified and accredited, and compliant with different federal rules," said Gwynne Kostin, director of the Digital Innovation Center at GSA, in an interview with Federal News Radio after she participated on a panel discussion at the ACT-IAC Executive Management Series on Mobility in Washington. "The other piece about it that's really important, all the themes we are offering on it are all mobile ready. We are actually hoping to help achieve what we are seeing in the federal Digital Strategy and help agencies do that through this platform."

She added the content management platform still is in the early testing stage, called Alpha, and only the website sites.usa.gov is using the platform today. Kostin said a few other agencies are close to signing on.

"We are just starting it off," she said. "We don't have all the answers yet so as we get clients and folks in the federal sector who are using this system they will be telling us what they need and help us build it out."

The use of the platform is free during the Alpha stage, but GSA is looking at a charge-back model for the future.

"This is a way for people who don't have an open content management system to actually achieve that part of it," Kostin said. "In addition to the tool itself, we have a number of best practices. We have recommendations. There's training and all these other tools that will help them if they are using this sites.usa.gov or looking to migrate within their own platform, we will be able to help them."

Several tools under development

The platform is one of several new tools called for in the Digital Government Strategy and created by the Digital Innovation Center and other agencies.

The center also recently launched a website analytics tool, which is a governmentwide capability to analyze how well agency Web services and mobile services are doing in terms of meeting customer needs.

Under the Digital Government Strategy, which laid out a series of 3-6-and-12-month milestones, the Chief Information Officer's Council released a bring-your-own-device toolkit and a report on the barriers and a gap analysis for mobile devices.

Agencies are working on nine more goals due by May under the Digital Government Strategy, including a governmentwide mobile device management platform and a shared mobile app development program.

The Homeland Security Department last summer drafted a security baseline architecture and now is using this blueprint to develop more in-depth use cases to describe a common approach to securing mobile devices.

Security use cases under review

Margie Graves, the deputy CIO at DHS, said in creating the security baseline, a tiger team interviewed 21 agencies to come up with five mobile use cases.

"What we are doing now is taking that middle use case and we are driving it down to what could be really implemented in that world," Graves said. "We are taking the actual Federal Information Processing Standard (FIPS) framework and working through each of those security controls to give people a playbook, if you will, about how I would implement that case in terms of security. That's where we are going right now. We expect to deliver that probably in the March timeframe with the full deliverable being delivered in May."

Graves clarified what is coming and by when. In March, DHS will publish the use case for moderate security for mobile computing, which would show government-to-government security needs; by May, DHS would publish the playbook to give agencies help with implementing the use case.

There are four other use cases in the works. Graves declined to offer more details on what they will specifically address.

The National Institute of Standards and Technology is leading several security initiatives as well.

Adam Sedgewick, a senior IT policy advisor at NIST, said they are focusing on securing applications as well as the devices.

"NIST has also done some work with Defense Advanced Research Projects Agency on how to analyze applications using open source analysis tools, to vet the application. We started with Android," Sedgewick said. "This is something that they did with DARPA so that they could vet apps that were going to be used by the warfighter. That work and the proof of concept we did in a portal, we will be turning that into guidelines that will come out later this year that will show agencies the methodology for testing and vetting third-party apps."

NIST also is finalizing several mobile security-related publications, specifically around BYOD and creating trust among devices at the internal chip level.

BYOD still too risky for some

Security remains the biggest obstacle to mobile computing, especially bring-your-own-device (BYOD).

Brad Nix, the chief information security officer at the Agriculture Department's Food and Nutrition Service, said his office created a mobile policy with BYOD only to have the legal folks take it out when the policy raised some concerns.

Nix said the government's aversion to risk was one of the main reasons for the decision to cut out that part of the policy.

"We have a very good mobile policy that is going through the approval process authorities now and we hope it will be published in the not too distant future," he said.

The Food and Nutrition Service set up a program management office to oversee the move to mobile. Additionally, USDA recently awarded Digital Management Inc. a $20 million contract to provide device management, application delivery and secure container technology services.

At DHS, Graves said they are taking four steps to improve security of mobile devices.

She said DHS is implementing an enterprisewide mobile device management application and creating a mobile app store around a process called the "car wash."

"That's not just the store itself, but that's also how do you follow applications through the lifecycle, how do you vet them, how do you make sure they are tested, how do you continuously validate them and make sure you are creating that community of trust where those applications can be exchanged with other government agencies, and sometimes in the case of DHS, we've developed some citizen apps," she said. "That kind of an application is developed for the citizen space, but it has to be tested and validated, and it has to be secured and certified for it to be included in the areas like the Apple iStore. These are the kinds of things we are working through right now."

DHS also is looking at identity management and access control, with an eye toward labeling and tagging the data to better control who can see what information or access which systems and when.

Graves said DHS is applying this tagging and labeling concept to the screening mission as a test case.
