Mobile Services Category Team (MSCT)

Bring Your Own Device (BYOD) Guidance

May 2018


Table of Contents

1 Introduction ... 4
1.1 Bring Your Own Device Definition ... 4
1.2 Document Purpose ... 4
1.3 The Context for BYOD Consideration ... 5

2 Key Considerations to Implementing BYOD Policy ... 5
2.1 BYOD Potential Benefits ... 6
2.1.1 Device Familiarity / Employee Satisfaction ... 6
2.1.2 Increased Productivity & Employee Driven Innovation ... 6
2.1.3 Cost Savings ... 6
2.2 BYOD Potential Challenges and Risks ... 7
2.2.1 Security ... 7
2.2.2 Government Compensation and Reimbursement Policies ... 8
2.2.3 Legal and Privacy ... 9
2.2.4 Geographic Deployment ... 10

3 Legal Implications and Regulations ... 10

4 Guidance, Considerations, and Parameters of BYOD ... 10
4.1 Total Cost of Mobility ... 12
4.2 Voluntary Participation ... 12
4.3 Device Ownership and Approvals ... 13
4.4 Device Confiscation ... 13
4.5 Remote-Wipe in connected and non-connected states ... 13
4.6 Privacy/Search ... 13
4.7 Applications and Data Segregation ... 13
4.8 Device Settings ... 14
4.9 Third Party Access ... 14
4.10 Overtime ... 14
4.11 Acceptable Use ... 14
4.12 Intellectual Property ... 14
4.13 Liability and Safety ... 14
4.14 Device Upgrade or Ownership Transfer ... 15
4.15 End of Participation ... 15
4.16 Records Management ... 15

5 Rules of Behavior and Guidelines ... 15
5.1 Rules of Behavior ... 15
5.1.1 User Guidelines Summary ... 16
5.1.2 Agency Management Guidelines Summary ... 17
5.2 Penalties for Non-compliance ... 17

6 Current Implementations of BYOD in Government ... 17

7 BYOD Implementation Options ... 18
7.1 Enterprise Mobility Management (EMM) – MDM, MCM, MAM ... 19
7.2 Virtual Mobile Infrastructure (VMI) ... 20
7.3 Application & Data Containers ... 22
7.4 2-Factor Authentication for Agency Applications – Using PIV/CAC and Secure Browser (e.g. Thursby Software – Sub Rosa) ... 23

8 Preparation for Key Events ... 24

9 Summary and Recommendations ... 25

10 APPENDIX: Case Studies, User Agreement Example, and Reference Material ... 27
10.1 CASE STUDY: U.S. Equal Employment Opportunity Commission (EEOC) ... 27
10.2 CASE STUDY: U.S. Nuclear Regulatory Commission ... 31
10.3 CASE STUDY: Navy Reserve – Replace GFE with BYOD ... 32
10.4 USER ACKNOWLEDGEMENT AGREEMENT EXAMPLE ... 36
10.5 Legal References ... 38
10.6 Document Definitions ... 39


BRING YOUR OWN DEVICE GUIDANCE

1 Introduction

1.1 Bring Your Own Device Definition

This document addresses the voluntary use of employees’ personal mobile devices for government related work. This document is not intended to address the personal use of an enterprise owned device. A “Bring Your Own Device” (BYOD) program allows employees and other approved associates of an Agency or enterprise to use their personal mobile devices for work related communication, data access, and use of organization owned applications. These mobile devices include smartphones and potentially tablets; the document is not intended to address the use of laptops or other devices whose primary purpose is general computing.

Most organizations have many devices accessing their email platforms as well as other systems that may not have been previously approved. Often, the organization is not aware of these unauthorized devices; a well-defined and implemented BYOD program can manage these devices under an approval process to eliminate risk. If implemented properly, a BYOD program can provide convenience, improved productivity to its staff, improved security, and potential cost savings for the organization. A BYOD program will also create official guidelines and requirements for employees to connect via their own devices and will allow IT teams to better manage, control, and ensure compliance.

1.2 Document Purpose

The document updates prior BYOD guidance [1] with the goal of providing Federal Government agencies clear guidelines for evaluating and potentially establishing a “Bring Your Own Device” (BYOD) program. Furthermore, the document brings together and consolidates multiple resources and best practices across several agencies which have already established or evaluated BYOD programs. It also draws upon lessons learned from commercial programs. It is not intended to be a Federal Government policy document or a requirements document for BYOD.

The document seeks to provide a set of minimum guidelines, considerations, and recommendations to be evaluated for an effective solution while meeting Federal requirements involving the use of personally owned devices coupled with the critical need to maintain a secure environment for voice and data communications. These guidelines address the employee sign-up process, training, user agreements, approved devices, mobile security, user support, accessible data sources, cost and usage issues, employee privacy, and on-going compliance and procedures. While the document provides guidelines for broad government-wide use, individual agencies will need to tailor their respective processes for employee participation, sign-up, training, security requirements, groups or individuals eligible for participation, opportunities for cost savings, standardization, and simplification, and the final solution to be adopted to meet employee and enterprise needs.

[1] BYOD Toolkit, issued by White House (8/23/2012)


Several government agencies have successfully implemented BYOD in spite of the questionable viability of such a program due to regulations and policies. Successful implementations are highlighted in Figure 1 and further details on each are provided in the Appendix.

Figure 1 - Government BYOD Implementations

1.3 The Context for BYOD Consideration

BYOD has been an option that both commercial and government organizations have reviewed and considered in recent years to improve internal and external communications and to provide employees who do not have enterprise provided devices, a way to connect either after hours or when traveling. Program acceptance and success is improving as mobile, data security, and other important factors have been addressed and are continuously being enhanced. Additional factors positively impacting BYOD acceptance and participation include:

- The percentage of personal smartphone and tablet ownership reaching saturation levels
- Increasingly remote employee base
- A greater reliance on mobile communications when away from work, either during travel periods or after regular work hours
- Devices becoming much more personalized and customized with applications, music, personal email access, and other forms of personal media and productivity tools
- Employees wanting to carry their own personal devices and use them to access work related information and data when necessary
- Employees not wanting to carry multiple devices for the same functionality
- Wireless carriers offering unlimited plans to include voice and data, which limits organizational cost exposure for reimbursements and limits personal users’ incremental service cost
- Enhanced mobile security capabilities, including the ability to separate personal and business-government use on a given device


2 Key Considerations to Implementing BYOD Policy

Considerations of a BYOD program for any agency must ensure that it fits the agency’s operational environment, supports its mission goals and requirements, and meets the needs of its staff. Because of these and other critical issues addressed in this document, BYOD is not intended nor is expected, to be a good fit for all agencies. The business case for implementing BYOD programs will vary from agency to agency.

The growing trend of BYOD demonstrates that IT leaders within agencies need to evaluate the benefits and limitations of BYOD for their individual agency mission. New technologies must be integrated in an agile, interoperable, and secure manner to meet changing agency and customer needs. Device agnosticism is more important than ever. Software, hardware, and applications must be compatible across common systems and personal devices. Information security controls must also be consistent with existing laws and standards to ensure confidentiality, integrity, and availability. As previously stated, BYOD is not necessarily a good fit for all government agencies – it has to fit the agency’s environment, security tolerance, and mission requirements, and meet the specific staff and management needs. While the business cases for implementing BYOD programs will vary from agency to agency, they will often include the following drivers: increases in program productivity and effectiveness, improved security, adaptability to a changing workforce, continued improvement of the user experience, and potential net cost reduction. Figure 2 below is a list of benefits and challenges to consider when determining whether a BYOD program is right for your agency and its staff. It is important to note that this is not an exhaustive list; each agency needs to evaluate benefits and challenges based on its own mission and risk tolerance.

Figure 2 - BYOD Implementation Benefits & Risks

BYOD Implementation – Benefits/Risks

Potential Benefits:
- Device/OS Familiarity and Satisfaction
- Increased User Productivity/Innovation
- Agency Cost Savings

Potential Challenges and Risks:
- Mobile Device and Data Security
- Compensation and Reimbursement
- Legal and Privacy Concerns
- Geographic Deployment

2.1 BYOD Potential Benefits

2.1.1 Device Familiarity / Employee Satisfaction

Familiarity with one’s own device, OS, and applications can be a leading factor in employee satisfaction. A user's familiarity with a device, OS, or applications can significantly affect the overall user experience and may also decrease support costs through a reduced need to contact the help desk. Millennials tend to be stronger advocates of BYOD due to their habits of embracing newer technologies as well as their desired personalization of devices and content. The ability to use the same applications at work and at home has the potential to improve employee satisfaction.

2.1.2 Increased Productivity & Employee Driven Innovation

Increased familiarity has the potential to translate into increased worker productivity. A 2012 study conducted by Cisco Internet Business Solutions Group (IBSG) showed that IT leaders cited increased productivity as a result of BYOD allowing employees to work when and where they liked. Furthermore, this study linked employees' ability to choose when and where to work with an increase in employee driven innovation. Being connected to company data around the clock also allows employees to develop good ideas as they happen, whenever they happen, rather than waiting until the next time they are in the office [2].

2.1.3 Cost Savings

Perhaps the most intuitive rationale behind adopting BYOD is the reduction or avoidance of capital expenditures (CAPEX) and operating expenses (OPEX) for an organization. Since the organization is not responsible for procuring or maintaining the devices in a BYOD environment, this can represent significant savings or avoidance of increased costs compared to Government Furnished Equipment (GFE) programs. The amount of savings varies from agency to agency, depending on how much direct IT support the organization provides to employee owned devices. Agencies need to conduct an in-depth evaluation of their total cost of mobility prior to implementing BYOD, since BYOD may increase an organization’s mobility management effort [3]. This evaluation will allow an agency to determine exactly where cost savings will be realized and will provide metrics for on-going review, comparison, and analysis. Software licenses (i.e. MDM, secure browser, container, security, etc.), helpdesk support, and other support costs can sometimes outweigh the upfront, expected cost savings. Potential cost savings include:

- Hardware costs: This cost is shifted from agency to employee
- Voice / Data Service Plans: Agencies may (or may not) reimburse whole or part of the service cost via a reimbursement plan
- Cost savings from increased productivity
- Internal agency management costs of acquiring and managing mobile devices

While it is difficult to quantify the exact costs and benefits resulting from increased productivity, as per a Forbes article [4], Intel employees who took advantage of the BYOD program have reported saving 57 minutes per day. If Intel Corporation's 23,500 employees saved this much time with a 0.5 productivity factor, Intel states that it would gain roughly $700 million in value just from BYOD.

2.2 BYOD Potential Challenges and Risks

While there are several benefits to BYOD, there are some potential drawbacks to consider while implementing a BYOD program within an Agency.

2.2.1 Security

For CIO shops within Federal agencies, the biggest challenge to implementing a BYOD policy is the security implications resulting from use of personal devices and the resulting potential exposure of government information contained on those devices. Exposure of government data (including PII) is perhaps the greatest risk resulting from poorly implemented BYOD, in that many past BYOD programs in commercial and government environments have not implemented necessary security measures. Agencies must have strict policies on data storage and encryption to protect sensitive data. If an enrolled personal BYOD device is lost, the agency must have the right to wipe the device of government data requiring protection.

[2] The Financial Impact of BYOD, Economic Analysis, Cisco IBSG Horizons, 2013
[3] BYOD Security and risk considerations for your mobile device program, by EY, 2013
[4] Calculating the True Cost of BYOD, by Elise Ackerman, May 28 2013


With anytime/anywhere connectivity, it is assumed that users will connect outside of the secured enterprise infrastructure, which could include open Wi-Fi networks, and less secure home-based networks, which would certainly increase the threats to the device and the data at rest or in motion from the device. Agencies wanting to implement a secure BYOD solution must first develop clearly outlined policies, standards, and guidelines for their employees and contractors. This guidance should be written in consultation with government counsel to protect the agencies’ interest and data.

The following are some high-level security concerns CIO offices are faced with:

- Lost, stolen or unauthorized access to devices
- Attacks and threats, such as malware, scams and fake apps
- Unmanaged proliferation of Device Types and Operating Systems – Without a clear policy on an approved list of devices and operating systems, BYOD can introduce a host of devices/OS’s that can make the enterprise architecture more vulnerable
- Employees could bypass security rules of behavior – Employees could browse sensitive information without authority, and access websites or cloud services, thereby introducing vulnerability
- With enterprise data being accessed via government owned devices and BYOD devices, lines are blurry on information ownership and liability. It is vital for IT shops to clearly partition or separate government and personal data and applications, respectively
- Threats to Enterprise
  o Loss of Device Integrity
    - Lost or stolen device
    - Network manipulation
    - Malicious application
  o Spillage and unauthorized Removal of Enterprise Data from Enterprise Control
  o Mobile App vulnerabilities and malware
- Threats to Users
  o Erasure of Personal Data
  o User privacy compromise
  o Device bricking – Over reaching enterprise control via MDM policy on the device
  o Improper enterprise policy modifications – Policy/Privacy changes via MDM, without user consent

2.2.2 Government Compensation and Reimbursement Policies

CIOs have to deal with concerns about the implications of device subsidies or reimbursements on compensation. For example, if employees receive a stipend, is that considered income, and would it be taxed accordingly? What happens if an employee leaves after receiving the stipend or before the end of a smartphone contract? Do they pay it back? Who’s responsible for the remaining contract or cancellation fees? For many agencies, these remain open questions.

Federal District courts have ruled against Federal Government reimbursement approaches. In accordance with 31 U.S.C. § 1342, “an officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property.” Thus, Federal Agencies cannot request employees perform government work on BYOD devices nor require the procurement of services to perform government work without compensation. This legal requirement is the basis for the recommendation that Federal BYOD programs be limited to voluntary participation and only in situations where there is a tangible benefit to the employee.

Paying a fixed stipend for data usage reimbursement is illegal unless funds are specifically appropriated (5 U.S.C. § 5536). GAO opinions limit reimbursement to “actual expenses” for official Government use of personal devices to avoid violating 5 USC 5536 (prohibiting supplements to salary fixed by law or regulation) [5][6].

Occasional BYOD users may not expect or require a stipend, but for many users a reimbursement program that provides compensation for costs related to government applications may greatly incentivize the transfer from GFE to BYOD, encourage the transition, and allow a stronger legal claim if the user violates privacy or security policy. Only a small number of potential reimbursement options are available. Nevertheless, a centralized stipend program, such as the Mass Transportation Benefit Program [7], is considered the most practical reimbursement approach and the best model to adopt for BYOD due to the cost efficiencies and internal management controls.

BYOD is an optional program for employees and therefore, does not require an employee to obtain a personal cellular or mobile device and service plan to conduct official Government business. Federal programs are not required to reimburse participants for wireless voice/data, hardware, software, or other costs incurred due to the use of personally owned mobile devices for official business. This includes loss of access to hardware, data, and mobile applications. The program policy and User Agreement (UA) should specify whether the program would reimburse users for all or any portion of associated costs. If the BYOD program plans reimbursement for all or a portion of the user’s wireless voice/data costs, the reimbursable amount must be based on an actual expense, and not on a flat rate. For example, there may be specialized services that are required to be obtained and used by an employee and which can easily be identified and verified on an employee’s wireless services bill. Those employees may be reimbursed for the specialized required services.

Reimbursement Guidelines:

- Reimbursement policies and cost ranges or exact amounts must be decided and approved in advance of the program being launched, and those policies must be communicated clearly, in writing, to all employees.
- Employees must be approved in advance for allowed reimbursement for fixed fee specialized services.
- Employees are required to submit a form that clearly states the reimbursement amount requested along with the itemized cellular bill that shows the exact amount associated with each of the services being requested for reimbursement.
- Reimbursement requests cannot be submitted beyond the current fiscal year.

[5] Note that any stipend program would require updating Principles of Federal Appropriations Law, Vol. 1 and GAO B-229406 policy, which does not currently allow the use of appropriated funds to reimburse employees on a flat rate.
[6] GAO opinions limit reimbursement to “actual expenses” for official Government use of personal devices to avoid violating 5 USC 5536 (prohibiting supplements to salary fixed by law or regulation):
- B-287524, Oct 22, 2001 (West. Area Power Admin.)
- B-291076, Mar 6, 2003 (NRC)
- See also B-308044 (Jan. 10, 2007) (installation of Internet at Federal employees’ homes)
- Phone calls (or perhaps text messages) that exceed a user’s personal plan might be itemized and documented by invoice, but how would you allocate the “actual” cost of the user’s personal base activation plan or data usage to Government use?
- See GSA Memo, May 22, 2012 (John Cornell, Sr. Ass’t G.C., to Teresa Curtis, regarding legal options for using appropriated funds to support personally owned devices)
[7] http://www.dtic.mil/whs/directives/corres/pdf/100027p.pdf

2.2.3 Legal and Privacy

BYOD can potentially expose the agency to legal concerns as summarized below:

- If an organization remotely wipes an employee's device and causes the employee to lose a personal digital media library permanently, the agency might be liable for the value of the digital media. Given the storage capacity of devices, that media could be worth thousands of dollars.
- Security breaches – workers may maintain connectivity when working off-site, retaining and deleting data, etc.
- Search & Seizure – surrendering and unlocking of personal devices.

A significant risk of BYOD is the invasion of employee privacy. This risk affects both the agency and the employee. Agencies seeking overly broad control and monitoring over employee-owned devices may find themselves in legal battles over invasion of privacy.

From the employee's perspective, there is the possibility that the employer will be able to track user locations, user behavior, and view all written communications from that device, whether business-related or not. These are well-founded concerns given the technology capabilities of mobile applications and OS software.

2.2.4 Geographic Deployment

International deployment increases risk levels for the organization because of both geographic distribution and regional / international legislation, which may impact privacy or security controls. Internationally, compliance with local laws may have an impact if the devices are obtained in a non-US country or territory [8].

3 Legal Implications and Regulations

While it is feasible in many situations to use personally owned mobile devices to access the enterprise, doing so may require device owners to make significant voluntary concessions regarding some of the rights and expectations normally associated with private ownership. As with Government Furnished Equipment (GFE), mobility program owners must ensure that personally owned mobile devices meet Cybersecurity, records management, and other applicable requirements. Considerations regarding personally owned mobile devices identified in the previous section were drawn from Federal Agencies, the Department of Navy [9], and past Federal Guidance [10][11]. Applicable considerations must be mitigated by program policies and user agreements (UA) that have been carefully crafted by Federal Agencies in consultation with their appropriate legal counsel. Legal references can be found in the Appendix.

[8] Bring Your Own Device, Security and Risk Considerations for your mobile device program; EY 2013
[9] DON Memo
[10] BYOD Toolkit, issued by White House (8/23/2012)
[11] IT Security: Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publ. 800-124 rev. 1 (6/2013)

4 Guidance, Considerations, and Parameters of BYOD

This section establishes a set of baseline considerations for permitting personally owned mobile devices access to Federal organizational information, which are summarized in Figure 3. There are varying degrees of mobile requirements across Federal Agencies. Therefore, guidance and recommendations are intended to be flexible enough to allow access to diverse enterprise resources using various technologies, while allowing agencies to structure their BYOD programs to meet their needs. Agencies may face distinctive legal and technical concerns, requiring program policy and User Agreements (UA) to be tailored appropriately. It is the responsibility of every approved program owner to proactively analyze that program and modify it appropriately.

Figure 3: Summary of BYOD Program Considerations

In this section, “program” refers to the mobility system providing enterprise access for personally owned mobile devices, including the hardware, software, and policy. “Private” refers to the portions of the mobile device used for personal functions by the device owner (e.g., applications, phone calls, messaging, and data storage). “Organizational” refers to the component of the mobile device used to process or store enterprise data. There are many different technologies (e.g., container, virtual desktop, web browser) that meet Federal Cybersecurity requirements and might be used to enable a personally owned mobile device to access the enterprise, which means the “organizational” component of a mobile device will vary between mobility programs.

4.1 Total Cost of Mobility

As an Agency evaluates the cost structure, it is necessary to review the Total Cost of Ownership (TCO) model. If not calculated from a TCO perspective, it is possible that savings achieved from eliminating or reducing device costs or service plan costs could be offset by increased costs in other areas such as management and software in a BYOD program. (Note: mobile devices for agencies currently tend to be service enabled devices (SEDs) that are subsidized or free from the Carriers, but there are commercial pricing trends that remove or limit subsidization that may impact government in the future.)


Cost is clearly not the only factor for consideration, and perhaps not even the most important one, in determining whether or not to implement a BYOD program. However, it is important to review and understand the impact on Agency costs in the context of a BYOD implementation, and one of the best ways to evaluate cost is to conduct a Total Cost of Mobility analysis. It is up to the individual agencies to determine and prioritize their criteria.

Agencies will need to determine the impact on each cost factor of implementing BYOD. Some of the associated cost categories for agencies to consider with BYOD are listed below.

- Voice/Data plans and usage
- Accessories, e.g. CAC/PIV reader
- EMM / MDM Software
- Endpoint Security
- Other End-User Client Licenses
- Productivity increases
- Help Desk / Service Desk, GFE vs. BYOD
- Program Management
- IT or Other Development Costs
- Engineering or Technology Services

BYOD can and should be cost-effective, but a cost-benefit analysis is essential as the policy is developed. Such a cost-benefit analysis should take into account potential cost avoidance, cost savings, additional costs, and increases in employee productivity as well as possible increase in Agency mobility program management costs. For example, providing employees access to government services on their personal devices should help reduce the number of government devices that are provided to staff as well as the life-cycle asset management costs associated with these devices. BYOD programs may, however, necessitate government reimbursement for actual voice/data costs incurred when employees use their personal mobile devices instead of government-issued mobile devices and additional enterprise infrastructure costs in handling the support of BYOD users. Overall costs may increase for personnel who frequently communicate outside of the coverage area of their primary service provider and incur roaming charges and who use large amounts of voice or data if their respective service plan is not associated with an unlimited service from the wireless carrier.

4.2 Voluntary Participation

Participation in approved BYOD programs using enterprise-enabled personally owned mobile devices must be voluntary. Under no circumstances will Federal Agencies’ personnel be directed or required to use personally owned mobile devices for official business. Personnel assigned roles requiring mobile device use must have the option of using a GFE device but may choose to voluntarily use their personally owned mobile devices for convenience or personal preference. Reimbursing mobile device owners for costs incurred cannot be used to change the voluntary nature of the program.

4.3 Device Ownership and Approvals

BYOD programs are for employee owned mobile devices. It is recommended that Agencies use an approved list of devices, operating systems (OS), and required OS updates as determined by bodies such as NIAP or DISA, or, if required and feasible, by the Agency establishing the BYOD program.

4.4 Device Confiscation

There are circumstances that may result in a personally owned mobile device being confiscated for physical destruction, for electronic search, or for a factory re-set and device wipe. The confiscation may be temporary or permanent. To confiscate a personally owned device, the program must have a legitimate requirement (such as a classified spillage), the requirements must be documented in the program policy, the program must have the user’s consent (as spelled out beforehand in the UA), and enforcement of the requirement must be consistent. The program policy must define the various situations that could result in confiscation, identify requirements justifying the possible actions, resulting actions, and stipulate that prior user consent to the program policy must be addressed by and obtained through the User Agreement.

4.5 Remote-Wipe in connected and non-connected states

This guidance document recommends that BYOD agreements are inclusive of “remote-wipe” capability in connected and disconnected states, as directed by the OMB.

4.6 Privacy/Search

Federal personnel have a reasonable expectation of privacy on personally owned mobile devices, even when those devices are used to access organizational data. To facilitate this, the program and technology should be designed with the intent of ensuring segregation of the private and organizational portions of the mobile device. However, implementations may be imperfect, which could result in situations that require program access to the private portion(s) of the device. Consequently, the program must reserve the right to search the private portion of the device. To ensure the program may legally access all portions of the owner’s device (private and organizational), the program must have a legitimate regulation or policy supporting the need, must apply the requirement consistently, and must have prior user consent. The program policy and its enforcement may be used to satisfy the first two conditions, and the UA may be used to capture prior user consent.

4.7 Applications and Data Segregation

Program policy and the UA should specify which applications might be used for organizational purposes. This will help ensure that mobile device owners do not inadvertently contaminate the private portion of the device with enterprise data. Program designers should consider what enterprise functionality users will require and ensure that tools and applications are available within the organizational portion of the device to enable keeping those functions separate from the private side.

4.8 Device Settings

The program may need to apply or control personally owned mobile device settings (such as a minimum length for the device access PIN) to ensure enterprise information security. Device settings will vary among programs based on the level of enterprise access, the sensitivity of enterprise information, the technology enabling access, and other factors. Through the UA, participants must consent to the application of or modifications to enterprise security controls on their privately owned mobile devices prior to entering the program.
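The approved-list and device-settings controls in sections 4.3 and 4.8 are normally enforced at enrollment time by evaluating what the EMM/MDM reports about the device against the program baseline. The following is an added example of such a check, not code from this guidance or from any agency's MDM; the policy values, record field names and the three device records are assumptions constructed for illustration, and in practice the records would come from the EMM inventory.

```python
"""Enrollment compliance check for a BYOD program (added example; not from the
MSCT guidance or any agency's MDM). It evaluates a device record against the
kind of baseline sections 4.3 and 4.8 describe: an approved OS/version list,
a minimum security-patch recency, a minimum passcode length, and no rooting or
jailbreaking. Policy values, field names and device records are assumptions
for illustration; real records would come from the EMM/MDM inventory API."""

from datetime import date

# Hypothetical program policy (illustrative values, not from the guidance).
POLICY = {
    "approved_os": {"iOS": "11.3", "Android": "8.0"},   # minimum version per platform
    "max_patch_age_days": 90,                            # security patch level must be this recent
    "min_passcode_length": 6,
    "allow_rooted": False,
}


def parse_version(text):
    """Turn '11.3.1' into (11, 3, 1); non-numeric components become 0 so that
    vendor suffixes such as '8.1.0-beta' do not crash the comparison."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, required):
    """Component-wise comparison; '11.3' counts as meeting '11.3.0'."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    return a + (0,) * (width - len(a)) >= r + (0,) * (width - len(r))


def evaluate_device(record, policy=POLICY, today=None):
    """Return (approved, findings). Every failed control is reported, not just
    the first, so the help desk can tell the user everything to fix."""
    today = today or date.today()
    findings = []

    minimum = policy["approved_os"].get(record["os"])
    if minimum is None:
        findings.append("platform %s is not on the approved list" % record["os"])
    elif not version_at_least(record["os_version"], minimum):
        findings.append("OS version %s is below required %s" % (record["os_version"], minimum))

    age = (today - date.fromisoformat(record["patch_level"])).days
    if age > policy["max_patch_age_days"]:
        findings.append("security patch level is %d days old (limit %d)" % (age, policy["max_patch_age_days"]))

    if record["passcode_length"] < policy["min_passcode_length"]:
        findings.append("passcode length %d is below minimum %d" % (record["passcode_length"], policy["min_passcode_length"]))

    if record["rooted"] and not policy["allow_rooted"]:
        findings.append("device is rooted or jailbroken")

    return (not findings, findings)


# Constructed inventory records (illustrative, not real devices).
SAMPLE_DEVICES = [
    {"id": "dev-1", "os": "iOS", "os_version": "11.4", "patch_level": "2018-05-01", "passcode_length": 6, "rooted": False},
    {"id": "dev-2", "os": "Android", "os_version": "7.1.2", "patch_level": "2017-11-01", "passcode_length": 4, "rooted": False},
    {"id": "dev-3", "os": "Android", "os_version": "8.1.0", "patch_level": "2018-04-05", "passcode_length": 8, "rooted": True},
]


def triage(devices=SAMPLE_DEVICES, today=date(2018, 5, 15)):
    """Map each device id to its decision; the fixed date keeps the example reproducible."""
    return {d["id"]: evaluate_device(d, today=today) for d in devices}


if __name__ == "__main__":
    for dev_id, (ok, findings) in triage().items():
        print(dev_id, "APPROVED" if ok else "DENIED", "; ".join(findings))
```

The decision reports every failed control rather than stopping at the first, which matters for a voluntary program: the participant needs the full list to bring the device into compliance, and the help desk needs it to avoid repeated enrollment attempts.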

4.9 Third Party Access

Depending on the program security controls and policies applied to the mobile device, and the technology securing access to the enterprise and the organizational portion of the device (if any), the program may limit device usage to the device owner. The program may also require immediate notification if the device is lost, stolen, or an unauthorized third-party gains access, including family members.

4.10 Overtime

Use of a personal device for enterprise access does not alter overtime approval policies. Local policies and procedures for overtime approval applied to the use of GFE devices should be used to govern how and when a person may use a personally owned device for enterprise access.

4.11 Acceptable Use

Use of a personal device does not alter the standards of acceptable workplace behavior, and the restrictions for use of GFE mobile devices also apply to the user’s personal mobile device. The UA must clearly state that use of the mobile device is subject to all applicable use guidance (such as the Acceptable Use Policy for [Agency]).

4.12 Intellectual Property

Program managers may add specificity to program policy and the UA. However, use of a personal mobile device does not confer ownership of intellectual property from the Agency to the employee if the employee creates the intellectual property due to a job requirement, regardless of whether the intellectual property is created on personal time.

4.13 Liability and Safety

Use of a personally owned mobile device for official Federal purposes does not obviate the requirement for user compliance with all applicable safety related law, regulations, and policy (such as prohibitions against using a mobile device while driving). This should be expressed in the User Agreement. From the perspective of liability, there is no significant difference between a personally owned or GFE mobile device being used for work purposes. The same regulations and policy governing the safe use of GFE mobile devices should be applied to the use of personally owned mobile devices for duty purposes.

4.14 Device Upgrade or Ownership Transfer

To ensure removal of enterprise data, it is recommended that a program participant either provide notification and receive written approval before upgrading a personally owned mobile device to a newer model or transferring its ownership to another individual (a third party or family member), or notify the respective Agency’s Mobility Manager so that the device can be wiped of government content such as applications and data. The exact process should be determined by each Agency and expressed in the User Agreement. The purpose is not to hinder device upgrades but to ensure all appropriate security measures are taken before a device is upgraded or provided to another individual for use. The UA should inform the user that a device upgrade or transfer automatically ends participation in the BYOD program.

4.15 End of Participation

Individuals who voluntarily use personally owned devices must agree to have the enterprise data and supporting data segregation technologies removed from their devices at the end of their participation. Program participation can be voluntarily terminated by the user, directed by the organization, or be the result of an individual’s voluntary or involuntary organizational separation. All attempts should be made to limit loss of data from the private portion of the device; however, inadvertent data loss cannot be ruled out. UAs must address potential data loss, device search, and any reimbursement considerations.

4.16 Records Management

Electronic messages created or received in the course of conducting Agency business are Federal records and must be properly managed by the Agency. According to National Archives and Records Administration (NARA) guidance, electronic messages include emails, text messages, voicemail, social media, and mobile device applications. Program policies and User Agreements must clearly instruct participants on their obligation to capture any Federal records created or received by the personal accounts on their personally owned devices. A device owner who receives such a record must forward it to an official electronic message account within 20 days if the record was not copied to an official account by the originator. Full compliance with this requirement should also enable the Federal Agency to access and retain, as needed, any Federal records subject to litigation holds and electronic discovery efforts.

5 Rules of Behavior and Guidelines

5.1 Rules of Behavior

The intent of the Rules of Behavior section is to summarize guidelines from various Agency and other Federal documents, most specifically OMB Circular A-130 and Section 208 of the E-Government Act of 2002. All agencies that implement a BYOD program should refer to the User Guidelines Summary and the Management Guidelines Summary below, as well as the example User Agreement found in the Appendix of this document. These guidelines are intended to hold users accountable for their actions and responsible for information security. Rules of Behavior establish standards of behavior in recognition of the fact that knowledgeable users are the foundation of a successful security program. Users of a BYOD program need to understand that taking personal responsibility for the security of their device and the data it contains is an essential part of their job. These guidelines must extend to all agency personnel who voluntarily participate in a BYOD program. All users should be fully aware of, and abide by, Agency security policies as well as related Federal policy contained in the Privacy Act, the Freedom of Information Act, and Agency records management regulations.

5.1.1 User Guidelines Summary:

Participation in the BYOD program is voluntary and can be terminated by the employee at any time.

Participant shall adhere to all established Agency Rules of Behavior and associated Agency IT Security guidance and behave in an ethical, informed, and trustworthy manner.

Participant shall not attempt to override technical or management controls and/or configurations installed as part of the BYOD program, unless the user is voluntarily ending participation by self-deleting the government-managed solution’s configuration profile resulting in the automatic loss of all government content from the user’s device.

Participant will not download or transfer Controlled Unclassified Information (CUI) to their personal devices unless authorized by the BYOD program in accordance with the Agency’s BYOD policy.

Participant agrees to delete any sensitive work-related files that may be inadvertently downloaded and stored on the device through the process of viewing email attachments if required by the BYOD solution.

Participant is responsible for carrier service plan costs and any other costs that are not reimbursable by the Agency, unless a device is permanently confiscated, damaged, or destroyed by an Agency.

Participant will abide by the law governing the use of mobile cell phones and/or smartphones, for example while driving (e.g., hands-free use and/or texting).

Access to agency IT resources via the BYOD program is in accordance with agency’s Information Technology Security Policy.

Participant shall take precautions to secure government information and information resources.

Participant should notify the Help Desk or other designated contact prior to the transfer/disposal/upgrades of BYOD device(s).

Participant should physically protect BYOD device from theft, abuse and unauthorized use. Participants should be particularly aware of the threat of loss during periods of travel. The use of the device password is recommended in addition to the agency BYOD program password.

Participant should immediately report loss or theft of the BYOD device to the help desk or other designated contact for remote removal of the Mobile Device Management solution and redirection of e-mail.

Participant shall follow agency password policy, and protect passwords from access by other individuals, e.g., do not store passwords in login scripts, batch files, or elsewhere on the device.

Participant shall report security incidents or any incidents of suspected fraud, waste or misuse of agency systems to appropriate officials immediately.

Participant agrees to maintain the original device operating system and keep the device current with security patches and updates, as released by the manufacturer.

Participant will not “jailbreak” or “root” the device (install software that allows the user to bypass standard built-in security features and controls).

Participant agrees that the device will not be shared with other individuals or family members, due to the business use of the device (potential access to government e-mail, etc.).

5.1.2 Agency Management Guidelines Summary:

The agency management guidelines summarized below require agencies to identify the specific management resources responsible for each:

Agency shall ensure that Fair Labor Standards Act (FLSA) covered employees are not participating in the program without appropriate approval.

Agency shall review authorizations annually to ensure that a bona fide business need exists for employees to participate in the program. In addition, management officials must identify any accounts to OCIO that should be terminated.

Agency shall ensure that personnel granted participation in the BYOD program follow established agency IT security policies, guidelines and procedures.

Agency shall notify OCIO of any separation, transfer, or termination from the Department of any employee participating in the BYOD program, so that OCIO can take the appropriate actions.

Agency reserves the right to terminate government provided services for non-use or upon termination of participation.

5.2 Penalties for Non-compliance

All users are required to comply with the agency Rules of Behavior and End-User Guidelines, which should be included in an Agency User Agreement provided to employees, contractors, and other qualified users of a BYOD program. By signing the agency Rules of Behavior / User Agreement, the employee indicates that they understand, accept, and agree to comply with all identified terms and conditions. Failure to comply with these rules could result in a verbal or written warning, removal of system access, termination of employment, and/or conviction of a misdemeanor punishable by fines.

6 BYOD Implementation Options

The implementation of a BYOD program presents the agency with a host of security, policy, technical, and legal challenges. Adopting a BYOD solution requires an understanding of the sensitivity of the data, the amount of processing, and the data stored on the personal device. Each agency has to assess its own security requirements and select a solution that fits its needs. This section describes BYOD options currently in use by the government as well as other proposed implementations [12]. These options are summarized in Figure 4; this is not a comprehensive list, and some options can be combined.

12 MITRE Technical Report MTR150360, Secure Enterprise Access and Personal Enablement of Mobile Devices, by Michael Peck, Carlton Northern, Glenn Bell, Curt Ryersen, and David Keppler, September 2015

Figure 4 - BYOD Implementation Options

6.1 Enterprise Mobility Management (EMM) – MDM, MCM, MAM

Agencies are increasingly reliant on Enterprise Mobility Management (EMM) to meet basic device management and security needs [13]. EMM generally includes Mobile Device Management (MDM), Mobile Content Management (MCM), and Mobile Application Management (MAM). These capabilities typically invoke functionality built into the device operating system and underlying platform, such as Android Enterprise (formerly known as Android for Work), Samsung Knox, and Apple iOS managed applications and accounts. A BYOD user must enroll the device with the agency MDM system, which may require authorizing the management system to enforce security policies on the device and/or monitor certain aspects of the device.

Some solutions provide “per-application Virtual Private Network (VPN)” capabilities that can be used to send enterprise-managed application network traffic through a VPN to enable access to enterprise resources, while prohibiting unmanaged applications from traversing the VPN and gaining access to enterprise resources. Per-application VPNs can help maintain the privacy of the network traffic of personal activities performed on the mobile device. Enterprises should consider the trade-off between maintaining user privacy and the ability to monitor all device traffic for malicious content, enterprise data exfiltration, and other threats, in addition to the performance impact and overhead imposed by enterprise monitoring. Certain solutions may also enable enterprises to provision Public Key Infrastructure (PKI) certificates to the device that can only be used by the enterprise applications and accounts, not by personal applications.

With some solutions, the device-wide authentication (screen unlock) mechanism controls access equally to both enterprise-managed and non-enterprise-managed (personal) resources. This method simplifies authentication but may cause complications if the device is shared (for example, a personally owned device shared with family members). Other solutions provide a separate authentication mechanism that controls access to enterprise resources. This method adds an extra authentication step and may provide better user interface clarity between personal and enterprise applications and data (e.g., separate “desktops” for each). In either case, the authentication mechanism is often used as a cryptographic factor in the protection of data-at-rest encryption keys, usually combined with an underlying hardware-protected key, which forces password guessing attacks onto the device itself and so increases their difficulty.

13 MITRE Technical Report MTR150360, Secure Enterprise Access and Personal Enablement of Mobile Devices, by Michael Peck, Carlton Northern, Glenn Bell, Curt Ryersen, and David Keppler, September 2015
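The key hierarchy described above is worth seeing concretely. What follows is an added example, not code from the guidance or from any device vendor: the unlock passcode is stretched with PBKDF2, mixed with a key that is bound to the device, and the result wraps the data encryption key (DEK). The device-bound key is simulated with random bytes (on real hardware it sits in a secure element or TEE and is only usable on that device), the PBKDF2 iteration count is lowered so the guessing demonstration finishes in seconds, and the PIN, salt and DEK are constructed for the run. The wrapping primitive is a simple mask-and-MAC construction chosen for readability, not the wrap algorithm any platform uses.

```python
"""Added example (not from the guidance or any vendor) of the data-at-rest key
hierarchy: KEK = HMAC(device_key, PBKDF2(passcode, salt)) wraps the DEK.
The device key is simulated here; ITERATIONS is lowered for the demo."""

import hashlib
import hmac
import secrets

ITERATIONS = 1_000   # lowered for the demo; real deployments use far more


def derive_kek(passcode, salt, device_key):
    """Stretch the passcode, then mix in the device-bound key. Without the
    device key, the stretched passcode alone gives nothing to check a guess against."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=32)
    return hmac.new(device_key, stretched, hashlib.sha256).digest()


def wrap_dek(dek, kek):
    """Wrap a 32-byte DEK: XOR with a KEK-derived mask, then authenticate the
    wrapped value so that a wrong KEK is detected rather than yielding garbage."""
    assert len(dek) == 32
    mask = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, mask))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return wrapped + tag


def unwrap_dek(blob, kek):
    """Return the DEK, or None if the tag does not verify under this KEK."""
    wrapped, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    mask = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, mask))


def guess_passcode(blob, salt, candidates, device_key):
    """Try each candidate; returns (passcode, attempts) or (None, attempts).
    device_key is whatever the attacker holds: the real key when guessing on
    the device, a stand-in when only the blob and salt were copied off it."""
    for attempts, candidate in enumerate(candidates, start=1):
        if unwrap_dek(blob, derive_kek(candidate, salt, device_key)) is not None:
            return candidate, attempts
    return None, len(candidates)


def demo(pin="0427"):
    """Constructed scenario: a 4-digit PIN, a random device key and a random DEK."""
    device_key = secrets.token_bytes(32)   # simulated hardware-bound key
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)
    blob = wrap_dek(dek, derive_kek(pin, salt, device_key))
    candidates = ["%04d" % i for i in range(1000)]   # PINs 0000..0999, which include 0427

    on_device = guess_passcode(blob, salt, candidates, device_key)        # attacker has the device
    off_device = guess_passcode(blob, salt, candidates, b"\x00" * 32)     # attacker copied blob + salt only
    return {
        "unwrap_ok": unwrap_dek(blob, derive_kek(pin, salt, device_key)) == dek,
        "wrong_pin_rejected": unwrap_dek(blob, derive_kek("0000", salt, device_key)) is None,
        "on_device": on_device,
        "off_device": off_device,
    }


if __name__ == "__main__":
    print(demo())
```

The on-device search recovers the PIN after a few hundred attempts, which is why platforms pair this construction with a hardware-enforced attempt counter or escalating delays; the off-device search exhausts the candidate list without a single verifiable hit, because every candidate KEK depends on a key the attacker never obtained.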

The security of these solutions depends on the integrity of the underlying mobile device. Since EMM solutions leverage the APIs of the mobile device platform itself, they may be well positioned to make use of underlying device security features to perform integrity checking.

The built-in enterprise management solutions are generally provisioned by enrolling the device with an enterprise mobile device management (MDM) server, providing that MDM server with some level of administrative access over the device. Particularly in the BYOD use case, this naturally introduces concerns about threats to user privacy and device functionality. The MDM server does not have access to all data on the device nor control over all aspects of device operation but rather is limited to the interfaces provided by the mobile device platform and to the permissions requested by the MDM at enrollment time. The available interfaces and permissions vary significantly between mobile device platforms.

Advantages:
- Enterprise flexibility to install mobile applications into the enterprise managed area without requiring modifications to each application
- Enterprise option to leverage Volume Purchase Programs to provide device users with app access (without each user having to purchase the apps individually); applies to both GFE and BYOD
- Ability to utilize underlying device security features for purposes such as data-at-rest protection, storage of cryptographic keys, and integrity checking

Disadvantages:
- Limited to devices that support the required built-in enterprise management capabilities (this support is quickly broadening)
- Privacy and user functionality concerns with granting the enterprise administrative access over personally owned devices
- Many MDM systems default to asking for a significant level of access to the device, regardless of whether that access is actually needed or used

Two examples of how this approach has been implemented in the Federal government can be found in the EEOC and NRC use cases located in the Appendix.

6.2 Virtual Mobile Infrastructure (VMI)

VMI is an emerging capability that offers an alternative to on-device storage of sensitive data on untrusted devices [14]. VMI, as shown in the figure below, employs thin client technology that enables data storage and processing on trusted computing resources within a secure facility. The only data passed between the user device and the enterprise is inputs (e.g., swipes, gestures, sensors) and outputs (e.g., displays), hence eliminating the need for on-device storage of enterprise data other than authentication credentials.

14 MITRE Technical Report MTR150360, Secure Enterprise Access and Personal Enablement of Mobile Devices, by Michael Peck, Carlton Northern, Glenn Bell, Curt Ryersen, and David Keppler, September 2015

VMI Architecture Diagram

The VMI thin client on the user equipment is an app that connects to a virtualized Android instance within the organization’s enterprise. Sensitive data and applications are maintained within the enterprise, eliminating on-device data-at-rest. VMI thin client applications are available for Windows, iOS and Android platforms. Licensing issues currently limit mobile OS virtualization (the backend platform) to Android platforms only.

VMI solutions ideally eliminate on-device storage of enterprise data other than authentication credentials; however, VMI does not mitigate all threats. VMI solutions (like other solutions) are potentially vulnerable to device-based attacks, such as Mobile Remote Access Trojans (MRATs) and network-based attacks, such as Man-in-the-Middle attacks. Additionally, the underlying virtual machines may be subject to potential exploitation and must be protected and maintained as a critical enterprise resource.

VMI solutions provide strong separation of personal and enterprise information, and minimize the requirement for device management privileges, addressing potential privacy concerns with built-in device and container solutions. Finally, VMI solutions require reliable network connectivity; accordingly, VMI may not be a viable solution for critical capabilities and those requiring disconnected operations. When reliable network connectivity is unavailable, no ability exists to work offline, for example to review documents or draft e-mails. Enterprises should ensure robust Wi-Fi access is available (including to personally-owned devices if implementing the BYOD use case) within their facilities, particularly if indoor cellular coverage is poor.

Advantages:
- Ability to run on any device without dependence on built-in device management capabilities
- Personal privacy and functionality of the device is preserved
- The enterprise can obtain full control over the backend virtual machines and potentially implement advanced security solutions that are not practical to implement on real mobile devices; enterprises may also be able to implement device snapshot and backup capabilities on the virtual machines

Disadvantages:
- Requires constant network connectivity when in use
- Requires a virtual mobile OS for every BYOD user
- Threats to the end device still pose a risk (such as screenshots, input injection, or theft of stored enterprise access credentials) but have less potential impact than with other solutions
- May introduce an extra expense to the enterprise
- VMI does not address disconnected use cases, so enterprises may need to invest in a second solution for those use cases requiring “off-line” capability

6.3 Application & Data Containers

Application-level containers provide and manage access to enterprise resources at the application level, minimizing reliance on built-in device management functions [15]. A container application typically includes email, calendar, web browser, and related capabilities. Mainstream mobile applications cannot run in the container environment without modification, although managed apps outside the container still have some data access controls if an EMM is used. Container vendors may provide an Application Programming Interface (API) that can be incorporated into other applications through source code modifications, or an application wrapping solution that automatically modifies application binaries to run in the container environment. Both approaches depend on the cooperation of the vendor of the desired application, which limits the ability to use mainstream applications (for example, the iOS built-in Mail client and Safari browser) in application-level container environments, although an increasing number of mainstream applications (for example, the Microsoft Office native applications for iOS and Android) are now available for such environments.

While container vendors typically provide alternatives to mainstream browsers and email clients, it is unclear that they can offer the same features and response to security issues as the mainstream product vendors. The most popular browsers including Internet Explorer, Safari, Firefox and a few others are large, complex, well-funded software development efforts that receive frequent updates to address discovered security vulnerabilities as well as to add new web features. If using a web browser provided by a container vendor, we recommend ensuring that the vendor is properly resourced to also keep up with emerging vulnerabilities and expected new features.

Application-level container solutions provide the benefit of clearly isolating enterprise data into a single application or set of applications and may avoid the need to request device management privileges, addressing potential privacy concerns with built-in device solutions. Application-level container solutions generally provide their own authentication mechanism, separate from the device-wide authentication, and their own data-at-rest encryption of enterprise data. These mechanisms may or may not make use of underlying device security features (for example, hardware-backed cryptographic key store capabilities). Even though application-level containers do not strictly require the ability to impose device-wide policies, agencies should consider granting the container solution that access because of its dependence on the security of the underlying device. For example, the effectiveness of many Apple iOS device security protections depends on a device screen lock being in place, so containers may enroll devices with an enterprise MDM server to impose and monitor compliance with a screen lock policy. If the container enrolls the device with an enterprise MDM server, the same privacy and user functionality concerns that exist with the device’s built-in capabilities continue to apply.

15 MITRE Technical Report MTR150360, Secure Enterprise Access and Personal Enablement of Mobile Devices, by Michael Peck, Carlton Northern, Glenn Bell, Curt Ryersen, and David Keppler, September 2015

Some risks related to application-level containers include:

• Application-level containers rely on the sandboxing and other security protections provided by the underlying mobile device platform. If the device is compromised, the container's protected data may be exposed, or the compromised device may be used to reach enterprise resources.

• Container solutions perform device integrity checking and can take action if an integrity violation is detected. However, the container application usually does not have privileged access to the mobile device platform to perform more sophisticated checks. In some cases, the mobile device platform vendor may provide interfaces that the container application can leverage to provide more effective integrity checking. For example, Good and IBM have partnerships with Samsung KNOX that allow their containers to make use of Samsung-provided security APIs. The benefit of these APIs obviously applies only when using Samsung devices.

• Some container products bundle multiple "containerized" applications into one large application from the perspective of the operating system. In this architecture, the mobile device's sandbox protections are partly negated: if a vulnerability in one of the "containerized" applications is exploited, it may be possible to gain access to other enterprise data stored within the container environment.

• Application wrapping techniques depend on the ability to intercept and modify every potential network socket or file storage call from the application so that it uses the container-provided method instead, which is a difficult problem. If all calls are not correctly intercepted, data may be inadvertently put at risk.
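To make the last risk concrete, the following Python script (an added example, not code from this guidance or from any container vendor) models an app-wrapping container as an interposition on Python's built-in open(): writes through that path land encrypted in a container directory, while a second code path that uses the lower-level os.open/os.write API, which the wrapper never hooked, writes the same enterprise data in plaintext to the personal area. The keyed-XOR "encryption", the directory layout, and the sample record are constructed stand-ins for illustration, not a real data-at-rest cipher.

```python
"""Why incomplete call interception in an app-wrapping container leaks data.

Constructed illustration: a tiny 'wrapper' redirects the application's
built-in open() writes into a container directory and encrypts them with a
toy keyed XOR (a stand-in for the container's data-at-rest encryption, NOT a
real cipher). A second code path uses os.open/os.write, which the wrapper
never hooked, and so writes plaintext to the personal area."""
import builtins
import os
import tempfile

CONTAINER_KEY = b"\x5a\x3c\x91\x07"   # toy key, illustration only


def toy_encrypt(data: bytes, key: bytes = CONTAINER_KEY) -> bytes:
    """Keyed XOR, used only so that container bytes differ from plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class _EncryptingFile:
    """Minimal file-like object that encrypts on write."""

    def __init__(self, raw):
        self._raw = raw

    def write(self, data: bytes) -> int:
        return self._raw.write(toy_encrypt(data))

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self._raw.close()


class WrappedOpen:
    """Context manager that replaces builtins.open with a hooked version.

    Binary writes are redirected into container_dir and encrypted; every
    other call is passed through untouched.
    """

    def __init__(self, container_dir: str):
        self.container_dir = container_dir
        self._real_open = builtins.open

    def __enter__(self):
        builtins.open = self._open
        return self

    def __exit__(self, *exc):
        builtins.open = self._real_open

    def _open(self, path, mode="r", *args, **kwargs):
        if "w" in mode and "b" in mode:
            target = os.path.join(self.container_dir, os.path.basename(path))
            return _EncryptingFile(self._real_open(target, mode, *args, **kwargs))
        return self._real_open(path, mode, *args, **kwargs)


def app_save_via_open(path: str, data: bytes) -> None:
    """Code path the wrapper covers: the app calls the built-in open()."""
    with open(path, "wb") as f:
        f.write(data)


def app_save_via_os(path: str, data: bytes) -> None:
    """Code path the wrapper missed: the app (or a native library it links)
    uses the low-level descriptor API instead."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo(secret: bytes = b"constructed enterprise record 0000") -> dict:
    """Run both code paths under the wrapper and report where the bytes landed."""
    personal = tempfile.mkdtemp(prefix="personal_")
    container = tempfile.mkdtemp(prefix="container_")
    covered = os.path.join(personal, "covered.bin")
    missed = os.path.join(personal, "missed.bin")

    with WrappedOpen(container):
        app_save_via_open(covered, secret)
        app_save_via_os(missed, secret)

    def read(p: str) -> bytes:
        with open(p, "rb") as f:       # builtins.open is restored here
            return f.read()

    return {
        "covered_plaintext_in_personal_area": os.path.exists(covered),
        "covered_encrypted_in_container":
            read(os.path.join(container, "covered.bin")) == toy_encrypt(secret),
        "missed_plaintext_in_personal_area":
            os.path.exists(missed) and read(missed) == secret,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-40s %s" % (k, v))
```

Running it shows the hooked path leaving nothing in the personal area and an encrypted copy in the container, and the unhooked path leaving the record in plaintext beside it. On a real device the missed path is typically a native library, a second SDK, or a platform API absent from the wrapper's hook list; the acceptance test for a candidate product is the same as here: enumerate every I/O path the application can reach and confirm each one is intercepted.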

Advantages:

• Ability to run on any device without dependence on built-in device management capabilities

• May provide stronger personal privacy protections than built-in device approaches, since the container only encompasses enterprise uses

Disadvantages:

• Applications must be modified or written using a custom SDK in order to run in the container environment, reducing the ability for enterprises to make use of mainstream mobile applications

• Some containers are dependent upon the security of the underlying operating system and device and, therefore, are subject to the underlying vulnerabilities


6.4 Two-Factor Authentication for Agency Applications – Using PIV/CAC and Secure Browser - (e.g. Thursby Software – Sub Rosa)

This solution, which has been implemented by the US Navy Reserve in their Ready2Serve (R2S) application, leverages a custom application built by Thursby Software on Thursby's Sub Rosa browser to meet BYOD requirements.16 It is a locked-down solution that allows only R2S users to go to a secured website (application) to access enterprise resources. The URL field and bookmarks are disabled and not accessible. The application is only accessible via CAC and directs the user only to pre-determined applications such as email, timesheets, SharePoint, file servers, etc. More details can be found in the Appendix.

Advantages:

• Does not need native apps, containers, backend servers, or an MDM

• Features and policies can be custom set by the organization

• Application has been fully accredited

• Meets multiple regulatory requirements (e.g., OMB, NIST, FICAM)

• Runs in a secure browser accessed via DoD PKI two-factor CAC/PIV authentication that prevents downloading and saving of content (zero data-at-rest)

Disadvantages:

• No access to information in disconnected environments/situations

• Limits the future of more advanced mobile use cases/applications, which would require persistent data and expanded access to device capabilities/sensors

• Since the application does not monitor the device's integrity and patch status, there is a risk of malware that could record the device's screen or capture screenshots, potentially exposing sensitive information. The risk of malware increases on devices that are not actively patched.

• Requires the user to carry a CAC reader and CAC at all times

• Without device management, the potential for storage/use of derived credentials is limited

• Lacks the ability for users to create/modify files on the go (e.g., PowerPoint, Word documents)

7 Preparation for Key Events

Key events for which agencies must be prepared include the following:

• On-boarding New Users: Agencies must establish a specific set of procedures and a timeline to qualify and approve users, to evaluate and approve an end-user mobile device, to load approved applications and software, and to train end-users.

• End-User Change of Employment, Employment Status, or Participation Status: If a staff member has been given approval to use a personal mobile device and is leaving the employment of the Agency or changing positions within the same Agency, that employee might be required to provide the mobile device for some level of sanitization. Specific guidelines will be determined by each individual agency. It is recommended that there be a stated time period within which a device must be wiped clean upon change of employment or position. Depending upon Agency requirements, the device may need to be returned for a security check, or a portal acknowledgment will be needed that the container, EMM, or other BYOD implementation has been wiped clean from the device. If neither has occurred after the specified time period, the agency should terminate all services related to the BYOD implementation, conduct remote wipe procedures, and end any government-paid mobility services on the device. Employees must work with each office's mobile device manager to ensure proper device management, transfer, and security.

• Security Breach: Each Agency, depending upon its security profile, must develop a response process for any security/data breach or classified spill. The response process must be made known to all BYOD users so that they understand it and know how to report a breach if one occurs.

16 US Air Force (USAF) leverages the same approach for their BYOD program that uses the USAF Connect app.

8 Summary and Recommendations

A holistic BYOD strategy is needed for Federal Government-wide adoption. Government agencies can leverage lessons learned from existing BYOD and telework deployments. They can also partner with industry on applicable solutions that meet mission needs. Recommendations include:

• BYOD should not be considered as secure as GFE implementations; it should be used to supplement, not replace, GFE mobile capabilities.

• Personal devices are not granted the same protections as GFE, which are excluded from aggregated location tracking data programs.

• BYOD is applicable for some unclassified use cases where operational roles are primarily administrative and in CONUS environments. However, there are some conditions where personal devices should not be leveraged in the Federal government:

o OCONUS/tactical environment - personal devices should not be used for tactical operations since they have not been fitted with the appropriate security measures to protect the user from adversaries (e.g., geolocation, TRANSEC)

o Classified missions - personal devices should never be used to process classified information or be operated in classified environments, as they do not meet National Security requirements

o VIP communications - personal devices that process senior-level data increase the chance of attacks and potential tracking of senior leaders

o Any other highly sensitive government missions that require the additional data protections offered by GFE

• Each Agency must develop a BYOD policy that has been reviewed and approved by the agency's legal, security, IT, and privacy groups prior to piloting and/or establishing a BYOD program. Agencies must also evaluate and potentially update existing policies where use of personal devices is not allowed, to remediate policy conflicts.

• Agencies that incorporate a BYOD solution should develop Wi-Fi capabilities to maximize use of personal devices across their facilities. Since it is anticipated that BYOD mobile solutions will be used not only in the home but also as a support device at work, access to a government Wi-Fi network will mitigate concerns over voluntary services. Wi-Fi permits the offloading of carrier cost and transfers the connection cost from the employee to the government.

• A major weakness of BYOD solutions is that the user is responsible for maintaining the security of the 'personal side' of the device. While government data may be protected with a given BYOD solution, the general assumption is that personal applications and data are unprotected and subject to a wide variety of attacks. The general concern is that as BYOD gains popularity, new 'crossover' threats will target personal applications in order to deliver malware to government applications. Specific recommendations include:

o The user agreement should prohibit the transfer of data between government and personal applications in either direction.

o Agencies should provide a baseline security service to monitor the integrity of the personal applications and the overall device.

o Agencies should impose a minimum OS version and security patch level.

• If reimbursements are not possible, each Agency, or OMB, should approach carriers for discounts like those commercial organizations get through national account / group discounts.

• Security guidance and compliance:

o The lack of specific BYOD security guidance forces agencies to develop their own certification procedures. An aspect of the problem is that available security guidance often does not address existing vendor products and discusses BYOD as a general architecture without specific security objectives. NIST and NIAP guidelines need to be updated and made relevant to established BYOD programs. In addition, proper Identity and Access Management solutions that are commensurate with the information systems they will be accessing (see NIST SP 800-63-3) should be clearly identified.

o BYOD programs need to align with Federal security policies and procedures and have solutions validated in accordance with Federal security processes (e.g., NIST, NIAP, RMF) for standardization of each approach across the Federal government.


9 APPENDIX: Case Studies, User Agreement Example, and Reference Material

In the right environment, BYOD programs can be an enormous success. The MSCT BYOD Working Group members developed a collection of case studies that highlight the implementation of a BYOD program at a government agency. These studies include a brief synopsis, which summarizes the specific challenges, approaches, and lessons learned of each. None of the BYOD programs discussed in these case studies involve the transmission of classified information. Agencies should consider the applicability of the discussed technical and policy approaches to their own environments. The following case studies are discussed below:

1. Nuclear Regulatory Commission (NRC)
2. Navy Reserve – Ready2Serve (R2S)
3. US Equal Employment Opportunity Commission (EEOC)

9.1 CASE STUDY: U.S. Nuclear Regulatory Commission

Agency-Wide Use of Personal Smartphones or Tablets to Access the Agency Network

Background

In order to facilitate access to agency resources, in February 2013 the U.S. Nuclear Regulatory Commission (NRC) implemented technical capabilities enabling access to the NRC network from smartphones and tablets. The Agency has also enabled authorized BYOD devices such as smartphones and tablets to access certain agency resources. Consistent with Federal directives, the NRC has established rules of behavior for individual users to govern the secure use of information technology (IT) computing resources. In June 2013, there were 514 BYOD users, which accounted for 20% of NRC employees. While initiated back in 2013, the implementation of BYOD at NRC is currently one of the most successfully implemented BYOD programs within the Federal government, approaching a 25% opt-in rate. Users with NRC local area network access can use BYOD to connect to NRC resources. BYOD is an optional NRC service. Individuals choosing to use their personally owned device for agency business must acknowledge and agree to the NRC Rules of Behavior user guidance. The BYOD solution enables users to access, view, edit, and add documents/folders on their network drives and SharePoint sites, and to view NRC Intranet content. BYOD users were provided access to approved internal NRC content through:

• Device Resource Management (limit OS versions, use of local storage, camera, audio, etc.)

• Application Distribution

• Personal Information Management (PIM) Synchronization (email, calendar, address book, etc.)

• Access to Network Resources (SharePoint, Network Drives, Intranet)

After evaluation of eight vendors, the NRC selected IBM's MaaS360, a FedRAMP-authorized, cloud-based, software-as-a-service Mobile Device Management (MDM) product. Using the MDM, NRC has the capability to manage various devices including Android, Apple iOS, BlackBerry, Mac OS, and Windows devices from a single management console. Via a container deployed through the MDM solution, users have access to a secure browser, email, contacts, calendar, document sharing, and other features. Leveraging the MDM's Selective Wipe functionality, any personal device that is lost or whose owner leaves the government can be wiped of the apps, documents, and Wi-Fi/VPN/email profiles that were pushed via the container. Personal apps, music, photos, etc. will not be touched.

Advantages:

• MDM solution is widely used within the federal community.

• MDM solution is FedRAMP authorized.

• Same solution is used for both BYOD and GFE (keeping support costs lower).

• Integrates with Microsoft Exchange ActiveSync, Active Directory, and Office 365.

• Metadata does not traverse or reside on the vendor's cloud server.

• Minimal hardware is needed; no appliances are needed.

• Security Vendor Agnostic – MDM solution provides a framework that is agnostic to how customers choose to protect their data on end-user smart devices.

• Scalability – Solution can quickly scale from 1 to over 100,000 devices without any additional infrastructure.

• Supports multiple devices/OSes:

o iOS 11.x
o Android 5.x
o Windows 10
o Mac OS

Disadvantages:

• MDM vendor has no on-premises solution – cloud-only or hybrid cloud solution

• Requires training of O&M staff

Overall Approach

• Begin with the POLICY. Assemble a cross-divisional working group to develop the policy and guidance. Make sure the policy is solution- and device-agnostic. Review existing policies to see if any need to be updated (for example, reimbursement policies, travel policies, etc.).

• Secure EXECUTIVE SPONSORSHIP. BYOD changes the way people work. Executive sponsorship is critical to support and communicate changes to policies and processes.

• Select important SECURITY features for implementation. Work to identify prioritized security settings or policies. Provide regular (yearly) reviews of all settings and compare them to updated guidance (STIGs, NIST, etc.).

• Select the solution based on PRIORITIZED REQUIREMENTS. The requirements (mission, use case, security) drive the service offering and additional capabilities and features. (Know what you need to do, what you are trying to do, where you need to go.) Do not select a solution and then try to "make it fit."

• COMMUNICATE. Spend time explaining and demonstrating the BYOD concept to the workforce, including senior and executive staff. Attend all-hands meetings and informational events. Find office "ambassadors" who will share their experience with other staff members.

• Work with the agency's LEGAL COUNSEL and UNION early in the process. Seek input on the BYOD program and policies.

• SOLICIT FEEDBACK AND INPUT. Constantly be looking at the next release. Look for what needs to be corrected, removed, updated, or added.

• Know your INVENTORY and installed base. Have a means to react to security alerts (for example, Meltdown/Spectre), control access based on apps and patch/OS levels, and have executive support for mitigating activities (for example, if a device is not patched to the appropriate level, the device is blocked from agency content).

• BE PREPARED. Know how to respond to spills, lost devices, and international travel requests.
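The "block if not patched" decision in the inventory bullet above, and the minimum OS version and security patch level recommended in Section 8, both come down to a compliance rule evaluated against what the device reports. The following Python module is an added example written for this guidance, not code from the NRC, from IBM MaaS360, or from any other product; the report field names, the thresholds in Policy, the evaluation date, and the treatment of the Android security patch level as an ISO date are assumptions. It compares versions numerically rather than as strings (so 11.10 is newer than 11.9), fails closed when the patch level is missing or unparseable, and returns every violation so the user can be told what to fix rather than only "blocked".

```python
"""Device-compliance gate of the kind an MDM/EMM evaluates before releasing
agency content to a BYOD device. Constructed example: report field names,
policy thresholds and the date format of the patch level are assumptions,
not any product's schema."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DeviceReport:
    """What a compliance agent reports about a device (field names assumed)."""
    platform: str                 # "ios" or "android"
    os_version: str               # e.g. "11.3", "8.1.0"
    patch_level: Optional[str]    # Android: "YYYY-MM-DD"; None on iOS
    rooted_or_jailbroken: bool
    screen_lock_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Minimum bar; values are illustrative, not a recommendation."""
    min_os: Dict[str, str] = field(
        default_factory=lambda: {"ios": "11.0", "android": "8.0"})
    max_patch_age_days: int = 90      # Android security patch freshness
    require_screen_lock: bool = True


def parse_version(v: str) -> tuple:
    """'11.2.6' -> (11, 2, 6). Pads to three components so '11.2' == '11.2.0',
    and compares numerically so '11.10' > '11.9' (string comparison gets
    this wrong)."""
    parts = [int(p) for p in v.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def evaluate(report: DeviceReport, policy: Policy, today: date) -> List[str]:
    """Return every violation found; an empty list means compliant."""
    violations: List[str] = []
    platform = report.platform.lower()
    if platform not in policy.min_os:
        return ["unsupported platform: %s" % report.platform]
    if report.rooted_or_jailbroken:
        violations.append("device is rooted/jailbroken")
    if parse_version(report.os_version) < parse_version(policy.min_os[platform]):
        violations.append("OS %s below minimum %s"
                          % (report.os_version, policy.min_os[platform]))
    if policy.require_screen_lock and not report.screen_lock_enabled:
        violations.append("screen lock not enabled")
    if platform == "android":
        # Fail closed: a missing or malformed patch level is a violation,
        # not a pass.
        if not report.patch_level:
            violations.append("security patch level not reported")
        else:
            try:
                patched = date.fromisoformat(report.patch_level)
            except ValueError:
                violations.append("unparseable patch level: %r" % report.patch_level)
            else:
                age = (today - patched).days
                if age > policy.max_patch_age_days:
                    violations.append("security patch level %s is %d days old"
                                      % (report.patch_level, age))
    return violations


def access_decision(report: DeviceReport, policy: Policy, today: date) -> str:
    """Reduce to the action the case study describes: allow or block."""
    return "allow" if not evaluate(report, policy, today) else "block"


if __name__ == "__main__":
    today = date(2018, 5, 1)   # constructed evaluation date
    sample = [
        DeviceReport("ios", "11.3", None, False, True),
        DeviceReport("android", "7.1.2", "2017-11-05", False, True),
        DeviceReport("android", "8.1", "2018-04-05", True, False),
    ]
    for r in sample:
        print(r.platform, r.os_version, access_decision(r, Policy(), today),
              evaluate(r, Policy(), today))
```

Whatever product supplies the report, the useful properties are the ones shown here: the check runs on every content request rather than once at enrollment, a device that cannot prove its patch state is treated as non-compliant, and the root/jailbreak flag is only as trustworthy as the integrity checking the container can actually perform on that platform (see the application-level container risks in Section 6).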

9.2 CASE STUDY: Navy Reserve – Replace GFE with BYOD

Ready-2-Serve Secure Web Browser Application – Communications Efficiency with Significant Cost Savings

Background

The Navy Reserve had a need to reduce costs significantly and improve efficiency and security on its Government Furnished Equipment (GFE). The Navy Reserve explored BYOD as a potential replacement for GFE, thereby saving costs significantly and improving security and efficiency. The Navy Reserve explored multiple options (in the range of 10-14 BYOD implementation options) and, after careful evaluation, settled on a device-agnostic secure browser application called Ready-2-Serve (R2S) by Thursby Software Inc. This application has the potential to serve all of DoD.

The R2S mobile application provides out-of-the-box access to Outlook Web Access (OWA) with digital signing and encryption/decryption for official e-mail. R2S received its Authority to Operate (ATO) in May 2016, after only 18 months in development, and now has over 20,000 users since the production version was launched in October 2016. R2S was produced using agile software development and responsive web site design on a SharePoint (SP2010) portal (also with a current ATO) on the Navy Reserve Homeport. The next iteration of this application, for other DoD customers, would likely be similar but using a web app on the Microsoft Azure Government/DoD cloud. R2S uses an external CAC/PIV card reader with proprietary middleware so that there is no data at rest on the user's smart device after a session has ended. Since this solution does not use native apps or containers, there is no requirement for expensive MDM, MAM, or MEM maintenance and development costs. This approach allows the user to access NIST SP 800-63-3 Identity Assurance Level (IAL) 3 and Authenticator Assurance Level (AAL) 3 (formerly Level of Assurance 4 (LOA-4)) information on FIPS 199 systems within the agency/organization. Roles and permissions given to the user, in accordance with the NIST Cybersecurity Framework, are easily managed by the agency/organization. Because the secure browser and external CAC reader front a web site rather than a native app, no data is at rest on the individual's mobile device, which mitigates the risk of spillage on the personal smart device and removes the requirement for a Government "wipe" capability.


The below images show the iOS configuration with CAC reader and screen shots of some of the R2S application responsive web site. The “readiness meter” (green dot in the upper right-hand corner of the app) is based on medical and dental readiness along with status of security clearance:

DoD can have everyone on this BYOD solution for less than they currently pay to have a small percentage of DoD personnel on government provided devices that have a vastly inferior user experience. As an example, government furnished smart devices (GFE) for 800 personnel cost $800K annually, without CAC Capability. The R2S license costs $250K annually for 35,000 users, with CAC and access to official e-mail with ability to encrypt/decrypt and digitally sign messages.

The R2S application is run in a secure browser which is accessed through DoD PKI 2-factor CAC/PIN authentication, prevents downloading and saving of content (zero data at rest), and deletes transactional content at the end of each session. R2S has Authorization to Operate (ATO) from the U.S. Fleet Cyber Command Navy Authorizing Official (NAO) and is the first accredited Navy solution for secure mobile access via a BYOD.

Demand by Federal employees and military members continues to grow for a modern solution for BYOD technologies that they can use on their personal smart devices. Government Furnished Equipment (GFE) smart devices, cellular service subscription, Mobile Device Management (MDM), Mobile Application Management (MAM), Mobile Email Management (MEM) are expensive to procure and maintain.


The proposed R2S-like solution will use “multi-factor” authentication that will support solutions on personally owned Apple iOS and Android devices (both are on current R2S ATO). On-the-go access to CAC/PIV-enabled web portals with agency information needs to be available for military service members and Federal employees to accomplish their day-to-day mission objectives. There are a myriad of circumstances causing the workforce to be off-site, however it remains vitally important that they have access to the information and communication channels officially authorized by the government agencies.

The cyber vulnerability that results from not implementing something like R2S is “Shadow IT”. This is a term often used to describe any application or transmission of data, relied upon for business processes, which is not under the jurisdiction of a centralized IT or IS department; and not often in line with the organization's requirements for control, documentation, security, and reliability. Examples of these unofficial data flows are USB flash drives or other portable data storage devices, MSN Messenger or other online messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software. R2S reduces the risk of shadow IT and meets multi-factor authentication requirements by giving the user the access to systems and secure e-mail that they need to conduct everyday business while complying with laws and regulations such as the Federal Information Security Management Act (FISMA) and Health Insurance Portability and Accountability Act (HIPAA).

Cost Implications

Estimated costs should be based on the following pricing model for the initial "out-of-the-box" capability using COTS technology customized through "configuration code" entered by the user's organization. Software licenses must be purchased with an annual support agreement priced at 20% of license cost. Application pricing varies by number of licenses (10-30K, 30-60K, and 60K plus), and cost factors include the software license and iOS or Android CAC readers.

Capabilities:

• Secure solution incorporating: personal mobile device (Apple iOS and Android), plug-in CAC reader, R2S mobile application, CAC, and cellular or Wi-Fi internet connection

• Read, write, and manage Navy email (NMCI and others), contact list, and calendar

• Access to individual deployability / mobilization readiness status, training content, service record, drill record, and pay data

• Search for opportunities to mobilize (order advertisements) and vacant officer billets

• View and manage IDT (drill)

• Secure web application with an Authority to Operate (ATO)

• Meets multiple regulatory requirements:

o FICAM TFS
o NIST, FIPS Publication 140, 201-2, 199, 200, PIV of employees/contractors, SP 800-37
o NIST Special Publication 800-63-3, Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) 3 (formerly LOA-4)
o NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0
o OMB Memorandum M-16-4

• Access select DoD and Navy websites, including:

o Navy Standard Integrated Personnel System (NSIPS) - Electronic Drill Management (EDM)
o Defense Finance and Accounting Service (DFAS) MyPay
o Navy Reserve Homeport (NRH)
o BUPERS Online (BOL)
o Navy Knowledge Online (NKO)
o Reserve Forces Management Tool (RFMT) – Apply / JO Apply
o Total Workforce Management Systems (TWMS)
o NMCI Homeport
o Navy Family Accountability and Assessment System (NFAAS)
o Enterprise Safety Applications Management Systems (ESAMS)
o DFAS pay charts, information on Navy Ranks, and Government Travel Charge Card

9.3 CASE STUDY: U.S. Equal Employment Opportunity Commission (EEOC) – Pilot Study

Transitioning from Blackberry Usage to Bring-Your-Own-Device

Executive Summary

The U.S. Equal Employment Opportunity Commission (EEOC) implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. Employees who wanted to use their own smartphone for official work purposes agreed to have third-party software installed. This allowed the agency to manage security settings on the devices and remotely wipe devices of government emails and data if they were lost or stolen.

The EEOC was among the first Federal agencies to implement a BYOD pilot, and the preliminary results allowed for important learning and insights. The EEOC was paying $800,000 for its Government-issued BlackBerry devices. Subsequently, the EEOC's IT budget was cut from $17.6 million to $15 million, nearly a 15% reduction. The EEOC's Chief Information Officer, Kimberly Hancher, slashed the agency's budget for mobile devices, leaving only $400,000 allocated for the Fiscal Year. Along with the other cost reduction measures, CIO Hancher took the issue to the agency's IT Investment Review Board. She suggested a two-pronged approach to cost reduction:

1. Optimize rate plans for agency provided mobile devices

2. Implement a BYOD pilot program

Optimization: Zero-use devices were eliminated, and all remaining devices were moved to a bundled rate plan with shared minutes. FY costs were reduced by roughly $240,000 through these actions.

EEOC decided to conduct research into how employees were using their agency-issued Blackberry devices – and the results were surprising:

“Seventy-five percent of our users never made phone calls from their BlackBerrys,” according to Hancher. “Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. People have them parked in their desk drawer, and the only time they use it is when they travel.”


BYOD Alpha Phase

During the alpha phase of the BYOD pilot, the EEOC's IT group worked with the mobile device management cloud provider to configure the exchange of electronic mail between the provider's host and the EEOC's email gateway. The IT staff, having managed the agency's BlackBerry Enterprise Services (BES) for many years, transitioned to a cloud provider. The cloud provider assisted with setup, configuration and end-user support. Under the BYOD pilot, the cloud provider conducted all technical support for pilot participants with iOS devices (iPhones and iPads) as well as all Android devices (smartphones and tablets). The EEOC decided to use its existing on-premises BES for additional support as needed.

EEOC’s BYOD pilot focused on providing employees with access to agency email, calendars, contacts and tasks. With the mobile device management software, employees were able to read and write emails with or without Internet connectivity. A few senior executives who owned Apple iPads were provided "privileged" access to the agency’s internal systems through the secure Virtual Private Network (VPN).

The EEOC’s first draft of the BYOD Rules of Behavior was circulated among the advisory group, the technical team and the IT Security Officers. After a number of revisions, the Deputy CIO and Chief IT Security Officer met with the union several times to discuss the issues. Again, the Rules of Behavior document was revised and improved upon. An “expectation of privacy” notice was written in bold on Page 1 of the four-page policy.

The EEOC provided several choices for the 468 employees who still used agency-issued BlackBerry devices:

1. Voluntarily return your BlackBerry and bring your own Android, Apple or BlackBerry smartphone or tablet to work.

2. Return your BlackBerry and get a Government-issued cell phone with voice features only.

3. Keep your BlackBerry with the understanding that EEOC does not have replacement devices.

Acceptable Behavior Policy

EEOC developed an Acceptable Behavior Policy for personal mobile devices. The policy document was developed as part of a working group that included the agency's Office of Legal Counsel. Employees who chose to opt into the BYOD program were required to read and sign the policy document. EEOC used the pilot as an opportunity to obtain feedback and comment on the initial version of the Rules of Behavior.

CIO Hancher recommended agencies have documented rules for what employees can and cannot do with Government data on personally owned devices. Employees had to agree to let agencies examine those devices should it become necessary. EEOC's IT staff met with employees to determine which device or devices to use in the BYOD program. At rollout, personal smartphone devices were the only mobility option for new employees at EEOC.


BYOD Pilot Results

The initial alpha pilot was launched with 40 volunteers who turned in their Government BlackBerry to use a personally owned smartphone/tablet (Android, Apple iOS or BlackBerry). EEOC used a cloud-based, software-as-a-service offering for wireless synchronization of agency email, calendar and contacts, as well as for mobile device management services.

During the first three months of the pilot and optimization process the number of BlackBerry devices was cut from 550 to 462 and monthly recurring costs were lowered by 20-30% by optimizing the rate plans. EEOC launched the beta pilot inviting all BlackBerry users to opt in to BYOD and return their BlackBerry. However, EEOC allowed employees to continue using an EEOC provided BlackBerry if they chose not to opt into BYOD.

The BYOD program required users to pay for all voice and data usage, including usage for official work purposes. This cost issue prompted some users to keep the BlackBerry. Other EEOC employees preferred their personal devices over GFE for various reasons.

Lessons Learned

• Socialize the concept of BYOD. Since BYOD is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce, including at senior staff meetings and executive council sessions.

• Work with the agency's Legal Counsel and unions early in the process. Allow input on the BYOD program and policies from leadership officials.

• Select important security features for implementation. Work to identify prioritized security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed.

Hardware/Software

• Notifylink MDM – cloud provider licensed at $120 per user per year

• GW Mail and GW Calendar – $5 apps available through iTunes and Android Market

Disclaimer:

References to the product and/or service names of the hardware and/or software applications used in this case study do not constitute an endorsement of such hardware and/or software products. Some content of the EEOC BYOD overview was removed or summarized for readability and relevance to this Guidance document.

9.4 USER ACKNOWLEDGEMENT AGREEMENT EXAMPLE

Below is an example of a User Agreement, which can be used and customized by agencies.

It is [AGENCY NAME]’s right to restrict or rescind computing privileges or take other administrative or legal action due to failure to comply with the above referenced Policy and Rules of Behavior. Violation of these rules may be grounds for disciplinary action up to and including removal.


Authorized personal mobile devices include iPhones, iPads, and Android-based phones and tablets that have not been "jail-broken" or "rooted". Apple devices must run iOS version 7.1 or later, and Android devices must run version 4.1 or later. Users must ensure that their devices are compliant with NIST FIPS 140-2, the industry standard for portable encryption devices. If you purchase a device that is not compliant with this standard, it will be incompatible with this BYOD policy.

By signing this agreement, the BYOD user is in agreement with these terms and conditions:

That as a BYOD user, I am responsible for all costs associated with the services and maintenance of the device I am using. This includes, but is not limited to, all international and/or roaming charges, and any additional charges or fees for data use or mobile device access related to my use of any BYOD application.

That any spillage of classified or sensitive information will require the removal of the application and any associated applications, and may result in the complete destruction of my personal device.

That I will not store, transfer, or otherwise intentionally retain any official data from agency infrastructure on my personal device other than data use permitted within the BYOD application.

That as a government BYOD application user, I agree to unlimited government monitoring with no expectation of privacy from government authorities of my application whether at home or on travel.

That in the event an inspection or forensic assessment is required for any official purpose, including law enforcement or information security, I will be required to surrender my personal phone to the appropriate authorities. I further understand that my personal phone may be held for an indefinite period of time for investigative and/or evidentiary purposes and may be subject to permanent seizure or destruction.

The BYOD application will be accessed only in controlled environments and over secured connectivity (i.e., secured Wi-Fi). As with any wireless or cellular data connection, accessing enterprise applications from your mobile device carries risk to your data. Third-party actors eavesdropping on, intercepting, or tapping your communications with enterprise resources could compromise your personal data. Your diligence as a user in accessing enterprise resources over trusted networks in known environments is the best way to prevent data loss and reduce the risk to you, your data, and the agency.

I acknowledge, understand and will comply with the above referenced security policy and rules of behavior, as applicable to my BYOD usage of [AGENCY NAME] services. I understand that addition of government-provided third party software (such as Ghost-Pattern, Notify Link, Airwatch, Good, etc.) may decrease the available memory or storage on my personal device and that [AGENCY NAME] is not responsible for any loss or theft of, damage to, or failure in the device that may result from use of third-party software and/or use of the device in this program. I understand that contacting vendors for troubleshooting and support of third-party software is my responsibility, with limited configuration support and advice provided by [AGENCY NAME] OIT. I understand that business use may result in increases to my personal monthly service plan costs. I further understand that government reimbursement of any business-related data/voice plan usage of my personal device is not provided.


Should I later decide to discontinue my participation in the BYOD Program, I will allow the government to remove and disable any government provided third-party software and services from my personal device,

Employee Name: _________________________________

BYOD Device(s): __________________________________________________________

Services to be Used: __________________________________________________________

Anti-Virus or other Security Software installed on the Device: ___________________________

Employee Signature: _________________________________ Date: ___________
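The device eligibility criteria stated in the agreement above (iOS 7.1 or later, Android 4.1 or later, no jailbroken or rooted devices, FIPS 140-2 compliant encryption) are the kind of rules an MDM enrollment policy enforces automatically rather than leaving to the user's word. The following is an added example, not code from the MSCT guidance or from any agency's or vendor's MDM product, that expresses those criteria as a fail-closed compliance check. The DeviceRecord fields, the assumption that an MDM agent reports a jailbreak/root flag and a FIPS 140-2 flag as booleans, and the sample enrollment records are all constructed for this example.

```python
"""Fail-closed BYOD eligibility check modelled on the user agreement's criteria.

Added example, not part of the MSCT guidance. The record layout and the sample
devices are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Minimum OS versions taken from the agreement text.
MIN_OS_VERSION = {"ios": (7, 1), "android": (4, 1)}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.1.2' into (7, 1, 2) so comparisons are numeric, not lexical.

    A plain string compare would rank '7.10' below '7.9'; int tuples do not.
    A non-numeric component (e.g. 'beta') is rejected so the caller fails closed.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class DeviceRecord:
    """Attributes assumed to be reported by an MDM agent (constructed layout)."""
    platform: str        # "ios" or "android"
    os_version: str      # e.g. "7.1.2"
    compromised: bool    # jailbroken (iOS) or rooted (Android)
    fips_140_2: bool     # device encryption uses a FIPS 140-2 validated module


@dataclass
class Decision:
    eligible: bool
    reasons: list[str] = field(default_factory=list)


def evaluate(device: DeviceRecord) -> Decision:
    """Collect every failed criterion so the user can see what to remediate.

    Unknown platforms and unparseable versions are ineligible: a device the
    policy cannot reason about is rejected rather than waved through.
    """
    reasons: list[str] = []
    platform = device.platform.lower()
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not an authorized device type")
    else:
        try:
            if parse_version(device.os_version) < minimum:
                required = ".".join(str(n) for n in minimum)
                reasons.append(f"{platform} {device.os_version} is below the required {required}")
        except ValueError as exc:
            reasons.append(f"cannot verify OS version: {exc}")
    if device.compromised:
        reasons.append("device is jailbroken or rooted")
    if not device.fips_140_2:
        reasons.append("device encryption is not FIPS 140-2 validated")
    return Decision(eligible=not reasons, reasons=reasons)


# Constructed sample enrollment records; none describe a real device.
SAMPLE_DEVICES = {
    "ok_iphone": DeviceRecord("ios", "7.1.2", False, True),
    "old_android": DeviceRecord("android", "4.0.4", False, True),
    "rooted_android": DeviceRecord("Android", "4.10", True, True),
    "unknown_platform": DeviceRecord("blackberry", "10.3", False, True),
}

if __name__ == "__main__":
    for name, record in SAMPLE_DEVICES.items():
        decision = evaluate(record)
        status = "ELIGIBLE" if decision.eligible else "REJECTED"
        print(f"{name}: {status} {decision.reasons}")
```

The check deliberately reports all failed criteria rather than stopping at the first one, and it treats anything it cannot parse or recognize as a rejection; those two choices matter more than the specific version thresholds, which an agency would update as the policy's minimums change.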


9.5 Legal References

This section identifies major legal references for a Federal BYOD program [17]. The broader, more restrictive requirements are the key reasons why it is difficult to adapt commercial BYOD efforts that do not comply with Federal standards. The following are some legal and regulatory implications to consider while implementing a BYOD policy:

29 USC 794D applies to IT developed, procured, maintained, or used by Federal agencies and departments. See also EGOV sec. 202(d).

E-Discovery & Freedom of Information Act (FOIA)

Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions, Determination of Identity Assurance Level Requirement for Agency Applications Accepting FICAM TFS Approved Third Party Credentials, Version 1.0.0. http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_Determine_Required_LOA.pdf

Federal Records Act (records management)

Joint Task Force Transformation Initiative, National Institute of Standards and Technology (NIST), Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010. http://dx.doi.org/10.6028/NIST.SP.800-37r1

National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf

National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014. http://www.nist.gov/cyberframework/index.cfm

National Institute of Standards and Technology (NIST), Special Publication (SP) 800-114 Revision 1, User’s Guide to Telework and Bring Your Own Device (BYOD) Security.

Office of Management and Budget (OMB), OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015. https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf

Privacy (Fourth Amendment, Privacy Act, EGOV Act, Breach Notification, Internet Tracking, Rules of Behavior, Common BYOD Strategies)

[17] Legal Environment for Federal BYOD. AMARC Workshop: Developing a BYOD Framework. Federal Mobile Computing Summit (Washington, DC), Thursday, March 6, 2014, 9am-12pm; Alex Tang, Attorney, Office of General Counsel, FTC.


9.6 Document Definitions:

1) Bring Your Own Device (BYOD): The practice of allowing employees of an organization to use their own computers, smartphones, or other devices to access organizational resources for work purposes.

2) Container: An authenticated and encrypted area of an employee’s device that separates an organization’s information from the owner’s personal data and apps.

3) GFE: Government Furnished Equipment - Equipment that is owned by the government and delivered to, or made available to government employees, contractors, and other authorized personnel to conduct government business (Federal Acquisition Regulation (FAR) Part 45).

4) GFE Mobile Device Authorized Use: Different equipment and service offerings are available to meet different business needs, defined by staff roles and functions.

5) Loaner Devices: A loaner device fulfills a temporary, mission essential need (two weeks or less) for mobile access to agency data, where a BYOD or a GFE device provided on an ongoing basis is not necessary. Typical use may include official Agency travel and may include devices such as mobile phones, tablets, or Mi-Fi devices.

6) Mi-Fi Device: Mi-Fi is a portable broadband device that allows multiple end users and mobile devices to access and share 3G or 4G mobile broadband Internet connections and create an ad-hoc network.

7) Sensitive Data: Sensitive data is data that must be protected on the basis of the need for protection against loss, disclosure, or alteration because of the risk and magnitude of harm that could result.

8) Shared Devices: Devices that are made available to more than one person over a given time period. Positions in this group have a mobility essential requirement for recurring (but not full time or long-term) voice communication, or for recurring (but not full time or long-term) substantive work with access to agency data.

9) Vendor Authorized and OCIO Approved Sources: Mobile applications to be installed on the device should be OCIO approved and vendor authorized (Google and Apple marketplaces, i.e., Google Apps and Apple Store) or agency hosted and Federally authorized applications.

10) Voice and Data: Service plans attached to GFE devices for positions that require connectivity and data access for mission critical functions during non-working hours or at remote sites (e.g., Emergency Response and Continuity of Operations (COOP)).

11) Voice and Text Only: Service plans attached to GFE devices for positions that require voice-only connectivity for mission critical functions (e.g., COOP notification requiring Wireless Priority Service).
