Government IT leaders who oversee sensitive or classified information require firm device-management policies to address security concerns before they will even consider allowing workers' personal smartphones and tablets behind the firewall.
By Kenneth Corbin
WASHINGTON — As federal CIOs develop new strategies to support an increasingly mobile workforce, they will inevitably have to decide whether or not to adopt a bring-your-own-device policy, just as a similar challenge confronts their counterparts in the private sector.
The fear of losing sensitive data has kept many federal CIOs from adopting BYOD policies. It’s not necessarily that the devices themselves are insecure, according to Day, but if a worker’s personal phone with work data stored on it is lost or stolen, and security protocols would normally dictate that the device be remotely wiped, would the agency IT staff then be compelled to erase all the contents of the phone?
“There’s the issues of what if I wipe your device and you lost all the pictures of little Susie and little Johnny and they weren’t backed up? We’re going to have to have some policies that go into place with this and figure that piece out,” he says. “Having full MDM (mobile device management) capability across the device is absolutely key.”
“We’re going to have to have some limitations on a personal device and then, again, the documentation that you are going to sign over saying that if I blow your device away with all your financial data and all your pictures that you did not back up, I’m not responsible for that,” he adds. “I think we’re going to get there, but until I get those security pieces put into place it’s going to take a bit.”
“What about a keyboard logger being installed on your private side of the device, and it’s not the part that I’m managing?” he asks.
Federal CIOs’ stance on BYOD, which varies from agency to agency, remains a work in progress, as are the gradual shift to the cloud and other government IT priorities that the Obama administration has outlined.
Last January, Federal CIO Steven VanRoekel announced the launch of a government mobile strategy, tasking departments and agencies with developing guidelines for the devices they would allow into the workplace, along with a host of other mobility issues, including policies for apps and suggestions for deploying mobile technology to drive efficiencies and deliver better services to citizens.
In sharp contrast to the approach that Day describes at the Coast Guard, BYOD has gotten a warm embrace at the Equal Employment Opportunity Commission (EEOC), at least at the policy level. EEOC CIO Kimberly Hancher describes a checklist of considerations the agency weighed before rolling out a BYOD policy.
Last year, when funding cuts sapped about 15 percent of the EEOC’s IT budget, Hancher and other agency leaders began to consider BYOD as a cost-saving measure. They evaluated whether the EEOC maintains any classified data that would be at risk if a user’s personal device was compromised. It does not. Nor does the agency house what it considers sensitive personally identifiable information (PII) in its data centers (PII was scrubbed from the EEOC’s servers a couple of years ago, according to Hancher).
Finally, agency heads affirmed that the devices EEOC employees carry with them would not offer access to critical infrastructure systems, and with that, they implemented a BYOD policy.
“For us, it was a risk-based decision to move into bring your own device,” Hancher says.
Government Workers Stick With BlackBerry
BYOD is often understood in terms of a friction between workers and the CIO or senior security officials: Employees want to use their own devices for work, but management resists. But that wasn’t the case at the EEOC.
In implementing the agency’s BYOD policy, Hancher polled employees about their thoughts on the issue. Just 23 percent signed up to bring a personal device into the workplace, while the remaining 77 percent opted to stick with their government-issued BlackBerry.
“Of the people who chose to keep the government-provided devices, the majority of them felt that work and personal should be separate,” Hancher says.
Others cited confusion about the rules and responsibilities they would be subjected to under a BYOD policy, and a substantial number chose not to participate simply because they don’t own a smartphone.
For them, “it’s not a matter of switching. They would have to go and buy — you know, select a device — pay for the device, pay for the voice and data service,” she says. “And those are some of the reasons why the consumers — our internal customers — are not flocking to BYOD.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.